Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Google Chrome Extensions: 6 Security Facts

Malicious Chrome extensions, once they have a toehold on your computer, can wreak havoc via your browser. Understand the security implications.

Google Chrome 10 Boosts Performance, Management
Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
A recent crime campaign targeting Facebook users used a novel attack vector: malicious Chrome extensions.

The attack, which occurred in Brazil, "caught our attention not because it asks the user to install a malicious extension, but because the malicious extension [is] hosted at the official [Google] Chrome Web Store," said Fabio Assolin, a security researcher at Kaspersky Lab, in a blog post. "If the user clicks on 'Install aplicativo' he will be redirected to the official store. The malicious extension presents itself as 'Adobe Flash Player,'" which is ironic, because Chrome not only includes a built-in version of the player, but also automatically updates it.

The existence of malicious Chrome extensions begs two questions: What can they do, and how can you stop them? Here are six related facts:

1. Extensions might spread Facebook attacks. In the case of the fake Flash Player, the extension first downloads a script file, which can then pipe commands to the user's Facebook profile, including having them "like" any page that the attacker designates. Attackers also can send any message they like via a user's Facebook profile, such as creating a post with a malicious script, or inviting more people to install the malicious Chrome extension or--potentially--a malicious Facebook application.

[ One security problem you won't have to worry about with Firefox? See Firefox Takes Privacy Lead With HTTPS By Default. ]

2. Malicious extensions can be monetized. Why would attackers bother with a malicious Chrome extension, or gaining access to people's Facebook profiles? "You're probably asking yourself how the bad guys are turning this malicious scheme into money," said Assolin. "Well, it's easy: they have total control of the victim's profile, so they created a service to sell 'Likes' on Facebook, especially focused [on] companies that want to promote their profiles, gaining more fans and visibility."

3. Extensions offer JavaScript capabilities. Facebook attacks notwithstanding, some security experts paint the overall Chrome information security situation in stark terms. "Chrome extensions are evil," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in his "Apple Versus Google Client Platforms" session at Black Hat Europe this month. "Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans," he said. That's because the extensions can be used to rewrite anything that's in the browser, as well as to inject JavaScript. Historically, of course, an attacker would have to find a browser or Web application bug to exploit, then attempt to inject the JavaScript. "Only now it's built in, in Chrome, so it's a lot more stable and better," said Lindner--at least for attackers.

4. Google ID offers security weak point. How do attackers install malicious extensions? "One thing you can do is just break into the Google account" of a developer, said Lindner, and then replace a real extension with a malicious one. Within a few hours, the updated extension will typically be pushed to all active users. For such an attack to work, however, an attacker must first guess or steal a developer's Google account username and password, and the account would have to be unprotected by Google's free two-factor authentication. But that authentication aside, a dedicated attacker could find ways to steal developer credentials.

5. Vet extensions thoroughly. Google Chrome extensions wield enormous power. "Once you have a malicious extension in your Chrome browser, you're pretty much [expletive deleted]," Lindner said. For example, attackers can use a malicious extension to execute JavaScript, and the extension management dialog in Chrome is rendered in JavaScript. As a result, he said, an attacker "can automatically install extensions," for example by creating JavaScript code that simply clicks "yes" for any "do you want to install this?" prompts.

6. Google does nuke malicious extensions. In the case of the Facebook attack that served up a malicious Chrome extension, "We reported this malicious extension to Google and they removed it quickly," said Kaspersky's Assolin. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat-and-mouse game." To date, the extension appeared to have been installed by about 1,000 people, mostly in Brazil and Portugal.

With these potential security risks in mind, "think twice before installing a Google Chrome extension," said Assolin.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SupportforBrowser
50%
50%
SupportforBrowser,
User Rank: Apprentice
7/10/2018 | 3:49:37 AM
Most of us were unaware of this fact:
Thank you sharing this information most of us were unaware that google chrome support all this features to protect our information.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16271
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
CVE-2020-16272
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
CVE-2020-8574
PUBLISHED: 2020-08-03
Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
CVE-2020-8575
PUBLISHED: 2020-08-03
Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
CVE-2020-12739
PUBLISHED: 2020-08-03
A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...