How you might get hacked by a Chrome extension

CESV

Malware isn’t just about native executables or rogue apps, not any more -- a malicious browser extension can cause almost as many problems on all your devices at once.

With the right permissions, for example, your new Chrome add-on could steal your user credentials, post as you on social media, read your emails, help launch a DDoS attack, and more.

Worst of all, this isn’t even particularly difficult. Some carefully crafted JavaScript gives the hacker everything they need.

What can you do? The first step is to understand the possibilities, and Maxime Kjaer’s recent blog post can help.

The Computer Science student explains how he first noticed the symptoms, as a friend regularly liked "some weid, clickbaity links" on Facebook.

Following one of these links led to a message saying he needed to "verify his age" to view the content, which bizarrely could only be done by installing a Chrome extension.

Fortunately Kjaer realized something was wrong, looked into the problem, and found a group of rogue Chrome extensions which had infected more than 130,000 computers.

The rest of the post covers an analysis of the extension code and an explanation of what it does. You’ll get more from this if you understand JavaScript, but it’s not essential -- there are also general summaries for the not-so-expert.

One way to reduce your chance of being compromised is to check the source code of an extension before you check it, using something like the Chrome Extension Source Viewer.

Again, you really need to understand JavaScript to get the most from this, but even if you’re a total scripting newbie it’s surprising how much you can figure out on your own.

We visited the Chrome store page for Kickresume’s CV Builder, clicked the Chrome Extension Source Viewer button, and opened manifest.json. This is what we saw.

  1. {
  2.     "update_url": "https://clients2.google.com/service/update2/crx",
  3.     "name": "Resume, CV and Website builder",
  4.     "short_name": "Resume CV builder",
  5.     "description": "Kickresume helps you to create Resume, CV, Personal Website or Cover Letter in minutes and editors check your grammar.",
  6.     "version": "2.5.2.2",
  7.     "manifest_version": 2,
  8.     "icons": {
  9.         "128": "logo_128px.png",
  10.         "500": "logo_500px.png"
  11.     },
  12.     "app": {
  13.         "urls": [
  14.             "https://www.kickresume.com/?utm_source=Chrome%20Store&utm_medium=referral&utm_campaign=Chrome%20Store"
  15.         ],
  16.         "launch": {
  17.             "web_url": "https://www.kickresume.com/?utm_source=Chrome%20Store&utm_medium=referral&utm_campaign=Chrome%20Store"
  18.         }
  19.     }
  20. }

Even with no JavaScript knowledge, there’s nothing here that looks active, just a couple of URLs. These might in theory hold something malicious (they don’t in this case, Kickresume is entirely safe) but the code itself seems harmless.

Now here’s part of a manifest from Kjaer’s malicious add-on.

{
	"background": {
		"scripts": [
			"scripts/query-string.js",
			"scripts/install.js",
			"background.js"
		],
		"persistent": true
	},
	"content_security_policy": "script-src blob: filesystem: chrome-extension-resource: 'self' 'unsafe-eval'; object-src 'self'"
}

Running persistent scripts, in the background, with an "unsafe" security policy? There’s no way for a beginner to say that this is dangerous, or even uncommon, but if you’re unsure about the extension in the first place then it’s another reason to be careful.

Chrome Extension Source Viewer is a free extension for Google Chrome.

© 1998-2019 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.