Google Chrome is the world’s most popular browser, and it is often touted (somewhat erroneously) for security. Because of its popularity, Google Chrome is a prime target for hackers who want to cast a wide net for potential targets. Google has had to contend with numerous attacks against the Chrome browser, especially in the form of malicious browser extensions, in the past. It is this issue that has yet again surfaced according to new research.
The malicious browser extensions in question were uncovered by the network security firm ICEBRG Inc. Totaling four different extensions, researchers went in depth in a blog post to show their function and why they were so dangerous.
Initially, the post explained the issue with present day browser extensions in general, a key point to understanding the four current threats. The explanation is given as follows:
Web-based applications can enhance the user’s overall experience, they also pose a threat to workstation security with the ability to inject and execute arbitrary code. Coupling an extension marketplace style “easy install” for users, limited understanding of the underlying risks, and few compensating controls leaves organizations vulnerable to a serious and easily overlooked attack vector.
The malicious extensions were first discovered by ICEBRG when an alarming uptick in outbound network traffic was discovered on a “customer workstation to a European VPS provider.” The extensions were discovered to be the following; Change HTTP Request Header, Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes. Following their discovery, ICEBRG researchers eventually concluded the extensions were being used for click-fraud and search engine optimization manipulation.
This is only half the story, however, as Chrome’s JavaScript engine has an exploitable function that makes these extensions a serious threat. The ICEBRG post describes the flaw as follows:
By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP). When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.
The code injection that is made possible by Chrome’s JavaScript engine means a number of attacks are possible, and as a consequence, a hacker could have access to sensitive data with a few well-placed code injection attacks. While Google has removed the offending extensions from the download hub, the fact remains that many oblivious users likely still have these extensions installed on their Chrome browser (thus putting all surrounding networks at risk).
Kaspersky Lab’s Threatpost notes in their report on the malicious extensions that Google Chrome browser has roughly 60 percent of the browser market cornered. The implications of this are alarming if these browser extensions continue to worm their way into Google’s official download space, as like it or not, the company is vetting the extensions as “safe” to download. While the company is working with IT professionals to give them more control over blocking extensions from being downloaded by users on their network; much work still remains to be done to protect consumers.
