
Malware in the browser: how you might get hacked by a Chrome extension - kjaer
https://kjaer.io/extension-malware/
======
Hamcha
If you like to tweak your Chrome install, check out:

chrome://flags/#extension-active-script-permission

It adds an extra level of permission where each extension that doesn't ask for
a specific website is, by default, locked out of every website, and you have
to enable it manually by either clicking on it, whitelisting the websites
where it can run or globally (example pic, sorry for not being in English:
[http://puu.sh/q5QFR/d6004da3bb.png](http://puu.sh/q5QFR/d6004da3bb.png))

~~~
emodendroket
Is whitelisting extensions possible?

------
lorenzhs
A big problem is also with unmaintained extensions that are being bought by
malicious players (or developers' accounts hijacked), which then slap on an
adware script and push a new version. That way, a previously good extension
with a legitimate reason for "accessing your data on all websites" can
silently become malicious.

~~~
Animats
Yes. Mozilla also allows that, which is really sleazy for Mozilla.

~~~
Sylos
Uhm, Mozilla does a code review of every extension or update to an extension
before it gets published on AMO, so it should hardly be possible for a
malicious third party to do malicious things...

~~~
Animats
There's an outfit called WIPS which buys up abandoned Firefox add-ons and puts
adware and spyware in them.[1] BlockSite [2] is an example. This was approved
by Mozilla AMO.[3]

[1] [http://www.ghacks.net/2013/03/12/mozilla-needs-a-new-audit-p...](http://www.ghacks.net/2013/03/12/mozilla-needs-a-new-audit-process-in-regards-to-add-on-ownership-changes/)
[2] [https://addons.mozilla.org/en-US/firefox/addon/blocksite/rev...](https://addons.mozilla.org/en-US/firefox/addon/blocksite/reviews/?page=3)
[3] [https://bugzilla.mozilla.org/show_bug.cgi?id=903799](https://bugzilla.mozilla.org/show_bug.cgi?id=903799)

------
the_duke
The issue with Chrome extensions, just like with android apps, is that people
never check the permissions and just click OK.

Extensions make it even easier to install them, though; you just need to
redirect a user.

I've also come upon some spam sites that try to get you to install extensions
with annoying alerts that prevent you from closing the page, playing a
recorded message "To close the page, just install the XX extension".

The only remedy is good screening in the app stores. Actually, for
apps/extensions installed from the official repository, I would be OK with
remote removal. This would probably spark an outcry from certain parties, but
as long as it does not extend to manually installed extensions it's acceptable
to me.

~~~
zeta0134
I remain baffled that alerts in modern browsers are still handled with an OS-
level modal dialog that prevents interaction with the browser's interface
elements.

Couldn't the alert instead be rendered as an overlay to the page itself, be
modal to just that tab, and not disable the browser Chrome? This would make it
much harder for pages to "trap" users with alert spam. The existing policies
(don't allow this page to create more dialogs -> page instantly redirects to
itself to reset the flag) aren't doing a good enough job.

~~~
atomwaffel
> Couldn't the alert instead be rendered as an overlay to the page itself, be
> modal to just that tab, and not disable the browser Chrome?

Firefox and Safari do exactly that.

> The existing policies (don't allow this page to create more dialogs -> page
> instantly redirects to itself to reset the flag) aren't doing a good enough
> job.

Does that work? I've never seen any pages that circumvent alert blocking like
that, and I'd have imagined that any sensible implementation would disable
alerts for the entire session (or at least a few minutes).

~~~
zeta0134
I don't know what the exact exploit of the behavior is, but I've observed it
on several "infected" computers while working in tech support. I've seen it on
Internet Explorer, Microsoft Edge, Google Chrome, and some variation of it on
Safari, all of which I was only able to remedy by forcefully closing the
browser using the task manager or equivalent.

Truthfully, I have not actually observed this behavior on Firefox, and I'm
quite thankfully no longer in the business of providing technical support to
personal computer users, so hopefully I never will.

------
gnicholas
My company has a Chrome/Firefox extension with ~60k users. We have been
approached repeatedly by companies that want us to add in their tracking
snippet to our extension. What they offered—tens of thousands of dollars every
year—was tempting, but we didn't take the bait.

They were opaque with us about what the code did (they didn't share the actual
code without NDA, and we never got that far). But I did get to see the snippet
they wanted us to add to our privacy policy, which was devilishly opaque. It
arguably disclosed everything that would be done, but it did so in a way that
sounded very benign.

I googled some phrases from the privacy policy insert and found that they had
in fact gotten several extensions to include the code. Scary.

~~~
JadeNB
> I googled some phrases from the privacy policy insert and found that they
> had in fact gotten several extensions to include the code. Scary.

Could you share those phrases, so that we can do the same Googling?

~~~
gnicholas
Looks like someone already did:
[https://www.reddit.com/r/programming/comments/3tgiaj/chrome_...](https://www.reddit.com/r/programming/comments/3tgiaj/chrome_extensions_aka_total_absence_of_privacy/cx6ha2u)

Leave off "site:chrome.google.com" and see a few more results. Looks like they
don't have many takers these days (or have updated their privacy insert to
make it harder to find them all).

------
stockkid
Thanks for raising awareness of the possible danger of Chrome extensions as
malware. I recently built my first Chrome extension and was amazed by what
harm an extension could do if the maker had bad intentions.

The danger is that many people do not pay much attention to the requested
permissions.

To fight the issue, I think there should be a culture of open sourcing Chrome
extensions. I open sourced mine, and if I build one again, I would.

~~~
groby_b
I think it's great you did, but... People are not reading the permission
request dialogs. How likely do you think it is that they read the actual
source? ;)

------
ungzd
Extensions like this are just the same as .exe adware downloaded and installed
by the user (not automatically).

A more serious problem is legitimate extensions that are trusted by lots of
users then being sold to some rogue company, after which lots of users receive
malware with an update.

~~~
angry-hacker
The same goes for WordPress plug-ins. Once you're approved, you can push
malware to hundreds of thousands of machines. Or whatever you need to do:
backlinks, redirects and other crap.

------
Noseshine
I'm not sure, so this is not really an accusation, but I think I had such
problems with BetterTTV
([https://chrome.google.com/webstore/detail/betterttv/ajopnjid...](https://chrome.google.com/webstore/detail/betterttv/ajopnjidmegmdimjlfnijceegpefgped)),
a Chrome extension for Twitch chat.

I had trouble with Google suddenly asking me to prove I'm not a bot - for
months. I ended up buying a new router because my old one hadn't seen any
updates in ages, just in case that got hacked.

Long story short, after some experimenting the only thing that seemed to shut
Google up was to disable this extension.

This extension _does_ load code from a remote site, they write it is because
having new releases approved takes too long so this is how they work around
it. I had BTTV report a newer version number than there was in the Chrome Web
Store for that reason.

I don't understand how they are allowed to do that, quite openly even? It
defeats the purpose of the Chrome Web Store, and any guarantees by Google are
worthless if extensions can just load some of their code from somewhere else.

Now, this extension actually _is_ open source
([https://github.com/night/BetterTTV](https://github.com/night/BetterTTV)) and
I have not read about any suspicions like mine from anyone else. Still, as I
said above, Google only stopped asking me to verify I'm no robot after
disabling this extension, and I tried several times (on/off).

And the code loading happens quite officially, I first read it on the
extensions developer website itself. From their github README:

    
    
> Files not included in the repo are pulled from the actual server,
> so everything works.

------
anonymousDan
Google gave a good overview of the screening they perform for extensions in a
paper at usenix security last year:
[https://www.usenix.org/conference/usenixsecurity15/technical...](https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/jagpal)

Basically, at their scale it's a hard problem, especially if you need to redo
your analysis after every update to an extension and you can't afford a high
false positive rate.

~~~
Sylos
Well, Mozilla found a solution. And that's the brute-force solution. Just
throw human code-reviewers at the problem until it solves itself.

I'm guessing Google would have more extensions to review than Mozilla and
could not rely as much on volunteers as Mozilla can, but Google also has
something like an order of magnitude more money, so I'm sure they could work
something out, if they really wanted to.

------
NobleSir
4ish years ago I had an old, unupdated netbook get infected with the Conduit
extension, which spread through the sync mechanism to my newer laptops.

------
cloudjacker
There have been extensions out for years that would swap bitcoin addresses
with their own one. Extensions unrelated to bitcoin.

------
Herrera
A somewhat related topic:

A few months ago Google fixed a vulnerability in the inline installation. It
was possible to start an install on the attacker's website and then redirect
the page to an arbitrary one. This would confuse the user, making him believe
that the install came from the arbitrary page.

Here is the PoC if anyone is interested (CVE-2016-1640):
[https://www.youtube.com/watch?v=f_9ObDqBoo8](https://www.youtube.com/watch?v=f_9ObDqBoo8)

------
mistat
Great article, I like the in-depth analysis of how this actually works. Cheers
for the share.

------
616c
This example is hilarious, granted, but not even the one I truly worry about.

I work in a lax multi-national corporate environment, to be vague. These
extensions, especially with religiously conservative adults, are of limited
concern.

I am far more concerned about the semi-professional extensions.

I doubt this is malicious, but someone installed this in my environment and
inquired why the quality of output went down (in terms of pixelation).

[https://chrome.google.com/webstore/search/screenshot?hl=en-U...](https://chrome.google.com/webstore/search/screenshot?hl=en-US)

The problem here is it raises fewer eyebrows. It does a purpose-filled
operation professionals would need, and they are far less discerning than me.

This person had Adobe Acrobat Pro, and forgot. Such extensions have real
potential to IOC (indicators of compromise), but only very expensive next-
generation malware detection knows that when it sees traffic out.

But what if there is no traffic out? Or it does a more professional job with
exfil?

Most modern software inventory has no intelligence into plugins. That is
terrifying. Per-user javascript directories? Enumerating just the obvious ones
can be a full-time job?

What about dupes? I am the only one I know in my department who uses uBlock
... Origin. And I know there is a fork. Others are intended to have a similar
logo and fool busy professionals.

I love FF, but also use Chromium. I am worried that the freedom afforded to me
by the beauty of things like Keysnail, like the generally abstracted trend of
vendor lockdown, forces me to voluntarily suck it up and deal with crap
software defaults and workflows, and doubly recommend the same to people in my
environment. I will increasingly have to part with each of the limited
extensions I like, all while people here push Electron apps. I like them (who
am I to be arrogant and judge the work of these people half my age; at least
they put out code while I bitch all day), but the browser base is not
discernibly updated or managed unless some developers coordinate. I am sure
that came or is coming down the line, but currently popular apps will play
catch up while people like me are forced to preemptively yet again restrict
use of likeable tech because security was an afterthought.

Qubes increasingly looks like the future. It is sad, but I must every few
years consume more resources of my computer for useful, but wasteful,
separation of software from itself, because, well, cue the recently
retracted Theo de Raadt "x86 virtualization being secure is a waste of time"
trope, rescinded because even his OpenBSD crew will bite the bullet and work
on OpenBSD virt technology.

I just depressed myself.

Sincerely, Guy running multiple browsers in Firejail in a VM

EDIT: I do not know the difference between have and half apparently; probably
a sign of my age, haha!

------
jamiesonbecker
This article actually indicates a (probably bug-bounty'able) flaw in the
Chrome webstore security checks:

> The script that it fetches from the above server is a malware payload. The
> extension needs to download it after having been installed because it cannot
> ship with the payload if it wants to pass through the Chrome Webstore’s
> security checks.

There probably are legitimate reasons to pull in remote content, but I can't
think of any that can't be worked around. You'd think that Google's own
malware tracking would pick up
[http://104.131.35.136:9999/](http://104.131.35.136:9999/) as a bad site, but
the malware author takes care to hide that delivery mechanism behind a header
check.

So, to me, ANY request or evals by extensions should (at the very least) be
detected and constitute a separate permissions category, or, better yet,
BLOCKED _as a violation of same origin policy._

~~~
tokenizerrr
I don't get where you're going with this. The extension has the "<all_urls>"
permission which explicitly allows it to do this. It also explicitly turned on
unsafe-eval.

~~~
jamiesonbecker
> The extension has the "<all_urls>" permission which explicitly allows it to
> do this.

<all_urls> has nothing to do with the browser's normal Same Origin Policy for
individual web pages. All URLs indicates that the extension is allowed to
operate on all pages loaded in the browser window.

It has nothing to do with the resources loaded by the extension. In other
words, I'm talking about (for a start), this "Regular web pages.. limited to
Same Origin Policy. Extensions can talk to remote servers outside of its
origin."

[https://developer.chrome.com/extensions/xhr](https://developer.chrome.com/extensions/xhr)

In other words, extension should be treated as operating within the context of
that tab; in other words, a locked-down sandbox for that tab.

Cross-origin permissions as noted above should be flagged to the user and
should apply across the board to any injectable resource (including CSS, HTML,
Javascript, SVG, etc.)

Otherwise, outside resources should fall into the Same Origin Policy (i.e., if
your tab is at [https://google.com/](https://google.com/), only resources
should be loaded from google.com.)

<all_urls> specifically refers to whether the extension is triggered on all
URLs that are visited in the browser or not. That permission is usually
needed.

Different origin attempts to communicate (read and/or write) any data on its
own to any third party server should fall under different permissions.

For more information on what _should_ have happened here, please see "Only
local script and object resources are loaded":

[https://developer.chrome.com/extensions/contentSecurityPolic...](https://developer.chrome.com/extensions/contentSecurityPolicy#resourceLoading)

> It also explicitly turned on unsafe-eval.

That's a good point, and I agree; in fact, unsafe eval should only be
allowable within the Same Origin Policy.

Also, this brings up another good point: some permissions are more risky than
others (for example, the legitimate use cases for unsafe eval are few). A
visual indicator of the relative severity of the requested CSPs when
installing the extension would probably help less technical people tell when
an extension is very risky. (Multiple red danger symbols would probably be a
good clue..)

~~~
tokenizerrr
Yes, regular pages are limited to their same origin policy. Extensions, when
they request it, are not. This extension requested it, so it is capable of
downloading files from any server to a string. It also requested unsafe-eval,
this lets it eval a string. Now, when you add one and one together, you have
two features combined in a malicious way. But not a bug.

Sure, things should be different. But they are the way they are, and
considering the way they are, this is not a bug. And certainly not bug-
bounty'able.

------
_Understated_
I am surprised that no one has mentioned this: Google can remove an extension
that is installed on your computer at any time!

Doesn't anyone else see that as incredibly overreaching?

------
jlarocco
The biggest surprise to me is that this has so many up votes on HN.

Getting "hacked" by a sleazy browser extension is about as surprising as
getting a virus after installing something from a warez site.

