
Google Chrome extensions with 500,000 downloads found to be malicious

Researchers have discovered four malicious extensions with more than 500,000 combined downloads from Google's Chrome Web Store, a finding that highlights a key weakness in what is widely considered to be the most secure Internet browser. Google has since removed the extensions.

Researchers at security firm ICEBRG made the discovery after detecting a suspicious increase in outgoing network traffic from a client's workstation. They soon found that it was generated by a Chrome extension called Change HTTP Request Header, which used the infected machine to surreptitiously visit advertising-related web links. The researchers later discovered three other Chrome extensions, Nyoogle, Stickies, and Lite Bookmarks, which did much the same. ICEBRG suspects the extensions were part of a click fraud scheme that generated revenue from per-click rewards. But the researchers warned that the malicious add-ons could have been used to spy on the people or organizations that installed them.

"In this case, the inherent trust of third-party Google extensions and the accepted risk of user control over these extensions allowed an expansive fraud campaign to succeed," the ICEBRG researchers wrote in a report published on Friday. "In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead in target networks."

Google removed the extensions from the Chrome Web Store after ICEBRG privately reported its findings. ICEBRG also alerted the National Cybersecurity Center of the Netherlands and US-CERT. In its public report, ICEBRG went on to explain how the malicious extensions worked:

By design, Chrome's JavaScript engine evaluates (executes) JavaScript code contained in JSON. Due to security issues, Chrome prevents the ability to retrieve JSON from an external source through extensions, which must explicitly request its use through the Content Security Policy (CSP). When an extension enables the 'unsafe-eval' permission (Figure 3) to perform such actions, it can retrieve and process JSON from an externally controlled server. This creates a scenario in which the author of the extension can inject and execute arbitrary JavaScript every time the update server receives a request.

The Change HTTP Request Header extension downloads JSON through a function called 'update_presets()' that downloads a JSON blob from 'change-request[.]info'.
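A defender can check for the condition described in the report by inspecting each installed extension's manifest.json for a content_security_policy that allows 'unsafe-eval'. The following is an added example, not code from ICEBRG's report or from any of the extensions; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest for a CSP that permits eval().
// Function names and sample manifests are constructed, not from any real extension.

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, the first occurrence of a directive wins; duplicates are ignored.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Return one finding per CSP context whose script sources include 'unsafe-eval'.
function auditManifest(manifest) {
  const csp = manifest.content_security_policy;
  // Manifest V2 uses a single string; Manifest V3 uses an object keyed by context.
  const policies = typeof csp === 'string' ? { extension_pages: csp } : (csp || {});
  const findings = [];
  for (const [context, policy] of Object.entries(policies)) {
    const d = parseCsp(policy);
    // script-src falls back to default-src when it is absent.
    const sources = d['script-src'] || d['default-src'] || [];
    if (sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'")) {
      findings.push({ context, issue: 'unsafe-eval', sources });
    }
  }
  return findings;
}

const SAMPLE_RISKY = { // constructed manifest that opts in to eval()
  name: 'Example Header Tool',
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const SAMPLE_DEFAULT = { name: 'Example Notes', manifest_version: 2 }; // constructed, no CSP override

console.log(auditManifest(SAMPLE_RISKY));
console.log(auditManifest(SAMPLE_DEFAULT));
```

A finding is a reason to review what the extension fetches and evaluates, not proof of malice on its own.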

This is by no means the first time that Chrome extensions have been abused. In late July and early August, unknown attackers compromised the accounts of at least two developers of Chrome extensions. The criminals then used their unauthorized access to automatically install extension updates that injected advertisements into the sites visited by the users. Later in August, Renato Marinho, who is the Research Director of Morphus Labs and a volunteer at the SANS Institute, discovered an elaborate bank fraud scheme that used a malicious extension in Google's Chrome Web Store to steal targets' passwords.

Chrome is widely regarded as one of the most secure Internet browsers, in large part due to the rapid availability of security patches and the effectiveness of its security sandbox, which prevents untrusted content from interacting with key parts of the underlying operating system. Undermining that security is the threat posed by malicious extensions. People should avoid installing extensions unless they provide a real benefit, and then only after careful research into the developer or an analysis of the extension's code and behavior.
