Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Apps

1/17/2018
09:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Google Chrome Extensions Hide Malice

Researchers from ICEBEG found malicious code hiding in four popular Google Chrome extensions. The search giant is working to fix the problem.

Google Chrome is the most popular web browser, and four extensions that can inject malicious code into it have been found hiding in plain sight on the Chrome Web Store.

ICEBRG, a US-based security firm, first noticed a problem that included an unusual amount of traffic emulating from a workstation to a European virtual private server (VPS) provider. This caused researchers to dig further, and issue a report on the situation.

What researchers found was a Chrome extension named "Change HTTP Request Header," which could download obfuscated JSON files from the "change-request[.]info" website -- IP address of 109.206.161[.]14 -- via an "update_presets()" function.

Now, Chrome can execute JavaScript code contained within JSON but it's not supposed to be able to do so without explicit permission. The extension snuck in a change in permissions to the browser before the JSON was downloaded and then executed.

The downloaded code was observed by ICEBRG to check for Chrome debugging tools and then halting the execution of the infected segment if those tools were found.

When active, the extension would create a WebSocket tunnel to the command and control server and establish proxy browsing traffic via the victim's browser. It then causes the affected systems to land on advertising sites to which referring sites are paid a "pay per click" bounty. The technique used to make this happen could be used for other malicious actions, however. Browsing the internal network of a victim and bypassing perimeter controls would be one situation that could be easily constructed by use of the same method.

Other Chrome extensions were found to use these same techniques. Specifically, Nyoogle-Custom Logo for Google, Lite Bookmarks and Stickies -- Chrome's Post-it Notes. All of these extensions had a reach of about 500,000 users.

Even though three out of the four extensions had been removed from the Chrome Web Store -- Nyoogle still remains -- they may remain active for unaware users in their browsers.

ICEBRG researchers note that they have notified the relevant parties to "coordinate responses," including the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT) and the Google Safe Browsing Operations team.

Google seems to be trying to increase extension security on Chrome by limiting code injection of any kind but that may not be practical for all types of software functions.

Google itself will have to come up with a better control mechanism than it currently shows now in order to be a truly enterprise-class browser that cannot be easily fooled.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting