Researchers have discovered four malicious extensions with more than 500,000 total downloads from the Google Chrome Web Store, a finding that reveals a key vulnerability in what is considered the Internet’s most secure browser. Google has removed the extensions.
Researchers from security firm ICEBRG stumbled onto the discovery after noticing suspicious outbound network traffic from a customer’s workplace. They soon found that it was generated by a Chrome extension called HTTP Request Header, which was using the infected machine to visit ad-related web links. The researchers later identified three other Chrome extensions — Nyoogle, Stickies, and Bookmarks Lite — that did the same thing. ICEBRG suspects that the extensions are part of a click-fraud scheme that generates revenue from the clicks. But the researchers warn that malicious extensions can just as easily be used to spy on the people or organizations that install them.
“In this case, the self-reliability of third-party Google extensions, and the perceived risk of user control over these extensions, allow a widespread fraud campaign to succeed,” ICEBRG researchers wrote in a report published Friday. “In the hands of a sophisticated threat actor, the same tool and technique could have made a beachhead into the target’s networks.”
Google removed the extensions from its Chrome Web Store after ICEBRG reported its findings privately. ICEBRG also alerted the National Cyber Security Agency of the Netherlands and US CERT. In the public report, ICEBRG goes on to explain how the malicious extensions work:
By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained in JSON. Due to security concerns, Chrome restricts the ability to retrieve JSON from an external source through extensions, which must be explicitly requested for use by the Content Security Policy (CSP). When the extension enables the ‘secure-eval’ permission (Figure 3), it can receive and process JSON from an external control server. This creates a scenario in which the extension author can inject and execute arbitrary JavaScript code whenever the update server receives a request.
The Change HTTP Request Header extension downloads the JSON via a function called ‘update_presets()’, which downloads a JSON blob from the ‘request-change(.) statement’.
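As an added example (not ICEBRG’s or Google’s code), the script below audits an extension’s manifest.json for the combination the report describes: a content_security_policy that grants ‘unsafe-eval’ (the CSP keyword that enables eval in an extension) together with host permissions that let the extension reach a remote server. It also shows the defensive way to handle a fetched config blob: JSON.parse treats it purely as data and never executes it. The manifests and blobs used are constructed samples, not the real extensions.

```javascript
// Added example (not ICEBRG's or Google's code): statically audit a Chrome
// extension manifest for the pattern the report describes, a CSP granting
// 'unsafe-eval' combined with network access, so that remote JSON can be
// executed as code. Sample manifests below are constructed, not the real ones.

// Parse a CSP string into { directive: [source, ...] }. Manifest V2 carries the
// CSP as a string; Manifest V3 as an object whose "extension_pages" key holds
// the string (assumption: only that context is audited here).
function parseCspDirectives(csp) {
  const text = csp && typeof csp === "object" ? csp.extension_pages || "" : csp || "";
  const directives = {};
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Return a list of finding tags for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const scriptSrc = parseCspDirectives(manifest.content_security_policy)["script-src"] || [];
  // Without 'unsafe-eval', eval() and new Function() throw inside extension
  // pages, so a fetched JSON blob can only ever be data.
  const allowsEval = scriptSrc.includes("'unsafe-eval'");
  if (allowsEval) findings.push("csp-allows-unsafe-eval");
  // A remote origin in script-src lets script files load from outside the package.
  if (scriptSrc.some((s) => /^(https?:)?\/\//.test(s) || s === "https:" || s === "*")) {
    findings.push("csp-remote-script-src");
  }
  // Host patterns: MV2 lists them under "permissions", MV3 under "host_permissions".
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => p === "<all_urls>" || /^(\*|https?|ftp|file):\/\//.test(p));
  if (hosts.length > 0) findings.push("has-host-access");
  // The combination turns an "update server" into a code-delivery channel.
  if (allowsEval && hosts.length > 0) findings.push("eval-plus-remote-fetch");
  return findings;
}

// Defensive handling of a fetched config: JSON.parse never executes anything,
// so a blob that smuggles code is rejected instead of run.
function safeParseRemoteConfig(blobText) {
  try {
    return { ok: true, value: JSON.parse(blobText) };
  } catch (err) {
    return { ok: false, reason: err.name };
  }
}
```

Run it over every manifest.json in an unpacked extension directory; any manifest that yields "eval-plus-remote-fetch" deserves a manual look at what its update or config fetch does with the response.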
This is by no means the first time Chrome extensions have been abused. In late July and early August, unknown attackers compromised the accounts of at least two Chrome extension developers. The criminals then used that unauthorized access to push extension updates that automatically injected ads into sites that users visited. Later in August, Renato Marinho, research director of Morphus Labs and a volunteer at the SANS Institute, discovered a widespread banking scam that used a malicious extension in Google’s Chrome Web Store to steal passwords from its targets.
Chrome is one of the Internet’s most secure browsers, in large part because of the rapid availability of security patches and the effectiveness of its security sandbox, which prevents untrusted content from interacting with critical parts of the operating system. That security is undermined by malicious extensions. People should avoid installing extensions unless they provide a genuine benefit, and then only after careful research into the developer or analysis of the extension’s code and behavior.
Image credit: Getty Images / Aurich Lawson