jimschubert/NewTab-Redirect

VERY bad CRXcavator score (954) due to version of RetireJS

Opened this issue · 4 comments

Check out the CRXcavator score at https://crxcavator.io/report/icpgjfneehieebagbmdbhnlpiopdcmna/3.1.4 . The problem seems to be the version of RetireJS.

I don't fully follow the issue here, can you please explain how this score might affect anything in this extension? I'd be happy to look into it given an example of a concern. If you're not comfortable providing an example here, please email me at the address in my public profile.

Regarding why I'm not connecting the concerns with this particular extension... I don't run content scripts, and I don't respond to messages posted from other sites or extensions. No external content is loaded by the extension, and I've been adamantly against accepting "offers" from external services to monetize on this extension (which would open it to issues as presented by the scan). The scores presented by this service seem to focus more on content which would be accessible on publicly accessible pages, or aren't given the same security constraints as a new tab override page; page and browser actions, for instance. New tab overrides and extension pages are executed by a different executor in Google Chrome, which treats them as sandboxed secure "sites" and acts differently from standard web pages. If there's a way to exploit these, I would be happy to hear about it. If you're aware of such an exploit, share it with Google before sharing with me as they offer monetary rewards for such security reports and I would hate for you to not get credit for discovering this.
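The mitigations the maintainer lists above (no content scripts, no handling of messages from other sites or extensions, no external content, only opt-in permissions) can be checked mechanically against an extension's manifest. The following is an added example written for this discussion, not code from the NewTab-Redirect project or from CRXcavator; the manifest keys are real Chrome keys, and the two sample manifests are constructed.

```javascript
// Added example, not code from the NewTab-Redirect project or from CRXcavator.
// It checks a Chrome extension manifest for the properties discussed above:
// content scripts, message listeners reachable from other sites, remote or
// eval script sources, and broad permissions. Manifest keys are real Chrome
// keys; the two sample manifests are constructed for illustration.
const BROAD_PERMISSIONS = new Set(["tabs", "history", "cookies", "webRequest", "<all_urls>"]);

function findings(manifest) {
  const out = [];
  // Content scripts run inside ordinary web pages, outside the extension-page sandbox.
  if ((manifest.content_scripts || []).length > 0) out.push("content_scripts present");
  // externally_connectable lets the listed sites or extensions message the extension.
  if (manifest.externally_connectable) out.push("externally_connectable declared");
  // CSP: MV2 stores a string, MV3 an object with an extension_pages entry.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/'unsafe-eval'/.test(cspText) || /https?:\/\//.test(cspText)) {
    out.push("content_security_policy allows eval or remote scripts");
  }
  // Install-time permissions are reported apart from optional ones, which the
  // user approves later (the opt-in case the maintainer mentions).
  const installTime = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of installTime) {
    if (BROAD_PERMISSIONS.has(p)) out.push(`install-time permission: ${p}`);
  }
  for (const p of manifest.optional_permissions || []) {
    if (BROAD_PERMISSIONS.has(p)) out.push(`optional permission: ${p}`);
  }
  return out;
}

// Constructed: a new-tab override that loads nothing external and has no content scripts.
const NEWTAB_ONLY = {
  manifest_version: 2,
  chrome_url_overrides: { newtab: "newtab.html" },
  permissions: ["storage"],
  optional_permissions: ["tabs"],
};

// Constructed: the shape of extension a scanner is right to flag.
const RISKY = {
  manifest_version: 2,
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  externally_connectable: { matches: ["https://*.example.com/*"] },
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
  permissions: ["tabs", "history", "<all_urls>"],
};

console.log(findings(NEWTAB_ONLY), findings(RISKY));
```

A scanner score by itself does not distinguish these two shapes; the triage shows which manifest properties actually expose the extension's own pages to outside input.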

First, let me apologize. I did not realize that RetireJS was a tool to find vulnerabilities. So when I saw the high score listed for it, I assumed that it was the vulnerability. Not the case. It is claiming to have found vulnerabilities. The report doesn't show what the vulnerabilities are, but I'm guessing that there is a more detailed view with that information, or you would have to run RetireJS yourself to see them.

That said, my concern was the possible risk of an exploit due to the vulnerabilities the report found. I don't know enough about extension design to judge. But from what you say, I understand your skepticism. Perhaps the CRXcavator is making some assumptions which aren't correct for this extension. In that case, I'm thinking it would be worth letting them know so that they could adjust the test.

As is, a cautious user might be dissuaded from running the extension because of the "false positive" bad score.

I don't know how many users will actually see CRXcavator results. Tech savvy users may not even click the link. I wouldn't personally ever click a link with "excavator" as part of the name because it sounds like data mining to me. I had to research the tool in order to be comfortable clicking the link.

The report explains the "risks" individually. See, for example:

[Screenshot: screenshot_20190303-124757]

This lists all permissions in this extension (most of which are opt-in after install) as medium or high risk. Then, it lists some jQuery risks which again make little sense in a secure sandboxed extension.

That said, the service is offered by Duo as a means to help system administrators identify high risk extensions. Duo is a reputable company, and this service is a legit need in the extension authoring community.

Risk is subjective and conditional on the features exposed by an extension. I think this would be hard for Duo to "get it right" with everywhere extensions can touch. As an example which I don't see reflected in the tool: I consider extensions from individuals like myself to be higher risk than those from reputable companies. That's because an individual might have a higher incentive to monetize (going $0 to $$$ in earnings) or to sell an extension. For the 10 years since I first wrote this extension, I have flat out refused many offers; someone offered me $50,000 to purchase, multiple people have offered $10,000, many data collection companies offer "partnerships" which "only require you to drop a single JavaScript file into your extension". Sadly, I don't trust many individual extension authors to have a moral compass similar to mine. There are quite a few out there, but I think the majority would assume the offers and monetization come from a "good place". To me, integrity means way more than money because when I die people will remember my integrity but not how much money was in my bank account in 2019.

I'll reach out to Duo and ask some questions.
Thanks for sharing the report and for the discussion about it!

Sounds like you have a good handle on it. I appreciate your efforts! I also appreciate your integrity.

Thanks!