
...and I'm [name inaudible]. Here's what we're going to talk about: who am I, what are extensions, why care, and sort of a tool release.

A little bit about me: I graduated from Rochester Institute of Technology with a degree in computing security back in 2013, and I am a sponsorship coordinator. So for the last talk, I'll get the slides from him and be able to determine how best to disseminate that to everybody, in the best fashion according to everybody. I think it might be either through the website or through a common Dropbox, or something not exactly Dropbox, to put some source along with the videos.

Just a little bit of history of extensions. Extensions are something that can be used to modify the behavior of the browser or add some features to it. In the current browser share, Chrome has the majority, with most people just using it, so that's why I decided to focus on Chrome; it's got 55 percent of the market. Also, as I show there, Chrome released in 2009, then Firefox and Internet Explorer, and now Safari is going to start having browser extensions. So it's not just one browser; it's starting to become more pervasive. Obviously not on the phones, but on the laptop and desktop platforms.

I've seen some Stanford and MIT studies that have shown that extensions are over-privileged. I think it was a majority of the top 100 extensions that have been given too much privilege, in the past at least, and I know they're getting a little better. The security model did not do enough to protect the users, to mitigate things such as cross-site scripting and stealing data. Something that we've started to see now, particularly over the past few years that I've been looking at this compared to the past, is that these extensions have become targets. You see these examples: say, Adblock Plus. That was literally last week, where 37,000 people downloaded "Adblock Plus," and I think all they did was literally just put it under the same name. If you can't tell that it's under the same name, then how are you going to tell how secure it is? We had the Cisco WebEx remote command execution. They did a great job with that; they fixed it right away. Something like that would be really great; they're a great example where, if they find something wrong with it, you fix it. I actually use WebEx and that extension in my work. And you've got the last two, which are people hijacking the developers, which is a different route: hijacking the developers rather than going after the extensions themselves, because the developers have got developer accounts.

Then you've got some industry efforts. Google is now putting out more security features and tools to help users basically be able to make that decision of what they can do to analyze and look at those extensions, but they're really new; I just saw this a few days ago. And you have some enterprise tools that are great if you're an enterprise, but they're sometimes more focused on the app side of it. They'll also plug in with your Google Drive environment and other Google features such as Slides and Excel, to be able to look for things such as social security numbers or maybe credit card numbers, but they're not necessarily focused towards extensions themselves that don't use the Google environment.

A little bit about the tool. It was written in Python, and it takes an extension that the user installs, reviews the code, and assigns a score to some of the manifest options. The manifest is just the table of contents; it basically says this is what is going to be done. It does this because when a user installs a Chrome extension, it copies all the resources to their desktop, so it's not pulling anything from Google. The only thing is that they're coming from the Google store and you're running it in Chrome, but that's it. And this is not meant to be a tool that does anything bad for the app developers; it's just giving us, the users, an opportunity to look at what is being used.

Here are some of the important security-related features that we would look at now and would want to look at going forward. The permissions and the content security policy are two things that I definitely take a look at right now, because I would say they're the most important; I'll show you why in a minute. Background scripts, the scripts that run in the background: it's really unknown what happens when they run. They can run in the beginning, before the page is loaded, after the page is loaded, or while it's loading, so that's really interesting. Content scripts as well: they're JavaScript files that run in the web page, so they can do almost anything as well. And as I said earlier about the permissions, these permissions will not provide a prompt. If you're going to install a Chrome extension, it will not tell you that it is looking at your cookies, and it will not tell you that it is looking at your web browsing history. That's what the web request and web request blocking permissions are: they're basically allowing the extension to look at all the websites you visit and edit them in flight. So essentially it could be looking at your cookies and all your browsing history without you ever knowing it, in theory. Yes, this is straight from the Chrome store, Chrome's website, Google's website; this is a copy/paste. This is what it looks like when I write it, and this is a screen grab right from the Google website.

An interesting find that I had was on Kami HQ. I am NOT saying anything bad about this, but just to go back to the theme of "look what you can find when you're just looking at things": this is a great tool that is used to edit your PDFs, but it has access to a file share. I've seen that it needs YouTube video access; if you're editing PDFs, I don't know why. And also billing software; I can understand that you want it to tie in, but it has two different billing softwares and some file sharing. I'm like, okay, that's a little bit odd to me. And over on the left over here (the mouse is over here) you see all the different permissions that it has and requests access to. It requests access to some of that web request and web blocking, which I mentioned earlier: you're not going to be notified, it's not going to tell you that it's accessing it, because here it says it's going to visit but not edit it.

I'll show you a demo, but on what it is: it downloads it, and if you guys look at the files for Chrome on your machine, it will have downloaded in those locations, and you can simply go in there and look at the manifest.json file and then literally go through this. The code isn't anything special. Something else that I found, some other interesting finds: remember I mentioned the Cisco WebEx vulnerability a while ago. They have since fixed the issue, and what I'm about to say is about when it came out: right as it came out, there was no content security policy, so you theoretically had a cross-site scripting vulnerability that had no restrictions on it. But they have since fixed it.

Going forward, I would like to analyze those content scripts and background scripts as well as the URLs that the system pulls in. The content security policy gives explicit access to what it can pull data from, but I currently don't have the capacity to analyze that right now.

I'll give a little demo here. I've got the tool right here; run it. We're going to look at Kami, I don't know why, it's just easy. So I type in the ID of the extension. I've already installed it on my machine just to save some time; no need to see me literally hit three buttons to say I want to install this. There, it's going through it. It's saying this is version 2.0.9165. It's going to review the background and content scripts, and as you can see here, it's got a result text file. Let's see how it's changed in the last little bit. It looks like it also accesses your Google Drive, so that's interesting. It still looks like they're accessing all those websites; that goes into what they're resourcing and what they're calling from. So that content security policy is literally almost like a whitelist of what resources it's calling from, and those are a lot of resources. You can sort of see here it's 14 websites, two different sources. The sources are like a guide for what sources it's calling from: there's object sources, image sources, and script sources. It only has two restrictions on two of those: one unsafe coding practice, which is the unsafe eval, and it calls from itself twice. And here's a little score on it. I assign scores, zero being the strictest, one for calling from itself, and three for unsafe evals and unsafe [inaudible]. So that gave me the score of sixteen point five. Instead, I was wanting to look at websites; I sort of gave it some options for initial scope scoring. All I did was add up the score and divide by the number of items, so sixteen point five, which is considerable, considering that you've got a large number of resources as well as an AWS bucket in there. Who knows what that AWS bucket is doing, because it's an extension; you don't really have access into what it is doing.

And the permissions I mentioned earlier: I have each permission as well as a number. This is just an example of what I think they're worth; you guys can change them in the code. And then what they actually do, a description, so for those of you who need to explain it to somebody else, it's an easy explanation right there. I took everything like a total risk and divided it, so the average score is 1.75, which is medium, because I did it from 1 to 3: 1 is low, 2 is medium, 3 is high. I apologize for the small text there; I was trying to read it. I'm going to make this available. I'm not sure if I like the name, [inaudible], yet; I just sometimes have trouble coming up with names for things. But I'm going to make it available; I mentioned [inaudible], and I'll make it available to the public going forward. So, any other questions?
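As an added illustration of the scoring the talk describes (this is not the speaker's tool or its code): a Python script that reads a constructed manifest.json, weights each permission from 1 to 3 and averages the weights into a low/medium/high level, and weights each content security policy source with 0 for the strictest, 1 for 'self', and 3 for unsafe-eval, averaging those as well. The permission weights and descriptions, the weight of 2 for remote hosts, the 1.5/2.5 level cut-offs, and the sample manifest are all assumptions made here.

```python
import json
# Assumed permission weights (1 low, 2 medium, 3 high) plus a plain-language description; illustrative, not the speaker's table.
PERMISSION_RISK = {
    "storage": (1, "store data in the extension's own storage area"),
    "tabs": (2, "see the URL and title of every open tab"),
    "cookies": (3, "read and modify cookies for the granted hosts"),
    "webRequest": (3, "observe every request the browser makes"),
    "webRequestBlocking": (3, "block or rewrite requests in flight"),
    "<all_urls>": (3, "host access to every website you visit"),
}
DEFAULT_RISK = (2, "not in the table; treated as medium until reviewed")
# Assumed CSP source weights: 0 strictest, 'self' 1, unsafe keywords 3, any remote host (wildcards included) 2.
CSP_SOURCE_RISK = {"'none'": 0, "'self'": 1, "'unsafe-eval'": 3, "'unsafe-inline'": 3}

def risk_level(average):
    """Bucket an average 1-3 score into the talk's low/medium/high labels."""
    return "low" if average < 1.5 else "medium" if average < 2.5 else "high"

def score_permissions(manifest):
    """Weight each requested permission/host, then average as the talk does."""
    requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    rows = [(p,) + PERMISSION_RISK.get(p, DEFAULT_RISK) for p in requested]
    total = sum(risk for _, risk, _ in rows)
    average = round(total / len(rows), 2) if rows else 0.0
    return {"rows": rows, "total": total, "average": average, "level": risk_level(average)}

def score_csp(manifest):
    """Weight every CSP source; a missing policy means no restrictions declared."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # manifest v3 nests the policy per context
        csp = csp.get("extension_pages", "")
    entries = []
    for directive in filter(None, (d.strip() for d in csp.split(";"))):
        name, *sources = directive.split()
        entries.extend((name, src, CSP_SOURCE_RISK.get(src, 2)) for src in sources)
    total = sum(risk for _, _, risk in entries)
    return {"present": bool(entries), "entries": entries, "total": total,
            "average": round(total / len(entries), 2) if entries else 0.0}

# Constructed sample manifest (not Kami's real manifest.json)
SAMPLE_MANIFEST = json.loads("""{
  "name": "Sample PDF Editor", "version": "2.0.9165", "manifest_version": 2,
  "permissions": ["storage", "tabs", "cookies", "webRequest",
                  "webRequestBlocking", "unlimitedStorage"],
  "content_security_policy": "script-src 'self' https://cdn.example.net 'unsafe-eval'; object-src 'self'; img-src https://*.s3.amazonaws.com"
}""")

if __name__ == "__main__":
    print(json.dumps({"permissions": score_permissions(SAMPLE_MANIFEST), "csp": score_csp(SAMPLE_MANIFEST)}, indent=2))
```

An unknown permission such as unlimitedStorage falls back to DEFAULT_RISK so it is still counted rather than silently skipped.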