
A Chrome extension that intercepts all form submissions on all websites - agjmills
https://blog.asdfx.us/
======
mikeecb
I changed the Chromium browser (as a masters project) to intercept suspicious
extension actions like inserting elements etc and to alert users of what the
extension is attempting to do. Using this proof-of-concept browser would have
helped you debug your ad injection problem!

[https://cypher.codes/writing/intercepting-suspicious-chrome-extension-actions](https://cypher.codes/writing/intercepting-suspicious-chrome-extension-actions)

- Note: my project specifically tries to protect users from Facebook
hijacking and ad injection attacks - the two most common attacks on the CWS!

~~~
bert_
Thanks for this! (Also, you have the coolest last name)

------
throwaway2016a
Related story...

I once worked on a price comparison plugin and Firefox is very strict about
what your plugins are allowed to do. They review each one and have some strict
rules: like you can't load and execute JavaScript from the web.

Most of our competitors just sent every URL you visited to their server. We
wanted to be better than that since that is an obvious privacy issue.

So we made all our plugins (IE, FF, Chrome) download a whitelist (regex array)
of shopping domains our search engine supported and it would only make API
calls to our server if it matched that list AND you were on a product page.

Had the added benefit of reducing our server load too.

The server still gets a list of every page you visit on eCommerce sites, but
that is better than on all sites.
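As an added example (not code from the thread or from the poster's plugin), here is how that gating check can be written so the allowlist is anchored to the hostname and the server only ever receives the host and path of a matching product page; the domains and path patterns are constructed stand-ins:

```javascript
// Added example: decide whether a price-comparison extension may call its
// server for the current page. Nothing leaves the browser unless the
// hostname matches an anchored allowlist AND the path looks like a product page.

// Constructed allowlist. Each pattern is anchored (^...$) and tested against
// the hostname only, so "shop.example.attacker.example" does not match.
const SHOP_HOST_PATTERNS = [
  /^(www\.)?shop\.example$/,
  /^([a-z0-9-]+\.)?store\.example$/,
];

// Constructed product-page heuristics: path shapes the server supports.
const PRODUCT_PATH_PATTERNS = [
  /^\/dp\/[A-Z0-9]{10}(\/|$)/,
  /^\/products\/[^/]+/,
];

function isSupportedShop(hostname) {
  const host = hostname.toLowerCase();
  return SHOP_HOST_PATTERNS.some((re) => re.test(host));
}

function isProductPage(pathname) {
  return PRODUCT_PATH_PATTERNS.some((re) => re.test(pathname));
}

// Returns null when the page must not be reported; otherwise the minimal
// payload (hostname + path). Query string and fragment are deliberately
// dropped so session tokens or search terms never reach the server.
function buildLookupRequest(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return null; // unparsable input: report nothing
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!isSupportedShop(url.hostname)) return null;
  if (!isProductPage(url.pathname)) return null;
  return { host: url.hostname, path: url.pathname };
}

module.exports = { isSupportedShop, isProductPage, buildLookupRequest };
```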

~~~
JoshMnem
Which extensions send every URL you visit to remote servers?

~~~
throwaway2016a
Too many

~~~
JoshMnem
Examples?

------
fenwick67
Not sure what the fuss is here, the permission is literally called "Read and
change all your data on the websites that you visit". It should be obvious
what it can do.

~~~
dmalvarado
Seems like there should be some additional protection in the extensions API,
if there is not already. "Read and change all your data on the websites that
you visit" vs. "And send it somewhere over the web" are two separate layers of
permission.

Footnote: I can't visit the page. Blocked by corporate.

~~~
tyingq
Since extensions can inject arbitrary js, there isn't really a way to be that
granular.

You could, for example, exfiltrate data by injecting an image tag with some
extra url parameters on the url. Doesn't have to be xhr or websockets.

~~~
debaserab2
I don't see why that couldn't be sandboxed.

"Send and receive data from anywhere on the internet"

Image doesn't load if you don't accept. Same goes for any tag or function that
accesses external URIs.

~~~
AgentME
If the extension has permission to manipulate webpages, then the extension
could inject code (or an image element, etc) into any open webpage to make the
webpage do the request for it.

~~~
debaserab2
That wouldn't affect it any differently than non-injected code. No external
URI loading would occur from code sourced from an extension.

~~~
AgentME
What happens if an extension injects a script tag into the page with code to
wait a second and then add an image element into the page? The code would be
running outside of the extension's isolated world as normal code within the
page. (There's many ways like this to trigger code to be evaled through the
DOM API, and a lot of extensions depend on the ability to do this so they can
interact with the page's javascript values.) The system could be made to
remember that code spawned from an element inserted by the extension is still
associated with the extension and its permissions, but then there's a lot of
possible interactions that can get hairy from there.

If we assume that any code parsed from eval (and equivalent functions)
inherits the association of the code eval was called from, then if the webpage
defines a function like this:

    function runAfterOneSecond(fn) {
      setTimeout(fn, 1000);
    }

Then the extension can inject a script tag that calls runAfterOneSecond but
passes it a string (which setTimeout evals internally) that contains code to
inject an image. If that eval'd code is supposed to retain the association
with the extension, then that would have to be tracked through the string. Do
all strings now require an association field? What if the page code creates a
new string based on that string? Does that new string get the association too?
What if two strings associated with different extensions are combined? Do the
associations get combined so that any code created from the string (or created
from anything created from that string transitively) has the union of all of
their security limitations?

If instead of tracking the associations of values, you tracked whether the
extension was on the call stack at the time of code being parsed, then you're
out of luck there too. Imagine a page with the code `eval(getCode())`: if the
extension overrode the getCode() function, then it could get the page to eval
whatever it wanted. Certain popular web frameworks often eval code from the
DOM (think inline templates), so it would be easy to write a more generic
attack to have the extension stick some code into the DOM formatted in the
specific way that the web framework recognizes so that it will eval and run it
later.

And even if you did manage to successfully restrict extensions from network
requests, you'd end up with an extension that can't ever add elements to the
page or manipulate elements that reference any external content. You couldn't
make an extension for previewing an image on link hover. You could only add a
button with an icon on it if that icon was an inline data uri. You probably
couldn't reuse classnames from the page's css that referenced a remote
background image or font. I would expect that nearly all page-interacting
extensions would request the network permission just so they could get
anything done. Chrome probably wouldn't spell out that permission in the
permissions dialog (instead grouping it into the "Extension can read and
change your data on all sites you visit" line) because of how common it was.
... And then they probably wouldn't go through the huge amount of effort and
redesigns to support that permission in the first place.

~~~
debaserab2
I don't know enough about the chromium security model to validate your
assumptions. I'm speaking more as an API, this is what it _should_ do.

Presumably the implementation would have a mechanism for tracking injected
code and treating modified code as suspect.

------
paulpauper
I only heard about this a few weeks ago and I thought I was up-to-date on
internet security. It may be obvious to others, but I had no idea an extension
could do this. This means it can steal your login like phishing but without a
spoof URL. I now disable all extensions when logging into important websites.

~~~
DougBTX
Another thing you could do is use incognito mode, which disables extensions by
default.

[http://www.tomsguide.com/faq/id-2384484/enable-disable-chrome-extensions-incognito-mode.html](http://www.tomsguide.com/faq/id-2384484/enable-disable-chrome-extensions-incognito-mode.html)

~~~
paulpauper
The problem with incognito is that it does not always clear the cookies when
you close it.

------
thinkcontext
Did you report the malicious extension? It's still available from the Chrome
store.

------
AznHisoka
This is not new. In fact, I'd estimate 20% of all popular plugins know all the
websites you've visited, Google searches you're doing, etc.:
[https://www.howtogeek.com/180175/warning-your-browser-extensions-are-spying-on-you/](https://www.howtogeek.com/180175/warning-your-browser-extensions-are-spying-on-you/)

It's how SimilarWeb and other clickstream companies get their data. They claim
it's harmless, but they have the ability to know everything you've inputted,
and all the secure URLs you've visited (aka that intranet page with all your
company salaries or passwords that you think nobody on the web knows about).

~~~
zulln
"Chrome Extensions - AKA Total Absence of Privacy", Detectify's blog post about
the subject, mentions SimilarWeb as well.

[https://labs.detectify.com/2015/11/19/chrome-extensions-aka-total-absence-of-privacy/](https://labs.detectify.com/2015/11/19/chrome-extensions-aka-total-absence-of-privacy/)

------
whiskeySix
So malware. You wrote some malware.

~~~
vesrah
I think you mean development tool.

------
myinitialsaretk
Great demonstration. You could probably just as easily listen for blur on form
fields and be even more dangerous.

------
codedokode
I never install browser extensions because it is difficult to check what they
are doing and many of them require access to all sites. Users should check who
wrote the extension and whether they trust the author.

------
thereIsCon
That's why I log into my bank or other important accounts in incognito
mode, where I make sure extensions stay disabled.

------
paulpauper
Does not work for blockchain.info but does for reddit, Hacker News, and
facebook.

