Attacks/Breaches
6/1/2012
10:32 AM
Connect Directly
RSS
E-Mail
50%
50%

Google Chrome Tabs Let Malware Sneak Into Businesses

Enterprises need to watch for "bring your own browser" attacks. Using Google Chrome tabs, malware could piggyback into a corporate environment in two ways.

Google Drive: 10 Alternatives To See
Google Drive: 10 Alternatives To See
(click image for larger view and for slideshow)
Google Chrome users: Watch your sync habits. The browser's ability to synchronize tabs across different computers could be used by a malicious attacker to eavesdrop on personal or corporate communications.

The tab-synchronization capability appeared last month in the latest version of the Google Chrome browser, and allows users to synchronize their open browser tabs across devices. As a result, users can log into any version of the Google Chrome browser--on home PCs, work PCs, or mobile devices--and access their saved tabs.

Unfortunately, the same would go for malware. "Consider the following scenario: The user is signed in to Chrome on both work and home computer. ... The home computer gets infected by a malware. Now all of the work synced data (such as work-related passwords) is owned by the malware," said Rob Rachwald, director of security strategy at Imperva, in a blog post.

"We name this kind of threats BYOB for 'Bring Your Own Browser,'" he said. "While BYOD creates challenges of mixing work data and personal end points, BYOB does exactly the same--but it's more elusive as there's no physical device involved."

Furthermore, IT departments could have difficulty successfully spotting and blocking malware that infiltrates the enterprise in this manner, especially given the number of attacks that could be launched from an infected home PC. "Even if the malware gets disinfected on work computer, the malware is able to infect over and over again--as the root cause of the infection--the home computer--is outside of the reach of the IT department," Rachwald said.

Two Ways In

Google didn't immediately respond to a request for comment about the feasibility of this attack, or steps that users could take to mitigate this type of threat. To be sure, this is a theoretical attack; no such Chrome-targeting malware campaign has been seen in the wild. But malware could potentially piggyback into a corporate environment, using Chrome tabs, in two ways.

The first exploit technique would be if "the malware changes the homepage or some bookmark to point to a malware-infection site on the home computer," said Rachwald. "Settings are synced to your work environment. When you open your browser at work, you get infected with some zero-day drive-by download." In this scenario, attackers could instruct the malware to keep attacking the corporate network, and even vary the attack being used, in an attempt to evade defenses. This would be difficult for a business to stop with complete reliability.

"Even if the malware gets disinfected on work computer, the malware is able to infect over and over again, as the root cause of the infection--the home computer--is outside of the reach of the IT department," he said.

Another potential attack vector would be if the malware installed a rogue Chrome extension, and such extensions have appeared on the official Chrome Web Store in the past. As Google notes, "anyone can upload items to the Chrome Web Store, so you should only install items created by people you trust," and by reviewing the ratings and reviews for an extension to help deduce whether it's reliable. Google quickly removes any malicious Chrome extensions, once they're spotted. But until that happens, any malicious extension is able to operate with impunity.

"Chrome extensions are evil," noted Felix "FX" Lindner, head of Recurity Labs in Berlin. That comment came during a talk he delivered at Black Hat Europe earlier this year, in which he highlighted how Chrome extensions can be used by an attacker to inject JavaScript directly into the browser. What's more, any users who sign into Chrome on a different workstation will have their extensions automatically installed on the current PC. As a result, a malicious extension installed at home could easily appear on a workplace PC, creating a vulnerability similar to the one that Rachwald highlighted.

Why are malicious Chrome extensions so dangerous? "If you have an extension installed, it has ... pretty much omnipotent control over your Chrome browser," said Lindner, speaking by phone. "Google tries to prevent the extension from accessing your extension manager, but we've found ways to do it. Google fixed them, but I'm pretty confident that there are other ways."

Preventing users from installing Chrome extensions is nearly impossible. For starters, while the IT department can issue its own Chrome build, and set it to block extensions, you can install and run your own installation of the browser on any PC for which you have permission to write to the home directory--no administrator rights required.

Security defenses also won't spot malicious extensions. "This all being JavaScript and HTML, the corporate antivirus is not going to catch it--on top of the fact that you're downloading the extension via SSL from Google's Web store," said Lindner. "Unless corporate [IT] breaks SSL for you, they're not going to see it anyway.

Since the browser's preferences are handled with JavaScript, a malicious extension could automatically--and without a user being aware--install and run arbitrary code in the browser. For example, the extension might unleash a Trojan application that recorded everything the user did, or open a malicious website in the browser. Furthermore, if this extension was first installed at home, it would automatically get pushed to work when the user logged in there.

Attackers aren't the only concern for Chrome users, as the Google tab synchronization feature could also be used during digital forensic investigations. "Imagine there's a case against you at work, and they do forensics, and they get all of your accounts at home," said Lindner.

But the bigger picture, he said, is that users should consider the security implications of synchronizing information between Chrome tabs or even between Google services. "I'm really not sure who would want to: a) give all this information to Google, and then, b) actually sync it onto every single machine they're using," Lindner said. "So much for defense. But maybe I'm the wrong person to ask--I don't even have a Google account. Wrong religion."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
6/1/2012 | 6:20:51 PM
re: Google Chrome Tabs Let Malware Sneak Into Businesses
Yet another reason NOT to trust Google when it comes to security and/or protection of your personal information. btw - IE10 will be shipped with "Do Not Track" enabled by default. Try getting Google to help you out with that...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.