Risk

3/26/2012
01:43 PM
50%
50%

Google Chrome Extensions: 6 Security Facts

Malicious Chrome extensions, once they have a toehold on your computer, can wreak havoc via your browser. Understand the security implications.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
A recent crime campaign targeting Facebook users used a novel attack vector: malicious Chrome extensions.

The attack, which occurred in Brazil, "caught our attention not because it asks the user to install a malicious extension, but because the malicious extension [is] hosted at the official [Google] Chrome Web Store," said Fabio Assolin, a security researcher at Kaspersky Lab, in a blog post. "If the user clicks on 'Install aplicativo' he will be redirected to the official store. The malicious extension presents itself as 'Adobe Flash Player,'" which is ironic, because Chrome not only includes a built-in version of the player, but also automatically updates it.

The existence of malicious Chrome extensions begs two questions: What can they do, and how can you stop them? Here are six related facts:

1. Extensions might spread Facebook attacks. In the case of the fake Flash Player, the extension first downloads a script file, which can then pipe commands to the user's Facebook profile, including having them "like" any page that the attacker designates. Attackers also can send any message they like via a user's Facebook profile, such as creating a post with a malicious script, or inviting more people to install the malicious Chrome extension or--potentially--a malicious Facebook application.

[ One security problem you won't have to worry about with Firefox? See Firefox Takes Privacy Lead With HTTPS By Default. ]

2. Malicious extensions can be monetized. Why would attackers bother with a malicious Chrome extension, or gaining access to people's Facebook profiles? "You're probably asking yourself how the bad guys are turning this malicious scheme into money," said Assolin. "Well, it's easy: they have total control of the victim's profile, so they created a service to sell 'Likes' on Facebook, especially focused [on] companies that want to promote their profiles, gaining more fans and visibility."

3. Extensions offer JavaScript capabilities. Facebook attacks notwithstanding, some security experts paint the overall Chrome information security situation in stark terms. "Chrome extensions are evil," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in his "Apple Versus Google Client Platforms" session at Black Hat Europe this month. "Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans," he said. That's because the extensions can be used to rewrite anything that's in the browser, as well as to inject JavaScript. Historically, of course, an attacker would have to find a browser or Web application bug to exploit, then attempt to inject the JavaScript. "Only now it's built in, in Chrome, so it's a lot more stable and better," said Lindner--at least for attackers.

4. Google ID offers security weak point. How do attackers install malicious extensions? "One thing you can do is just break into the Google account" of a developer, said Lindner, and then replace a real extension with a malicious one. Within a few hours, the updated extension will typically be pushed to all active users. For such an attack to work, however, an attacker must first guess or steal a developer's Google account username and password, and the account would have to be unprotected by Google's free two-factor authentication. But that authentication aside, a dedicated attacker could find ways to steal developer credentials.

5. Vet extensions thoroughly. Google Chrome extensions wield enormous power. "Once you have a malicious extension in your Chrome browser, you're pretty much [expletive deleted]," Lindner said. For example, attackers can use a malicious extension to execute JavaScript, and the extension management dialog in Chrome is rendered in JavaScript. As a result, he said, an attacker "can automatically install extensions," for example by creating JavaScript code that simply clicks "yes" for any "do you want to install this?" prompts.

6. Google does nuke malicious extensions. In the case of the Facebook attack that served up a malicious Chrome extension, "We reported this malicious extension to Google and they removed it quickly," said Kaspersky's Assolin. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat-and-mouse game." To date, the extension appeared to have been installed by about 1,000 people, mostly in Brazil and Portugal.

With these potential security risks in mind, "think twice before installing a Google Chrome extension," said Assolin.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SupportforBrowser
50%
50%
SupportforBrowser,
User Rank: Apprentice
7/10/2018 | 3:49:37 AM
Most of us were unaware of this fact:
Thank you sharing this information most of us were unaware that google chrome support all this features to protect our information.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So now we are monitoring the monitor?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-18096
PUBLISHED: 2018-12-14
Improper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2018-18097
PUBLISHED: 2018-12-14
Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-3704
PUBLISHED: 2018-12-14
Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.