
Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3

 

Browser extensions have always been a useful tool for boosting productivity and streamlining everyday tasks. They have, however, also become a favourite vehicle for malicious actors, putting both individual users and companies at risk.

Despite Google's efforts to tighten security, malicious extensions have found ways to operate within the limits of its latest extension framework, Manifest V3 (MV3). Recent research from SquareX shows how such rogue extensions can still slip past key security protections, exposing millions of users to data theft, malware and unauthorised access to sensitive information.

Google has long had trouble policing Chrome extensions. In June 2023 the company had to remove 32 malicious extensions from the Chrome Web Store; together they had been installed 72 million times before they were taken down.

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously permissive. Extensions could request broad permissions and load scripts from remote servers, so the code actually running in the browser could change after review and without the user's knowledge. That made it easy for criminals to steal data, reach sensitive information and deliver malware.

In response, Google introduced Manifest V3, which narrows permissions, bans remotely hosted code so that every script must ship inside the reviewed extension package, and replaces persistent background pages with service workers. While MV3 was meant to close the holes in MV2, SquareX's study indicates that it falls short in important areas.

Malicious extensions built on MV3 can still circumvent security measures and capture live video streams from collaboration services such as Google Meet and Zoom Web without any special permission. They can add unauthorised collaborators to private GitHub repositories and redirect users to phishing pages posing as password managers.

Furthermore, these malicious extensions, like their MV2 counterparts, can read browser history, cookies, bookmarks and download history, and can display a fake software-update pop-up that tricks users into downloading malware.

Once a malicious extension is installed, individuals and businesses have almost no visibility into what it does. According to SquareX, security products such as endpoint protection, Secure Access Service Edge (SASE) and Secure Web Gateways (SWG) cannot dynamically assess the risk posed by a browser extension.

To address this, SquareX has built a number of controls aimed at improving browser extension security. Its approach includes customisable rules that let administrators allow or block extensions based on user ratings, reviews, update history and the permissions they request.

The system can also block network requests made by extensions in real time, using policies, machine-learning insights and heuristic analysis. In addition, SquareX is experimenting with dynamic analysis of Chrome extensions in a customised Chromium browser running on its cloud servers, which should give deeper insight into how a potentially malicious extension actually behaves.

New Tool Circumvents Google Chrome's New Cookie Encryption System

 

A researcher has released a tool that bypasses Google's new App-Bound Encryption defence against cookie theft and extracts cookies and saved passwords from the Chrome browser.

Alexander Hagenah, a cybersecurity researcher, published the tool, 'Chrome-App-Bound-Encryption-Decryption,' after noticing that others had previously identified equivalent bypasses. 

Although the tool delivers what several infostealer operations have already done with their malware, its public availability increases the risk for Chrome users who continue to store sensitive information in their browsers. 

Google launched Application-Bound (App-Bound) Encryption in July 2024 (Chrome 127). The feature encrypts cookies with a key held by a Windows service running with SYSTEM privileges, rather than only with the user's DPAPI key, which any process running as that user can use.

The goal was to protect this data from infostealer malware, which runs with the logged-in user's privileges. With the key tied to a SYSTEM service, copying the cookie database and decrypting it in the user's context no longer works: the malware must first gain SYSTEM privileges or inject into Chrome, which is far more likely to trigger security software.

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

By September 2024, however, several infostealer families had found ways around the new protection, letting their cybercriminal customers once again siphon and decrypt sensitive data from Google Chrome.

Google had previously said that a "cat and mouse" game between infostealer developers and its engineers was to be expected, and that it never assumed its defences would be impenetrable. Rather, App-Bound Encryption was meant to lay the groundwork for progressively building a more robust system. Google's response at the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users."

Fake ChatGPT Chrome Extension Targets Facebook Accounts

 

As ChatGPT's popularity grows, more and more people want to try the chatbot, which in turn makes them an attractive target for cybercriminals.

This time the lure is a browser extension called "Quick access to Chat GPT", according to a recent blog post from the online-privacy company Guardio. Fake ChatGPT apps have been used before to spread malware and steal passwords. Unlike those, this extension, which has since been removed from the Chrome Web Store, does genuinely give users access to the chatbot.

While doing so, it also steals every cookie stored in the browser, including security and session tokens for sites such as YouTube and Twitter and for the user's Google account. With these, the operators can get into the victim's online accounts and harvest passwords, although the extension's main target is Facebook accounts.

Targeting prominent Facebook business accounts 

According to CyberNews, the operators behind the extension are specifically looking for victims with prominent Facebook Business accounts. That makes sense given how lucrative hijacked Facebook Business and LinkedIn accounts can be, and how often attackers go after them.

Those who install the extension not only have their Facebook accounts compromised; bots then use those accounts to promote the extension even further.

Worse, the operators have found a way around Facebook's safeguards by renaming the queries they make through Meta's Graph API to the platform's servers, which, according to Guardio's analysts, lets them also take control of a victim's linked WhatsApp and Instagram accounts.

With so much of daily life now happening in the browser, you need to be very careful about which extensions you install. Bad extensions can evade detection just as malicious programs do. Before installing an extension, always check its rating and reviews on the Chrome Web Store; and before you click "Add to Chrome", also look for independent reviews on other sites, or even videos showing the extension in use.

How to use ChatGPT securely and safely

Hackers follow the latest trends closely and exploit them to build fresh phishing schemes and other attacks. A lure normally has to manufacture a sense of urgency to get you to click or download; in this case the hype around ChatGPT has done that work for them.

The only legitimate ways to skip the queue and get early access to ChatGPT are to pay $20 per month for ChatGPT Plus or to meet all the conditions for early access to Microsoft's Bing with ChatGPT.

There is no official browser extension for ChatGPT yet. In fact, "chat.openai.com" is currently the only place to use OpenAI's chatbot online. That may change in future, and if it does there will be plenty of announcements and news coverage of the new way to access ChatGPT.

If you are the impatient type who hunts for shortcuts to ChatGPT, make sure good antivirus software is installed on your PC or Mac. It will help protect you from malware if you run into a scam like the one described above.

Until ChatGPT is available to anyone without a waitlist or queue, hackers will likely keep devising new ways to use the popular chatbot as bait.

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Users of Roblox, the popular online game platform, are being targeted by a malicious Google Chrome extension that tries to steal their passwords and private data.

BleepingComputer reported on two Chrome extensions, both named SearchBlox and with more than 200,000 installs between them, that contain a backdoor allowing the operators to steal users' Roblox credentials and their Rolimons assets.

It remains unclear whether the developer of the two extensions added the backdoor deliberately or whether a third party inserted it; either way, analysts were able to examine the code and locate the backdoor.

The malicious extensions, listed on the Chrome Web Store, add a player search box that lets users look for other players on the game's servers. Although they have different icons, both were published by the same developer and have identical descriptions.

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. Reviews show that Roblox players were quite happy with the extension before the backdoor suddenly appeared, which suggests that someone other than its developer, TheM2, may have been responsible.

To mitigate the potential threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and alter the login credentials for Roblox, Rolimons, and other websites where they logged in while the extension was active. 

A Google spokesperson confirmed that the extensions were removed immediately and would also be automatically deleted from systems where they were installed.

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. "The extensions are block listed and will be automatically removed from any user machine that previously downloaded them."

This is not the first time Roblox users have been victims of cybercrime. In May of this year, security researchers found a malicious file hidden inside the legitimate Synapse X scripting tool, which is used to inject exploits or cheats into Roblox.

The trojanised Synapse X deployed a self-executing program on Windows PCs that drops library files into the Windows system folder. Such a payload can break applications, corrupt or erase data, or send data back to the attackers.

Malicious Chrome Extensions Siphoning Data from 1.4 million Users

 

Threat analysts at McAfee have uncovered five malicious Chrome extensions built to track users' browsing activity and inject code into e-commerce websites.

With more than 1.4 million installs between them, the extensions silently modify cookies on e-commerce sites so that the scammers collect affiliate commissions on the victim's purchases. The five extensions abusing affiliate marketing are:

• Netflix Party (800,000 downloads), 
• Netflix Party 2 (300,000), 
• Full Page Screenshot Capture (200,000), 
• FlipShope Price Tracker Extension (80,000), 
• AutoBuy Flash Sales (20,000). 

"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."

All five extensions use the same technique. The extension manifest ("manifest.json"), which declares the extension's components and permissions, loads a multifunctional script (b0.js) that sends browsing data to a domain the attackers control ("langhort[.]com").

The data is sent in a POST request each time the victim visits a new URL. It includes the URL in base64 form, a user ID, the device location (country, city, zip code) and an encoded referral URL. The same b0.js script also carries the user-tracking and code-injection logic, along with many other functions.

McAfee also identified an evasion mechanism that delays the malicious activity until 15 days after installation, so that the extension looks benign during the period when it is most likely to be examined and avoids raising red flags.
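The 15-day delay above is why a short sandbox run sees nothing, and it is the kind of behaviour the dynamic analysis SquareX describes earlier on this page has to account for. The following is an added example, not code from McAfee, SquareX or any real extension: a simulated payload that stays dormant for 15 days after installation, beside an analysis harness that exposes it by replaying the same page visits under an accelerated virtual clock. The function and field names (makePayload, installedAt, analyzeAcceleratedClock) are this example's own; a real payload would read Date.now() directly, and an instrumented browser would hook that clock instead of having it injected. Runs under Node.

```javascript
// Added example (not from McAfee or SquareX). Simulates a "time-bomb" extension
// payload and shows how an accelerated clock reveals it during analysis.

const DAY_MS = 24 * 60 * 60 * 1000;
const DORMANT_MS = 15 * DAY_MS; // the 15-day delay described in the report

// Simulated payload. `storage` stands in for chrome.storage.local and `now` is
// the clock the payload reads (hypothetical injection point for this example).
// On each page visit it either stays quiet or returns the beacon it would POST:
// the visited URL, base64-encoded as in McAfee's description.
function makePayload(storage, now) {
  return function onPageVisit(url) {
    if (storage.installedAt === undefined) storage.installedAt = now();
    if (now() - storage.installedAt < DORMANT_MS) return null; // still dormant
    return {
      method: "POST",
      host: "collector.invalid", // placeholder, not the real domain
      body: { url: Buffer.from(url, "utf8").toString("base64") },
    };
  };
}

// Naive detonation: real clock, one short session. Sees no traffic at all.
function analyzeRealClock(urls) {
  const payload = makePayload({}, Date.now);
  return urls.map(payload).filter(Boolean);
}

// Accelerated clock: the harness advances virtual time by `stepMs` before every
// visit, so 20 visits with a one-day step cover 20 days in a few milliseconds.
function analyzeAcceleratedClock(urls, stepMs) {
  let virtualNow = 0;
  const payload = makePayload({}, () => virtualNow);
  const beacons = [];
  for (const url of urls) {
    virtualNow += stepMs;
    const beacon = payload(url);
    if (beacon) beacons.push(beacon);
  }
  return beacons;
}

// Decode a captured beacon so the analyst can see what was exfiltrated.
function decodeBeacon(beacon) {
  return Buffer.from(beacon.body.url, "base64").toString("utf8");
}

// Constructed browsing session: 20 visits to made-up shop hosts.
const sampleVisits = Array.from({ length: 20 }, (_, i) => `https://shop${i}.example/cart`);

console.log("real clock beacons:", analyzeRealClock(sampleVisits).length);
const found = analyzeAcceleratedClock(sampleVisits, DAY_MS);
console.log("accelerated clock beacons:", found.length, "first:", decodeBeacon(found[0]));
```

With a one-day step the payload goes live on the 16th visit, so five of the twenty visits produce beacons; with a one-minute step it never wakes up, which is exactly what a real-time sandbox run looks like. The practical lesson is that extension dynamic analysis needs either clock control or a long-lived profile, not a few minutes of browsing.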

McAfee recommends users extensively check extensions before installing them, even if they already have a large install base, and to pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits. 
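McAfee's advice above, SquareX's permission-based allow/deny rules and the MV2-to-MV3 permission changes discussed earlier all come down to reading the manifest. As an added example that is not code from McAfee, SquareX or any extension on this page, here is a static triage of a Chrome extension manifest that flags the permission combinations giving an extension the reach these posts describe (every cookie, every site, script injection). The two manifest objects are constructed samples, not real extensions, and the severity levels and helper names (triageManifest, verdict) are this example's own. Runs under Node.

```javascript
// Added example: static triage of a Chrome extension manifest (MV2 or MV3).

const RISKY_API_PERMISSIONS = {
  cookies: "read and modify cookies for every host it has host access to",
  history: "read browsing history",
  bookmarks: "read bookmarks",
  downloads: "read download history",
  tabs: "see the URL and title of every open tab",
  webRequest: "observe all network requests",
  scripting: "inject scripts into pages it has host access to",
  webNavigation: "track every navigation",
  nativeMessaging: "talk to a native host process outside the browser",
};

const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
const isBroad = (p) => BROAD_PATTERNS.has(p);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns findings as { level: "info" | "warn" | "high", msg }.
function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 mixed host patterns into "permissions"; MV3 moved them to "host_permissions".
  const hostPatterns = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const apiPerms = perms.filter((p) => !isHostPattern(p));
  const broadHosts = hostPatterns.some(isBroad);

  if (manifest.manifest_version !== 3) {
    findings.push({ level: "info", msg: `manifest_version ${manifest.manifest_version}: MV2, may load remotely hosted code` });
  }
  for (const p of apiPerms) {
    if (hasOwn(RISKY_API_PERMISSIONS, p)) {
      findings.push({ level: "warn", msg: `permission "${p}": ${RISKY_API_PERMISSIONS[p]}` });
    }
  }
  if (broadHosts) findings.push({ level: "warn", msg: "host access to every site" });

  // A content script on every page is the pattern shared by the affiliate-fraud
  // and wallet-stealing extensions: it can read and rewrite any page the user opens.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      findings.push({ level: "high", msg: `content script [${(cs.js || []).join(", ")}] runs on every site` });
    }
  }
  // cookies plus broad host access means every session cookie in the profile is readable.
  if (apiPerms.includes("cookies") && broadHosts) {
    findings.push({ level: "high", msg: "cookies + all hosts: every session cookie is readable" });
  }
  return findings;
}

// Highest severity present, usable as the input to an allow/deny policy.
function verdict(manifest) {
  const levels = ["none", "info", "warn", "high"];
  return triageManifest(manifest)
    .map((f) => f.level)
    .reduce((worst, l) => (levels.indexOf(l) > levels.indexOf(worst) ? l : worst), "none");
}

// Constructed sample shaped like the extensions described above.
const suspiciousManifest = {
  manifest_version: 3,
  name: "Party Watcher (constructed sample)",
  version: "1.0",
  permissions: ["cookies", "tabs", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample of a narrowly scoped extension.
const benignManifest = {
  manifest_version: 3,
  name: "Single-site helper (constructed sample)",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

for (const m of [suspiciousManifest, benignManifest]) {
  console.log(`${m.name}: ${verdict(m)}`);
  for (const f of triageManifest(m)) console.log(`  [${f.level}] ${f.msg}`);
}
```

Point it at the manifest.json from an unpacked extension directory (or a CRX you have extracted) and use the verdict as a first gate. A manifest review is only a static first pass: it says what an extension could do, not what it does, so a "warn" verdict is a reason to look at the code and its network behaviour rather than a reason to ship.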

In the previous month, researchers at Kaspersky estimated that more than 1.3 million users had been hit by malicious browser extensions in the first six months of the year alone; between January 2020 and June 2022 they found that more than 4.3 million users had adware hidden in their browser extensions. Although Google works hard to remove malicious extensions, new ones keep appearing at a rapid pace.

Brave Disabled a Chrome Extension Linked to Facebook Users

 

Last week, security researcher Zach Edwards described how Brave had blocked the L.O.C. Chrome extension over concerns that it leaked users' Facebook information to a third-party server without any warning or permission prompt. L.O.C. obtains an access token from Facebook's Creator Studio web app. Once it has that token, a string of 192 alphanumeric characters, the extension can call Facebook's Graph API to fetch data about the signed-in user without being a Facebook-approved third-party app.

The concern is whether this kind of access could be abused. Without the user's knowledge, an extension holding the token could copy the user's profile and send it to a remote server, or store the user's name and email address and use them to track the user across websites. According to a Brave spokesperson, the company is working with the developer on changes, most likely a notice or a permission prompt, to bring the extension up to its privacy and security standards.

In September 2018, Facebook disclosed a breach affecting nearly 50 million accounts, which it blamed on attackers who stole access tokens through its "View As" feature, the one that lets users see how their profile appears to others. "They were able to steal Facebook access tokens, which were subsequently used to take over people's accounts," said Guy Rosen, Meta's VP of Integrity.

Cambridge Analytica harvested people's Facebook profiles through a third-party quiz app linked to the platform. One would assume a quiz app would not share your Facebook profile with others, and that a Chrome extension would not either. Despite Facebook's assurances, a Creator Studio access token in the hands of a malicious and widely installed Chrome extension could lead to a rerun of that history.

Part of the problem is that Chrome extensions seem easy to compromise or abuse, and Meta, beyond reporting the matter to Google, has no direct way to block extensions that abuse its Graph API. According to a Meta representative, the Creator Studio token is tied to the user's session, so it expires when the extension user signs out of Facebook. And if the token has not been sent to the extension developer's server, as appears to be the case with L.O.C., uninstalling the extension also causes the token to expire.

Meta has asked Google to delete the extension from the Chrome Web Store once more and is looking into alternative options.

Facebook has Exposed a 'God Mode' Token that Might be Used to Harvest Data

 

Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued." 

Loc Mai, the extension's developer, said by email that Facebook's Graph API requires a user access token to work. The extension sends a GET request to Creator Studio for Facebook to obtain the token, which lets users of the extension automate handling of their own Facebook data, such as downloading messages. The request returns an access token for the logged-in Facebook user, enabling further programmatic interaction with that user's Facebook data.

Security researcher Zach Edwards said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scraped due to a token exposure." Nonetheless, Facebook appears to regard this data-dispensing token as a feature rather than a bug.

According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai. 

As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but is not evidence of wrongdoing. L.O.C. is still available on the Chrome Web Store. A malicious developer, on the other hand, might harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it. 

According to Edwards, Facebook's Terms of Service fall short here: while the company requires developers to use its app platform, it does not prohibit people from using browser extensions.

The loophole is made worse by the way Chrome extensions currently work. Edwards notes that an extension can request permissions for one domain you control and another you do not, and then open a browser tab on installation to scrape API tokens and session IDs for all sorts of apps.

This New Tool Helps in Detecting Vulnerable Chrome Extensions

 

Researchers at the CISPA Helmholtz Center for Information Security in Germany have built a tool to help identify Chrome extensions that are vulnerable to exploitation by malicious web pages and by other extensions.

Google announced plans in 2018 to overhaul its extension platform to make it safer. Under the previous platform rules, known as Manifest v2, Chrome extensions had sweeping powers that were easily abused, and plenty of criminals took advantage. In February 2020, for example, Google removed over 500 malicious extensions, a month after it temporarily halted the publication of paid extensions in the Chrome Web Store to combat payment fraud.

Alongside its efforts to clean up the Chrome Web Store, Google has been working on Manifest v3, a redesigned set of extension APIs that offer fewer capabilities, at the expense of content-blocking and privacy tools, in return for lower security and privacy risk. Google began accepting Manifest v3 extensions in January 2021. Even these newer extensions are not free of flaws, however, and older Manifest v2 extensions remain in circulation.

CISPA Helmholtz researchers Aurore Fass, Dolière Francis Somé, Michael Backes and Ben Stock set out to build a tool, called DoubleX, to help with the problem. They describe it in the paper "DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale," published in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, to be held next week in South Korea.

They point out that outright malicious extensions are only a small part of the security and privacy problem. Benign extensions may contain vulnerable code that a web page, or another extension the user has installed, can abuse. DoubleX looks for extensions that are not malicious but are exploitable.

DoubleX is an open-source static analyser that detects potentially dangerous data flows. It does not simply hunt for malicious extensions; it looks for exploitable paths from input an attacker can control (a message from a web page or from another extension) into sensitive extension APIs.

How might these flaws be exploited?

According to the researchers, when attacker-controllable data reaches a sink such as eval, an attacker may be able to exercise the permissions of the vulnerable extension. When DoubleX was run over a large set of Chrome extensions it did find issues, though relatively few.
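The class of flaw DoubleX flags, attacker-controlled input flowing into eval, is easiest to see next to its fix. The following is an added example, not code from the DoubleX paper or from any real extension: a message handler that takes code from an external web page and evaluates it, beside a hardened handler that pins the sender origin and dispatches on a fixed action name. Both are plain functions standing in for the listener an extension would register on chrome.runtime.onMessageExternal; the allowed origin, the action names and the helper names are this example's own. Runs under Node.

```javascript
// Added example (not from the DoubleX paper): an externally controllable data
// flow into eval, and the hardened equivalent.

// Vulnerable: any page permitted to message the extension controls msg.code, and
// the handler runs it with the extension's privileges. Combined with broad host
// access this is the "arbitrary code execution in any website" outcome the paper
// describes. `sender` is never checked.
function vulnerableHandler(msg, sender) {
  return eval(msg.code); // sink reachable from attacker-controlled input
}

// Hardened: pin the sender origin, dispatch on a fixed action name, validate the
// arguments, and never execute attacker-supplied strings.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // hypothetical trusted site
const ACTIONS = {
  ping: () => "pong",
  sum: (a, b) => {
    if (typeof a !== "number" || typeof b !== "number") throw new TypeError("sum expects two numbers");
    return a + b;
  },
};

function hardenedHandler(msg, sender) {
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch {
    return { error: "bad sender" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { error: "untrusted origin" };
  // hasOwnProperty rather than `in`: msg.action = "constructor" would otherwise
  // resolve to Object via the prototype chain and be called as an action.
  if (typeof msg.action !== "string" || !Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) {
    return { error: "unknown action" };
  }
  const args = Array.isArray(msg.args) ? msg.args : [];
  try {
    return { result: ACTIONS[msg.action](...args) };
  } catch (e) {
    return { error: e.message };
  }
}

// Demonstration with a constructed message from an untrusted page.
const hostile = { url: "https://attacker.example/" };
console.log("vulnerable:", vulnerableHandler({ code: "6 * 7" }, hostile));
console.log("hardened:", hardenedHandler({ code: "6 * 7" }, hostile));
console.log("hardened, trusted:", hardenedHandler({ action: "sum", args: [2, 3] }, { url: "https://app.example/page" }));
```

The vulnerable handler is what a data-flow analyser like DoubleX is built to find: a parameter of an onMessageExternal listener reaching eval with no sanitisation in between. The hardened version also restricts which pages may message the extension at all, which in a real extension is done with the externally_connectable key in the manifest; origin checks in the handler are the second line of defence, not a substitute.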

The paper stated, "We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information. For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX's precision."

"In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website." 

Between 2.4 million and 2.9 million users are affected by these 184 extensions; 172 are vulnerable to a web attacker and 12 to another unprivileged extension. The researchers say they reported their findings to developers where they could find contact details, and to Google otherwise, between October 2020 and May 2021. As of July 2021, 45 of the 48 vulnerable extensions they reported were still available in the Chrome Web Store.

The paper stated, "Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users)."

Google Stops Displaying Security Warnings in Microsoft Edge, No Longer Recommends Switching to Chrome


Google has stopped advising Microsoft Edge users to switch to Chrome for a more secure experience, since extensions built for Google's Chrome browser also work in the new Chromium-based Microsoft Edge.

Google appeared to be stoking the browser wars when it quietly nudged Edge users towards Chrome with warnings about potential security threats. The alert read that Google "recommends switching to Chrome to use extensions securely". An Edge developer responded that the new Microsoft Edge is designed to protect its users from malicious extensions, and that Edge already has Windows Defender SmartScreen and potentially unwanted application protection built in.

Whenever a user visited the Chrome Web Store from the new Microsoft Edge, Google showed a yellow banner at the top of the page recommending a switch to Chrome to use extensions more safely. Apparently realising that greeting users with a warning implying Edge was the less secure browser reflected poorly on it, Google softened its stance and took the alert down. It then went a step further and replaced the warning with a new message telling users that they can now add extensions to Microsoft Edge from the Chrome Web Store.

Officially, however, Edge supports only a limited set of extensions, and installing extensions from the Chrome Web Store for the first time takes a few steps. Users need to enable "Allow extensions from other stores" on the extensions settings page. When they do, Microsoft warns that it does not verify extensions from third-party stores and that they may affect Edge's performance, and it suggests getting verified extensions from the Microsoft Edge Add-ons site instead. Once users click "Allow", they can add extensions to Edge from the Chrome Web Store.

Google Chrome Extension, Shitcoin Wallet found stealing passwords and crypto-wallet keys


MyCrypto has reported that Shitcoin Wallet, a Google Chrome extension, was injecting JavaScript into web pages to steal passwords and keys from cryptocurrency wallets.

The extension (Chrome extension ID ckkgmccefffnbbalkmbbgebbojjogffn) was launched last month, on December 9. Shitcoin Wallet let users manage their Ether (ETH) and Ethereum ERC20 tokens, the kind usually issued in ICOs (initial coin offerings), either from the browser or through a desktop app.

Malicious behaviour of the extension

Harry Denley, Director of Security at MyCrypto, found that the extension is not what it claims to be: it contains malicious code. As ZDNet reported, "According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk. Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms."

Denley said the extension sends all the keys it holds to a third-party site at erc20wallet[.]tk.

The malicious code works as follows:

1. The user installs the Shitcoin Wallet Chrome extension.
2. The extension requests permission to inject JavaScript into 77 websites.
3. When the user visits any of those 77 sites, it injects additional code.
4. That code activates on five of them: MyEtherWallet.com, Index.Market, Binance.org, NeoTracker.io and Switcheo.exchange.
5. Once active, the code captures the user's login credentials, keys and other data and sends it to a third party.

It is not yet clear whether the Shitcoin Wallet team is behind the malicious behaviour or whether a third party compromised the extension. The team has stayed silent and has not commented on the allegations.

Desktop app

Both 32-bit and 64-bit installers can be downloaded from the extension's official website. VirusTotal, a service that aggregates the scanning engines of many antivirus vendors, showed both as clean. As a precaution, however, assume the desktop app may contain the same code or something worse.