I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed to download the extensions that are hidden behind an EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof-of-concept exploits. The good news: I don’t think that I missed too many vulnerable extensions; when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview of in a reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.
Altogether, not too many extensions follow best practices that would protect them from such issues. The percentage is probably lower than for websites. But on the other hand, the potential consequences of vulnerable extensions are not comparable. The conclusion (which isn’t really new): more evangelizing for safe coding practices is needed. I recently published my first article on safe coding practices; more should follow. And AMO needs to push extension authors into abandoning questionable approaches, regardless of whether these approaches currently cause security issues.
PS: Oh, and while I was at it I found an issue in one of my extensions as well – fortunately not exploitable but still something I will need to fix.