Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chrome Extensions. Show all posts

The Impact of Google’s Manifest V3 on Chrome Extensions

 

Google’s Manifest V3 rules have generated a lot of discussion, primarily because users fear it will make ad blockers, such as Ublock Origin, obsolete. This concern stems from the fact that Ublock Origin is heavily used and has been affected by these changes. However, it’s crucial to understand that these new rules don’t outright disable ad blockers, though they may impact some functionality. The purpose of Manifest V3 is to enhance the security and privacy of Chrome extensions. A significant part of this is limiting remote code execution within extensions, a measure meant to prevent malicious activities that could lead to data breaches. 

This stems from incidents like DataSpii, where extensions harvested sensitive user data including tax returns and financial information. Google’s Manifest V3 aims to prevent such vulnerabilities by introducing stricter regulations on the code that can be used within extensions. For developers, this means adapting to new APIs, notably the WebRequest API, which has been altered to restrict certain network activities that extensions used to perform. While these changes are designed to increase user security, they require extension developers to modify how their tools work. Ad blockers like Ublock Origin can still function, but some users may need to manually enable or adjust settings to get them working effectively under Manifest V3. 

Although many users believe that the update is intended to undermine ad blockers—especially since Google’s main revenue comes from ads—the truth is more nuanced. Google maintains that the changes are intended to bolster security, though skepticism remains high. Users are still able to use ad blockers such as Ublock Origin or switch to alternatives like Ublock Lite, which complies with the new regulations. Additionally, users can choose other browsers like Firefox that do not have the same restrictions and can still run extensions under their older, more flexible frameworks. While Manifest V3 introduces hurdles, it doesn’t spell the end for ad blockers. The changes force developers to ensure that their tools follow stricter security protocols, but this could ultimately lead to safer browsing experiences. 

If some extensions stop working, alternatives or updates are available to address the gaps. For now, users can continue to enjoy ad-free browsing with the right tools and settings, though they should remain vigilant in managing and updating their extensions. To further protect themselves, users are advised to explore additional options such as using privacy-focused extensions like Privacy Badger or Ghostery. For more tech-savvy individuals, setting up hardware-based ad-blocking solutions like Pi-Hole can offer more comprehensive protection. A virtual private network (VPN) with built-in ad-blocking capabilities is another effective solution. Ultimately, while Manifest V3 may introduce limitations, it’s far from the end of ad-blocking extensions. 

Developers are adapting, and users still have a variety of tools to block intrusive ads and enhance their browsing experience. Keeping ad blockers up to date and understanding how to manage extensions is key to ensuring a smooth transition into Google’s new extension framework.

CyberCartel: Latest Banking Trojan Threat in Chrome Extensions


In recent years, Latin America (LATAM) has become a favourite target for threat actors, especially those attacking financial organizations. The recent report by Security Intelligence titled "Unveiling the Latest Banking Threats in LATAM," explains the changing scenario of banking Trojans in the region. This blog covers important findings and results of the report, showing the sophisticated techniques used by threat actors and the immediate need for advanced cybersecurity measures.

Malicious Chrome Extension Rising

The top trend concerning the report is the rise in campaigns that involve Chrome extensions. The extensions, often masked as genuine tools, are made to hack into users' browsers and do various activities. After installing, threat actors can hack login credentials, take screenshots, and deploy malicious scripts into web pages. The report stresses that these extensions are specifically dangerous as they can evade traditional security checks and stay hidden for longer periods.

CyberCartel and its Role

The report also sheds light on the notorious activities of the cybercriminal group known as CyberCartel. The group has been associated with various high-profile attacks on financial organizations and government officials in LATAM. CyberCartel works via the Malware-as-a-Service (MaaS) model, offering other threat actors the tools and infrastructure needed to launch sophisticated attacks. This has allowed amateur cybercriminals to give access and contribute to the frequency and severity of attacks.

Attacking High-Profile Entities

CyberCartel's main targets are high-profile entities like government offices and financial institutions. These forms are lucrative targets because of the sensitive info they manage and the possible financial gain for threat actors. The report mentions various incidents where CyberCartel successfully hacked these organizations, causing reputational and financial damage. The group's potential to adjust and develop its techniques makes it a dangerous adversary for cybersecurity experts.

Advanced Tactics and Techniques

One sophisticated technique is using social engineering to fool users into installing malicious software. Cybercriminals make believable phishing emails and fake websites that impersonate genuine institutions. Hackers access their accounts and launch fraudulent transactions once users are tricked into giving their credentials.

Another sophisticated technique is using polymorphic malware, infamous for changing its code to escape detection by antivirus software. This kind of malware is difficult to address as it requires consistent updates to security systems to keep up with changing threat scenarios. 

Chrome Extensions That Record Keystrokes and Steal Personal Data Should be Avoided

 


Using their Zimperium zLabs research department, Zimperium researchers have discovered a malicious browser extension, dubbed Cloud9. This extension is designed to steal private and sensitive user information and to completely take over the victim's computer. 

Cloud9 is very unnerving because it steals data directly from your computer by monitoring your keystrokes (i.e. keylogging). Cybercriminals would delight in spying on victims' web browser activity since spying can be done through web browsers. After all, it is while you are browsing the web that you are more likely to input highly sought-after credentials, including your bank passwords and other sensitive information. 

Even though you are browsing the web during the time that you are more likely to input highly sought-after credentials, such as your bank passwords or other sensitive information, it is very easy to enter these credentials while you are online. 

In terms of Cloud9, what information do we have? 

As its name suggests, Cloud9 is a botnet that operates as a remote access trojan (RAT) because of the operation method employed. It was found that there were two different versions of Cloud9 that were encountered by researchers: the original and an improved version. The investigators focused their attention in the report, however, on the latter because it "contains all of the functionalities of both variants" according to the report. 

• This type of software runs on a computer to track your keystrokes to steal your credit card information, bank passwords, and more. 

• Using the clipboard, steal your data that was copied and pasted (e.g., you copied it and pasted it). 

• To compromise the user's session, steal your cookies and use them to do so. 

• Cryptocurrencies can be mined using the resources of your browser and computer.

• By inserting malicious code into your device, you will be able to take full control of it.

• From your PC, you can perform DDoS attacks against other websites. 

• A pop-up or an advertisement can be injected into the page. 

The Zimperium zLabs team claims that although Cloud9 is a malicious browser plugin, it cannot be found in any official repository for browser extensions (e.g. Chrome Web Store), despite it being a known malware on the internet. Researchers have found that Cloud9 has been masquerading as an Adobe Flash Player update on malicious websites more frequently than not, according to the research. 

What is the history of Cloud9 and where did it come from? 

A malware group called Keksec was connected to Cloud9 by the investigators to trace its origin. There have been many attacks targeted by this group that has been associated with mining-related malware, said Zimperium zLabs researchers. 

It seems as though the Cloud9 botnet is currently being sold for a few hundred dollars or for free on several hacker forums throughout the world. A report from the company warned that this malware was not targeting a specific type of group. To exploit as much valuable information as possible from all users, cyber criminals target all users to maximize their profits from their exploits. 

In a report released by Zimperium, it was said that because traditional endpoint security solutions do not monitor this vector of attack, browsers are susceptible. However, Cloud9 should remain a distant threat as long as you do not side-load extensions from malicious websites into your browser or use fraudulent executables that originate from malicious websites.

Remove These Malicious Chrome Extensions With 1 Million Downloads

 


An extension for your browser can enhance your online experience in several ways. Translations, conversions, spellchecking, shopping, and blocking popup ads are some of the services they can assist you with. You can customize your browsing experience using these extensions, and you may even be able to alter the way websites are displayed. There are several popular extensions available for Chrome, but the dark mode is an example.

It is imperative to remember that not all extensions are safe. By giving them access to such information, such as your personal information, you are giving them a lot of power. 

Although some extensions store this data for convenience, others use it to track you or launch a cyberattack against your computer. A malicious Chrome extension was recently reported to have been downloaded 1.4 million times since it first appeared on our site.

The cybersecurity firm Guardio Labs reports that a newly discovered malicious advertising campaign has been discovered in which Chrome extensions are used to hijack web searches and embed affiliate links into any other websites you visit.

The company's security researchers have dubbed this advertising campaign "Dormant Colors" since all of the malicious extensions in question offer color customization options for Chrome, which makes them the right candidate for being dubbed a malicious advertising campaign. However, the extensions themselves do not include malicious code when installed. This is how they were able to bypass Google’s security checks and end up on the Chrome Web Store in the first place. 

Extensions for Google Chrome - Dormant Colors

Following a thorough investigation into this matter by Guardiothis campaign use ad, it was found that there were thirty different versions of these malicious browser extensions available on both the Chrome and Edge web stores with more than a million installations altogether. They have been removed from both web stores, as we mentioned before, but just in case, here is a complete list of all the products that have been removed:

• Action Colors 
• Power Colors 
• Nino Colors 
• More Styles 
• Super Colors 
• Mix Colors 
• Mega Colors 
• Get colors 
• What color 
• Single Color 
• Colors scale 
• Style flex 
• Background Colors 
• More styles 
• Change Color 
• Dood Colors 
• Refresh color 
• Imginfo 
• WebPage Colors 
• Hex colors 
• Soft view 
• Border colors 
• Colors mode 
• Xer Colors 

 Explanation of how to remove Chrome extensions manually 

There are several malicious extensions listed below that have since been removed, but you may need to manually remove them by clicking on the three dots menu at the top right-hand corner of your Chrome browser to remove them permanently. Upon clicking 'More', you will be taken to the More tools section where you will be able to access Extensions.

Making money by hijacking your browser to make money from clicks on the ads 

The cybercriminals behind this campaign use ads and redirects to trick unsuspecting users into installing their malicious extensions. This is done when they visit sites that offer the opportunity to play videos or download files. This is done so that they can then go one step further and download malicious extensions. 

There are two sites where you can watch videos or download programs. However, when you click the videos or download programs link, you are redirected to another site that requires you to add an extension before you can continue. It is quite likely that you will be prompted to install a color-changing extension when you click either the 'OK' button or the 'Continue' button. This extension initially seems harmless on the surface. 

The problem with these extensions is that once installed, their purpose is to redirect users to pages that redirect them to malicious scripts that side-load malicious scripts that show how to perform search hijacking for the extensions, but also that tell the extensions what sites affiliate links can be inserted on to generate affiliate revenue. The creator of these malicious extensions earns a lot of money from these advertisements, which are sold to third parties for profit, which is known as search data. 

It is also possible to use these Dormant Colors extensions for automatic redirects to the same page with affiliate links added to the URL of each page instead of redirecting users to an entirely different page. Whenever anyone purchases an extension on any of these sites, the developers of such an extension will receive a commission for their work. 

Guardia, in a blog post, tells that the malicious extension campaign may have the potential to spread further over the coming weeks. "As this campaign continues to run, it is shifting domains, generating a wide assortment of extensions, and re-inventing several color-and-style-changing functions you are sure to be able to do without."

It is also worth mentioning that the code injection technique analyzed here provides the mitigation and evasion measures necessary to contribute to further malicious activities in the future, especially since it is a huge infrastructure for mitigation and evasion. 

The most effective way to keep your browser from getting infected by malicious extensions 

The most appropriate time to make sure you have an effective antivirus solution installed on your laptop or PC is before you add any additions to your browser, especially if you plan on adding any new extensions to it. In this way, you will be able to protect yourself against malware infection or having your personal information stolen and misused. 

Additionally, when you install any extensions, be sure to only use trusted sources, such as the Chrome Web Store or the Microsoft Edge Add-ons store, as these are both reliable sources. The fact that malicious extensions do slip through the cracks from time to time does not change the fact that you are still safer when you install browser extensions from an official store rather than from the web.

Additionally, you should always ask yourself whether or not you need an extension before downloading it. Do you need it, or do you just want to use it? When you come across an extension that seems too good to be true, then you can be certain that it is and is not worth downloading. In addition to checking the extensions in your browser regularly, you might also want to consider adding new ones. 

You need to regularly take a look at the extensions you have installed in your browser and make sure they are still relevant. Delete any of these that you no longer need. Also, keep an eye out for any new ones you may not have noticed you have added without your knowledge. Using browser extensions, you can add all kinds of new features and options to your browser that are not available in its built-in functionality. 

Google Chrome Extensions can be Employed to Track Your Online Activity

 

A web developer going by the alias ‘z0ccc’ has created a website that can generate a unique online tracking fingerprint based on Chrome extensions installed on the visiting browser. 

The methodology is primarily based on securing the extensions’ web-accessible resources, a type of file within the extension’s infrastructure that web pages can access. The file can consequently be employed to detect installed extensions and create a fingerprint of a visiting user based on the combination of installed extensions. 

The procedure was previously demonstrated in 2019, but the website has only recently been designed. Some extensions can bypass detection by using secret tokens required to access their web resources, but there is novel” resource timing comparison” technique to detect if an extension is installed on the endpoint or not. 

"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc explained on the project’s GitHub page. “By comparing the timing differences, you can accurately determine if the protected extensions are installed." 

To illustrate this fingerprinting technique, the web developer designed an Extension Fingerprints website that will examine a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store. 

The methodology also operates with extensions installed from the Chrome Web Store in Chromium browsers, such as Microsoft Edge. It can spot Edge extensions from Microsoft’s dedicated store, but z0ccc’s website doesn’t support this feature. 

Interestingly, the technique doesn’t work for Firefox extensions as the browser extension IDs are unique for every browser instance, making the web-accessible resources URL impossible to identify by third parties. 

To restrict fingerprinting via browser extension detection, Chrome users can limit the number of extensions they install on their Chrome and Chromium browsers. Installing more extensions and in unique combinations increases the risk of having multiple tracking hash, which facilitates fingerprinting.

"This is definitely a viable option for fingerprinting users," z0ccc explained in the blog post. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."

Research Reveals More Than 2000 Chrome Extensions Disabled Security Headers

 

Tens of thousands of Google Chrome extensions accessible from the official Chrome Online Store manipulate security headers on major websites, posing the danger of web attacks for visitors. 

Although the security headers are little known, they are a vital aspect of the present internet ecosystem. A key component of website security is the HTTP security header. When implemented, it protects users against the kinds of attacks most probably happening on the website. These headers protect XSS, injection code, clickjacking, etc. 

In many other cases, as per the research team, they examined CSP and other security headers, deactivated Chrome extensions “to introduce additional seemingly benign functionalities on the visited web page,” and didn't even look like it was nefarious in purpose. That is because Chrome's framework forces extensions in the name of security to do that, paradoxically. Standard extension code could access the DOM page, but no scripts on the page can interact. 

If a user has access to the website, the browser requests the webpage of a server. While websites per se are presented through HTML, JavaScript, and CSS code, website owners can direct the browser to handle the provided material in various ways by adding additional parameters in the HTTP connection header. 

While not all websites have security headers, many of today's leading Web services commonly incorporate them to protect their customers against attacks, as they frequently face more web-based attacks than conventional sites, because of their larger size. 

Although website managers are configuring their security headers, this does not mean that security headers are still in existence at the client-side where such things can be detected and prevented by attackers with a mid-range attack scheme, malware executing on an operating system, or browser extensions. 

Researchers at the CISPA Helmholtz Centre stated that they were trying to evaluate the number of Chrome extensions that have been damaged by the security for the first time headers. 

The research team has studied 186,434 Chrome extensions, which were accessible last year on the official Chrome Web Store, using a custom infrastructure they particularly developed for the research. 

Their analysis discovered that 2,485 extensions intercepted and altered at least one safety header used by the most famous today's Top 100 websites. The study focused on the four most prevalent safety headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame Options, and X-Content-Type Options. 

While 2485 extensions had disabled at least one, researchers found that 553 were deactivated by all 4 safety headers studied during their investigation. 

CSP, a security header created to enable site owners to regulate what internet resources a page can charge inside a browser as well as a standard defense to prevent websites and browsers from XSS and dataset injections, was the most widely blocked header for security concerns.

Malicious Operations Hide Under The Google Chrome Sync Feature

 

Lately, the threat actors have detected a technique where they can use the sync feature of Google Chrome to transmit commands and steal data from infected systems, circumvent conventional firewalls and other network protections to infected browsers. Chrome sync is a Chrome browser feature that stores copies of a Chrome user's bookmarks, browsing history, browser passwords, and extension settings on Google's cloud servers. This function is used to synchronize the aforementioned data with various devices of a user so that the user still has access to his new Chrome information everywhere. 

On Thursday 4th of January, Bojan Zdrnja, a Croatian security researcher, shared his discovery, wherein a malicious Chrome extension exploited the Chrome sync as a way to connect with a remote command and control (C&C) server and to exfiltrate the details from compromised browsers during the latest incident reaction. 

In addition, Zdrnja added that the attackers had gotten access to a victim's device during the incident he investigated, however, because the data they tried to steal was inside the worker's portal, therefore they downloaded Chrome extension on the user’s system and loaded it in Developer's Mode. It included malicious code that abused Chrome's synchronized functionality to allow attackers to monitor the infected browser, which was used as a security add-on by security company Forcepoint. 

Zdrnja claimed that the purpose of this unique attack was to use the extension to "manipulate data in an internal web application that the victim had access to." 

"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja stated in a report. 

"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he added, wherein data stored in the key field could be anything. For instance, data obtained from the infected browser may be malicious extensions or commands the attacker desires to run the extension at an infected workstation (for example, usernames, passwords, cryptographic keys, or more).

Although the stolen content or corresponding commands are transmitted via Chrome's infrastructure, no process can be inspected or blocked in the majority of corporate networks, which are normally authorized to run and transfer data unimpeded by the Chrome browser. 

The researcher recommended businesses to use Chrome company and community decision assistance to block and monitor the plugins that could be installed on a browser, prohibiting rogue extensions, such as the one he investigated, from being installed.

Attention! Fake Extensions on the Chrome Web Store Again!


Reportedly, Google was in the news about having removed 49 Chrome extensions from its browser’s store for robbing crypto-wallet credentials. What’s more, after that, there surfaced an additional set of password-swiping “extensions” aka “add-ons”, which are up for download even now.

Per sources, the allegedly corrupt add-ons exist on the browser store disguised as authentic crypto-wallet extensions. These absolutely uncertified add-ons invite people to fill in their credentials so as to make siphoning off them easy and the digital money accessible.

Reports mention that the security researchers have affirmative information as to 8 of the 11 fake add-ons impersonating legitimate crypto-wallet software being removed including "Jaxx Ledger, KeyKeep, and MetaMask." A list of “extension identifiers” which was reported to Google was also provided.

Per researchers, there was a lack of vigilance by the Google Web Store because it apparently sanctions phisher-made extensions without giving the issue the attention it demands. Another thing that is disturbing for the researchers is that these extensions had premium ad space and are the first thing a user sees while searching.

According to sources, much like the Google Play Store with malicious apps, the Google Web Store had been facing difficulty in guarding itself against mal-actors. There also hadn’t been much of a response from their team about the issue.

One solution that was most talked about was that Google should at the least put into effect mechanisms in the Chrome Web Store that automatically impose trademark restrictions for the store and the ad platforms in it.

Per sources, Google’s Chrome Web Store “developer agreement” bars developers from violating intellectual property rights and also clearly mentions “Google is not obligated to monitor the products or their content”. Reports mention that as per the ad policy of Google, it could review trademarks complaints from trademarks holders only when it has received a complaint.

Google heeding all the hue and cry about the extensions did herald more restrictions with the motive of wiping away traces of any fake extensions and spammers creating bad quality extensions that were causing people trouble.

The alterations in the policy will block the spammers and developers from swarming the store with similar extensions and elements with questionable behavior. Word has it that because of hateful comments the Chrome Web Store was “locked down” in January.

But, as promising as it may be, allegedly Google has been making such promises about the Chrome Web Store security strengthening for more than half a decade. So no one can blame researchers for their skepticism.

"CursedChrome", a chrome extension used by hackers to make your browser into a proxy


Security researchers have found a Chrome extension that turns Chrome browsers in proxy bots that enables the hacker to browse chrome using an infected identity.
This tool was created by Matthew Bryan, a security researcher, he named it "Cursed Chrome" and released it on GitHub as an open-source project.

 The software works on two fronts and has two parts -

  • a client-side component (this is the chrome extension) 
  • a server-side counterpart ( this is where all CursedChrome server report) 
Once this extension is installed, it can be used to log into the CursedChrome control panel, and through it, the hacker can use any infected browser. Thus, the hacker can navigate and browse the net using that identity and can even access logged in sessions and credentials.

This extension is the icing on the cake for hackers and has been received with skepticism. Many at the cybersecurity community have raised their eyebrows at the public release of such software saying it's nothing short of handing a gun to a killer to do the killing. 

Created for Pen-testing

The creator, Matthew Bryant says that his intentions were quite innocent. "I open-sourced the code because I want other professional red teamers and pen-testers to be able to accurately simulate the 'malicious browser-extension' scenario," says Bryant in a statement.

He opens sourced the code so that it would help security companies to test their walls and keep the miscreants out. "Open-sourcing tooling is important for red teams (security companies) for the same reasons as any other job: it saves time for the teams at different companies from having to rewrite everything whenever they do a red team or pentest. It's actually doubly important for us because pen-testers and red teamers work on extremely tight timelines," Bryant said.

Bryant says that it's very easy to built an extension like CursedChrome for a hacker and his only intention was to bring awareness that extensions like these that we very easily install in our system can be equal to paving way for hackers.

 "It's [...] important to raise awareness of just what level of access you're granting when you install a random extension for your browser," Bryant said in a mail to ZDnet.

He hopes that security companies can show the dangers of Chrome extensions through CursedChrome and build a stronger security system.

Bryant also gives a solution that blocks all extensions that could harm the user's security. He released a second project, named Chrome Galvanizer on GitHub (this too, open-source).