Security Review - Chrome Native Messaging

Since Microsoft and Mozilla reportedly are implementing Chrome Extensions including Native Messaging it might be interesting with an an external review of the security in this system.

The following published extension of mine (and a bunch of similar extensions), exploring Chrome Native Messaging

could together with a maliciously written native program (there is no vetting of what an Native Message extension actually do), enable any web-page on any domain executing any native-level program without asking the user for a permission.

In spite of this I consider Native Messaging a brilliant concept that is well worth a more thought-through approach (including security model), and eventually receiving standards status.

The only viable alternative is removing Native Messaging altogether or hiding it behind an experimental option.

Anders Rundgren

Received on Thursday, 15 October 2015 05:38:01 UTC