Risk

3/26/2012
01:43 PM
50%
50%

Google Chrome Extensions: 6 Security Facts

Malicious Chrome extensions, once they have a toehold on your computer, can wreak havoc via your browser. Understand the security implications.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
A recent crime campaign targeting Facebook users used a novel attack vector: malicious Chrome extensions.

The attack, which occurred in Brazil, "caught our attention not because it asks the user to install a malicious extension, but because the malicious extension [is] hosted at the official [Google] Chrome Web Store," said Fabio Assolin, a security researcher at Kaspersky Lab, in a blog post. "If the user clicks on 'Install aplicativo' he will be redirected to the official store. The malicious extension presents itself as 'Adobe Flash Player,'" which is ironic, because Chrome not only includes a built-in version of the player, but also automatically updates it.

The existence of malicious Chrome extensions begs two questions: What can they do, and how can you stop them? Here are six related facts:

1. Extensions might spread Facebook attacks. In the case of the fake Flash Player, the extension first downloads a script file, which can then pipe commands to the user's Facebook profile, including having them "like" any page that the attacker designates. Attackers also can send any message they like via a user's Facebook profile, such as creating a post with a malicious script, or inviting more people to install the malicious Chrome extension or--potentially--a malicious Facebook application.

[ One security problem you won't have to worry about with Firefox? See Firefox Takes Privacy Lead With HTTPS By Default. ]

2. Malicious extensions can be monetized. Why would attackers bother with a malicious Chrome extension, or gaining access to people's Facebook profiles? "You're probably asking yourself how the bad guys are turning this malicious scheme into money," said Assolin. "Well, it's easy: they have total control of the victim's profile, so they created a service to sell 'Likes' on Facebook, especially focused [on] companies that want to promote their profiles, gaining more fans and visibility."

3. Extensions offer JavaScript capabilities. Facebook attacks notwithstanding, some security experts paint the overall Chrome information security situation in stark terms. "Chrome extensions are evil," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in his "Apple Versus Google Client Platforms" session at Black Hat Europe this month. "Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans," he said. That's because the extensions can be used to rewrite anything that's in the browser, as well as to inject JavaScript. Historically, of course, an attacker would have to find a browser or Web application bug to exploit, then attempt to inject the JavaScript. "Only now it's built in, in Chrome, so it's a lot more stable and better," said Lindner--at least for attackers.

4. Google ID offers security weak point. How do attackers install malicious extensions? "One thing you can do is just break into the Google account" of a developer, said Lindner, and then replace a real extension with a malicious one. Within a few hours, the updated extension will typically be pushed to all active users. For such an attack to work, however, an attacker must first guess or steal a developer's Google account username and password, and the account would have to be unprotected by Google's free two-factor authentication. But that authentication aside, a dedicated attacker could find ways to steal developer credentials.

5. Vet extensions thoroughly. Google Chrome extensions wield enormous power. "Once you have a malicious extension in your Chrome browser, you're pretty much [expletive deleted]," Lindner said. For example, attackers can use a malicious extension to execute JavaScript, and the extension management dialog in Chrome is rendered in JavaScript. As a result, he said, an attacker "can automatically install extensions," for example by creating JavaScript code that simply clicks "yes" for any "do you want to install this?" prompts.

6. Google does nuke malicious extensions. In the case of the Facebook attack that served up a malicious Chrome extension, "We reported this malicious extension to Google and they removed it quickly," said Kaspersky's Assolin. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat-and-mouse game." To date, the extension appeared to have been installed by about 1,000 people, mostly in Brazil and Portugal.

With these potential security risks in mind, "think twice before installing a Google Chrome extension," said Assolin.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7682
PUBLISHED: 2018-06-22
Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains.
CVE-2018-12689
PUBLISHED: 2018-06-22
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel.
CVE-2018-12538
PUBLISHED: 2018-06-22
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage...
CVE-2018-12684
PUBLISHED: 2018-06-22
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
CVE-2018-12687
PUBLISHED: 2018-06-22
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.