Risk
3/26/2012
01:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Chrome Extensions: 6 Security Facts

Malicious Chrome extensions, once they have a toehold on your computer, can wreak havoc via your browser. Understand the security implications.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
A recent crime campaign targeting Facebook users used a novel attack vector: malicious Chrome extensions.

The attack, which occurred in Brazil, "caught our attention not because it asks the user to install a malicious extension, but because the malicious extension [is] hosted at the official [Google] Chrome Web Store," said Fabio Assolin, a security researcher at Kaspersky Lab, in a blog post. "If the user clicks on 'Install aplicativo' he will be redirected to the official store. The malicious extension presents itself as 'Adobe Flash Player,'" which is ironic, because Chrome not only includes a built-in version of the player, but also automatically updates it.

The existence of malicious Chrome extensions begs two questions: What can they do, and how can you stop them? Here are six related facts:

1. Extensions might spread Facebook attacks. In the case of the fake Flash Player, the extension first downloads a script file, which can then pipe commands to the user's Facebook profile, including having them "like" any page that the attacker designates. Attackers also can send any message they like via a user's Facebook profile, such as creating a post with a malicious script, or inviting more people to install the malicious Chrome extension or--potentially--a malicious Facebook application.

[ One security problem you won't have to worry about with Firefox? See Firefox Takes Privacy Lead With HTTPS By Default. ]

2. Malicious extensions can be monetized. Why would attackers bother with a malicious Chrome extension, or gaining access to people's Facebook profiles? "You're probably asking yourself how the bad guys are turning this malicious scheme into money," said Assolin. "Well, it's easy: they have total control of the victim's profile, so they created a service to sell 'Likes' on Facebook, especially focused [on] companies that want to promote their profiles, gaining more fans and visibility."

3. Extensions offer JavaScript capabilities. Facebook attacks notwithstanding, some security experts paint the overall Chrome information security situation in stark terms. "Chrome extensions are evil," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in his "Apple Versus Google Client Platforms" session at Black Hat Europe this month. "Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans," he said. That's because the extensions can be used to rewrite anything that's in the browser, as well as to inject JavaScript. Historically, of course, an attacker would have to find a browser or Web application bug to exploit, then attempt to inject the JavaScript. "Only now it's built in, in Chrome, so it's a lot more stable and better," said Lindner--at least for attackers.

4. Google ID offers security weak point. How do attackers install malicious extensions? "One thing you can do is just break into the Google account" of a developer, said Lindner, and then replace a real extension with a malicious one. Within a few hours, the updated extension will typically be pushed to all active users. For such an attack to work, however, an attacker must first guess or steal a developer's Google account username and password, and the account would have to be unprotected by Google's free two-factor authentication. But that authentication aside, a dedicated attacker could find ways to steal developer credentials.

5. Vet extensions thoroughly. Google Chrome extensions wield enormous power. "Once you have a malicious extension in your Chrome browser, you're pretty much [expletive deleted]," Lindner said. For example, attackers can use a malicious extension to execute JavaScript, and the extension management dialog in Chrome is rendered in JavaScript. As a result, he said, an attacker "can automatically install extensions," for example by creating JavaScript code that simply clicks "yes" for any "do you want to install this?" prompts.

6. Google does nuke malicious extensions. In the case of the Facebook attack that served up a malicious Chrome extension, "We reported this malicious extension to Google and they removed it quickly," said Kaspersky's Assolin. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat-and-mouse game." To date, the extension appeared to have been installed by about 1,000 people, mostly in Brazil and Portugal.

With these potential security risks in mind, "think twice before installing a Google Chrome extension," said Assolin.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.