In association with heise online

29 May 2011, 13:55

Chrome Web Store has same security problem as Android Market


The unofficial Flash port of console classic Super Mario Land 2 requests permissions that include accessing your browsing history.
Source: David Rogers
Security expert David Rogers has criticised the system for adding extra functionality to Google's Chrome browser, which he says suffers from similar security deficiencies to those found in the Android smartphone operating system. Apps that are installed from the Chrome Web Store require complete sets of system permissions – for example, the unofficial console ports of Super Mario World 1 and 2 require access to the browser history, bookmarks and "your data on all websites". Users have the choice of either consenting or going without.

The "your data on all websites" permission is particularly troubling. The Flash version of the cult plumbing game is, according to Google's description of this permission, able to read data from any site visited, including "Your bank, your web email, your Facebook page". The app can also access saved cookies from other web sites, which it can use to authenticate itself with these web sites.

In some cases, it may indeed be sensible to grant an app these permissions – for example, an app which checks the page source of each web page visited for RSS feeds. Why a game such as Super Mario might need this information is, however, open to conjecture.

Rogers' report has made quite a splash in the US media and both Super Mario World games have now been withdrawn from the Chrome Web Store. The second part had already been downloaded by nearly 14,000 users. Whether the game was actually up to no good is not clear.

In comments to SecurityNewsDaily, Google denied responsibility: "We don't make a habit out of commenting on individual apps"; although it retains the right to review or test products, Google "is not obligated to monitor the products or their content". Google is relying on support from users: "By making user rating and reviews available for all apps in the store, we believe the community will also flag these apps, either for removal, or with poor ratings."

Rogers proposes an alternative model, a monitoring system which, like a firewall, makes a decision each time an app tries to access anything. The decision as to what's good and what's bad should be handled by a policy framework which could be configured by the user or with policies supplied by trusted third parties, in a manner comparable to the way child content filters and modern anti-virus software packages are maintained.
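
A minimal sketch of the model Rogers describes, added here as an illustration and not taken from Rogers or Google: every access attempt goes through a monitor that consults the user's policy first, then a third-party policy, and asks the user when neither has a rule. The app names, categories, resource labels and rule format are all assumptions.

```javascript
// Added illustration: every name here is hypothetical, none is a Chrome API.

// Constructed rules from a hypothetical trusted third party, keyed by app category.
const thirdPartyPolicy = [
  { category: "game", resource: "history", decision: "deny" },
  { category: "game", resource: "bookmarks", decision: "deny" },
  { category: "game", resource: "all-sites-data", decision: "deny" },
  { category: "feed-reader", resource: "all-sites-data", decision: "allow" },
];

// Constructed rules set by the user for one specific app; these win over the above.
const userPolicy = [
  { app: "rss-checker", resource: "history", decision: "deny" },
];

// A rule applies when its resource matches and any app/category it names matches too.
function matches(rule, req) {
  return rule.resource === req.resource &&
    (rule.app === undefined || rule.app === req.app) &&
    (rule.category === undefined || rule.category === req.category);
}

// Layers are checked in precedence order; with no matching rule the user is asked.
function decide(req, layers) {
  for (const layer of layers) {
    const rule = layer.rules.find((r) => matches(r, req));
    if (rule) return { decision: rule.decision, source: layer.name };
  }
  return { decision: "prompt", source: "default" };
}

// The monitor sits between app and browser data and is consulted on every access.
class AccessMonitor {
  constructor(layers) { this.layers = layers; this.log = []; }
  request(req) {
    const verdict = decide(req, this.layers);
    this.log.push({ ...req, ...verdict }); // audit trail of every decision
    return verdict.decision;
  }
}

function newMonitor() {
  return new AccessMonitor([
    { name: "user", rules: userPolicy },
    { name: "third-party", rules: thirdPartyPolicy },
  ]);
}
```

The log kept by the monitor records which policy layer produced each decision, which is what lets a user or policy supplier review and refine the rules over time.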

The Chrome Web Store can be used in Chrome running on all of the main desktop operating systems. The store is a key component of Google's new Chromebooks, which will be available in the UK from 15 June. The Chrome Web Store is the primary source of software for Chromebooks, performing the same role as Android Market does for Android.

