Malicious Chrome extensions are bad. But what about nice ones that can be hijacked? This new tool spots them

DoubleX static analyzer is doubleplusgood

Security researchers from Germany's CISPA Helmholtz Center for Information Security have developed software to help identify Chrome extensions that are vulnerable to exploitation by malicious webpages and other extensions.

Back in 2018, Google announced plans to redesign its browser extension platform to make it more secure. Under its old platform rules, known as Manifest v2, Chrome extensions had broad powers that could easily be misused.

And many miscreants have abused those powers. In February 2020, for example, Google removed more than 500 malicious extensions. That was a month after Google closed its Chrome Web Store to new extensions to fight payment fraud. There were more removals in April and May 2020, this time related to extensions designed to steal crypto-wallet credentials. There were other such incidents in June and December 2020. And this sort of thing has been going on for years.

Alongside its efforts to cleanse the Chrome Web Store, for the past three years Google has been developing Manifest v3, a revised set of extension APIs that offer more limited capabilities, to the detriment of content blocking and privacy tools, but with fewer security and privacy pitfalls.

Google began accepting Manifest v3 extensions for review in January 2021. Nonetheless, these more modern extensions are not vulnerability-free, and the older Manifest v2 extensions still circulate.

CISPA Helmholtz boffins Aurore Fass, Dolière Francis Somé, Michael Backes, and Ben Stock took it upon themselves to develop a tool called DoubleX to help deal with the situation.

They describe their efforts in a paper [PDF] titled "DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale," which is featured in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, a virtual event scheduled for next week in South Korea.

Malicious extensions, they say, represent only a fraction of the extensions that present security and privacy concerns.

Benign extensions, meanwhile, may contain insecure code that can be exploited by other extensions installed by the user, or by malicious webpages visited by the user, to run malicious scripts where they shouldn't, exfiltrate data, trigger downloads, and more. It's these harmless-but-exploitable extensions that DoubleX looks for.

DoubleX is an open source static analyzer that's designed to flag vulnerable data flows. It's not, in other words, just for finding malicious extensions; it looks for exploitable data paths, which may exist even in well-intentioned or otherwise benign add-ons.

How might these flaws be exploited? Well, the inclusion of a call to eval, the researchers explain, means an attacker could potentially take advantage of the vulnerable extension's permissions. And an extension containing tabs.executeScript, which injects JavaScript into web pages, offers the possibility of executing arbitrary code in every web page without needing a vulnerability in the page itself.
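To make the "externally controllable data flow" concrete, here is an added illustration (not code from the paper or the DoubleX project) of a Manifest v2 background script that forwards an external message straight into tabs.executeScript, beside a hardened version that allowlists senders and injects only packaged files. The chrome.* object is a constructed stand-in so both handlers can be exercised outside a browser; the sender IDs and script file names are hypothetical.

```javascript
// Constructed stand-in for the slice of the chrome.* API the handlers use.
function makeChromeMock() {
  const calls = [];      // every tabs.executeScript call, with its details
  const listeners = [];
  return {
    calls,
    runtime: { onMessageExternal: { addListener: (fn) => listeners.push(fn) } },
    tabs: { executeScript: (tabId, details) => calls.push({ tabId, ...details }) },
    // Simulate a message arriving from a web page or another extension.
    deliver: (msg, sender) => listeners.forEach((fn) => fn(msg, sender)),
  };
}

// VULNERABLE pattern (the kind of flow DoubleX flags): the payload is
// externally controllable and reaches the executeScript sink unchanged, so
// whoever can message this extension runs code with its permissions.
function registerVulnerable(chrome) {
  chrome.runtime.onMessageExternal.addListener((msg, sender) => {
    chrome.tabs.executeScript(sender.tab ? sender.tab.id : undefined, { code: msg.code });
  });
}

// HARDENED pattern: only an allowlisted sender may reach the sink, the message
// picks from a fixed menu of actions, and the injected script is a packaged
// file rather than attacker-supplied source.
const ACTIONS = { highlight: 'highlight.js', readMode: 'read-mode.js' }; // hypothetical

function registerHardened(chrome, allowedSenderIds) {
  chrome.runtime.onMessageExternal.addListener((msg, sender) => {
    if (!allowedSenderIds.has(sender.id)) return;   // unknown extension or page
    const file = ACTIONS[msg && msg.action];
    if (!file) return;                              // not one of our actions
    chrome.tabs.executeScript(sender.tab ? sender.tab.id : undefined, { file });
  });
}

// Send one constructed hostile message through a handler and report whether
// attacker-controlled source text reached the sink.
function attackerCodeReachesSink(register) {
  const chrome = makeChromeMock();
  register(chrome);
  const hostile = { code: '/* attacker-chosen source */', action: 'highlight' };
  chrome.deliver(hostile, { id: 'unknown-extension-id', tab: { id: 7 } });
  return chrome.calls.some((c) => c.code === hostile.code);
}

// Confirm the hardened handler still serves its legitimate caller.
function fileInjectedForTrustedSender() {
  const chrome = makeChromeMock();
  registerHardened(chrome, new Set(['trusted-partner-id']));
  chrome.deliver({ action: 'highlight' }, { id: 'trusted-partner-id', tab: { id: 3 } });
  return chrome.calls.length === 1 ? chrome.calls[0].file : null;
}
```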

When DoubleX was fed a large number of Chrome extensions, it did indeed find some problems, though perhaps fewer than one might expect given the Chrome Web Store's inglorious history.

"We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information," the paper says. "For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX precision."

"In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website."

These 184 extensions affect between 2.4 million and 2.9 million users, with 172 susceptible to a web attacker and 12 exploitable through another unprivileged extension.

From October 2020 through May 2021, the boffins say they dutifully disclosed their findings to developers, if they could find contact information, and to Google in other cases. As of July 2021, they claim, 45 of 48 vulnerable extensions reported were still in the Chrome Web Store.

"Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users)," the paper says.

The Register asked Google for comment but we've not heard back. ®
