
Hello. Hello. Welcome back. Hopefully you all were able to find something so you don't slowly starve to death. If not good luck. Uh, our next speaker, I should be looking at Hacker Tracker so I don't improv all this. Our next speaker is going to be Mark Eluri. And, uh, they have a bio this time, so I'm going to read it. Uh, Mark started as an offensive security consultant doing penetration testing and code and design reviews. Mark then expanded his skill set into the defensive side, leading cyber sec leading cyber security at various organizations and industry including gaming, fintech and biometrics. Mark is a conference speaker, holds security certifications and was an instructor at Can I read
that? Should I not be censoring that? Okay. Holds sec uh an instructor at Columbia University cyber security boot camp for over four years. Mark is now director of security engineering at Movable, Inc. And I turn it over to you. Thank you. Thank you. Um, thanks. So, last September I I uh released this tool to analyze Chrome extensions. Um, we'll cover the tool, but first I wanted to show you why I care about Chrome extensions and why I find them interesting. So, this is what the tool looks like. It's just like you paste a Chrome extension ID and it'll analyze it. We'll we'll get into that in a bit. But first, so when I was a
pentester, we mostly tested web applications and um one of the things you find in web applications is cross-site scripting, XSS, right? And so that's that means you're you're running JavaScript in the context of of a browser. That's usually a high severity finding. We we like to be able to run JavaScript in someone's browser. You can do a lot with that. Um, so fast forward a few years, I was working on on the I I moved into security engineering. I'm on the blue side and one of our developers um was showing me something on GitHub. Um, that was around eight years ago and his GitHub had dark mode, but back then GitHub didn't have dark mode. And I'm
like, how how do you have dark mode on GitHub? And he's like, Chrome extension, bro. and and I was like, "Oh, cool." But then it clicked that wait, should you be giving a Chrome extension or allowing a Chrome extension to run within the context of your GitHub? Because for for it to add dark mode, it means it needs to be able to to read the data on the website and inject its own CSS or JavaScript. So, it clicked like, huh, something seems weird here. And recently there's been um oh so that was like just one of many actual um Chrome extensions that add dark mode which now you don't even need but they're still there. Um so recently
there's been a few stories about Chrome extensions. The the first one is with the Honey extension. So they were basically just like swapping the affiliate code with their own to to just make money. Um, and that got people thinking like, huh, that like Chrome extensions can actually do a lot like they can tamper data within your browser. And we we I mean we do everything within our browsers like banking like what everything's all our emails are on our browsers for I mean if you use Gmail there was another recent incident. This one was in December. Um, so CyberHaven is a DLP tool data loss protection. It's basically like corporate spyware to make sure that your
employees aren't stealing data or emailing 10,000 social security numbers. So, the way this one works is they they had a Chrome extension and and so they the Chrome extension got compromised. How? So, they got this phishing email, very convincing phishing email that said like, "Hey, you need to to go and and update your Chrome extension otherwise we're we're going to remove it from the store." And, you know, they're a vendor, so they they don't want that to happen. And so they they looked and and it was this was the phishing page that they got and it was a legitimate Google OAuth page where you give the attacker access to your Chrome extension. So it wasn't on a
malicious domain, it was actually by Google. And it's it's really hard to spot, but this is actually giving the attacker full access admin to your Chrome extension. And so the attackers injected their own their own script uh into that Chrome extension. and the Chrome extension had access to do everything on all websites. So what would you do if you could do everything anything on any website? Um in this case they they chose to steal Facebook business accounts the session cookies to to do ad fraud. Um which fine I guess. Um I mean that's the ad ad fraud is a whole industry by itself but there's there's so much you can do if you have access to
someone's browser. So recently I actually saw this article I think like yesterday or two days before someone wrote a um who was it I think that yeah Pulsedive there's an article on Pulsedive um really cool article around this info stealer which so imagine like you you download malware the malware it's an exe can run anything on your machine okay and given that the malware can run anything on your machine what they chose to do was to sideload a chrome extension into your browser because like running malware like running AC isn't even like like being able to to run a Chrome extension is even more powerful because now you have like full cont like the
context is is a browser and so you can do so much and and so the permissions Chrome extension had was a list here. So Chrome extensions have permissions when you install them. there's scoped to certain things you can run in the browser and technically when when you're installing the Chrome extension you're you're giving it those permissions. So if you Google um just like Chrome extension permissions there's the blog um like the documentation lists all the permissions and what they're capable of. And so for example, this malicious Chrome extension had so many like tabs for example, if you have access tabs, you can like screenshot and read all of the other tabs in the browser. There's
like system memory, system.sto display. So it can basically take like screenshots of of what you're browsing storage like cookies. cookies here also like I think last time I checked uh you know we say like oh cookies should have the HTTP only and secure flag so that if someone have but Chrome extension has access to your cookies either way like like it has access to every local storage as well. So you bypass some some um um security mechanisms here uh when you when you can run within the browser directly. So there's many Chrome extensions in general like this is one example of like replacing the word systemd with butts. Um, and some of them have have user. I mean, this one, this
one specifically was made by Jessie Frazelle. We love Jessie Frazelle, but this was made like 10 years ago and it's still on the on the store. You can still download it. Um, it might have actually just changed with manifest v2 to v3, but anyway, the idea is like there's many like old extensions still up there. So, what what exactly is a Chrome extension? So, it's basically a zip file. So when when you want to download the Chrome extension, you you go to the web store and when you click add, it downloads something called a CRX3 file or a CRX file and that's basically um it has a custom header with like an RSA publicly public key and a
signature, but then it's just a zip file. So you can just like unzip it and it has the JavaScript in there. Um this is what the like you know the the file um hex looks like and and Chrome. So, Chromium is an open source version of of Chrome and and you can in the code for Chromium, you can see all the details of the CRX file header and and everything there. So, when you want to download a a Chrome extension, when you go to the web store, this is the URL of a Chrome extension in the web store. For example, this is add block plus. And you see um the last part of the URL is the Chrome
extension ID. Okay? So, when you download a Chrome extension, the folder name will be the ID. And same thing with my tool. When you want to scan a Chrome extension, you just paste the ID and that's what it's going to scan. Um, and if you want to download the CRX file yourself, then you can also just access this URL, paste the the Chrome extension ID, um, and it'll download it. Um, one kind of annoying thing is Chrome wants you to give them your your pro the pro the version of Chrome in the URL. If it's too out of date, it doesn't let you download it anymore, but something to keep in mind. So once you download it and you
basically unzip the the the CRX file, um these are generally the file contents or like at least something similar. And so you'll see like basically like a JavaScript folder and and and and JavaScript files in there. And an interesting file is that last one uh the manifest.json. So, if I want to analyze Chrome extensions and what what they do, where do I start? And usually the manifest.json is the best place to start because that's where the permissions of of the Chrome extensions are defined. And here's an example of of a simple one. So, this is the manifest v2. Um, so Google just um switched from manifest v2, which is the older versions, they were a bit simpler, to
manifest v3. And like allegedly it's like you have more granular permissions and you can't load external JavaScript, but uh we were just talking like it's really just because they want to block ad blockers so they make more ad money. Anyway, the the simple um oh you can barely see it here. I I'll I'll zoom in in a bit, but basically it's just a JSON blob and it defines like what script can run on which websites. Um you can list a bunch of URLs to be like, "Okay, I only want my script to run on these websites." But sometimes you can basically do like starstar, meaning your your JavaScript can run on all websites. Um, here's slightly more
zoomed in, but this is like the the the part where it gives permissions and it just lists the permissions of the Chrome extension there. So, if I want to analyze a Chrome extension, you basically download the CRX, unzip it, look at the manifest, and you parse it, and you see like what's, you know, what permissions does it have, and where do the do these permissions run? Um, and this is the example of like it's it's showing you like this JavaScript should run at in this case it just on all websites, all protocol, all websites, all all URLs. So I learned that when you say the words Chrome extension security, this man will start talking to you like he
basically John Tuckner, he's he's a really really cool guy, knows a lot about um um Chrome extensions. And so um when I was making my tool, I we basically got in touch and and so he he's actually making a similar tool. So my tool is open- source tool that made for like just degenerates like you like anyone can can use it like like doesn't whereas he's making he's making an enterprise version um that's more for like monitoring at the enterprise level. But we started talking and and so um he showed me that there's actually a marketplace for you to to sell your Chrome extension. And so like imagine you're like a 16-year-old, you made a Chrome extension and suddenly
got like 100,000 viewers, but you don't really give a about it. It's like, "Okay, what do I do with it now? I'm bored." And someone's like, "Oh, well, I'll pay you money for your for you to give me your Chrome extension." So he showed me this marketplace. I'm like, "Okay, I mean, in theory, it's so cool. Does does it actually work? can you actually buy access to someone's Chrome extension? And so he he tried it. He he found this one Chrome extension that had declarative network request so it can like tamper network requests on everything on all websites. And he sent them an email. He's like, "Hey, I want to buy your your Chrome extension." And
they're like, "What's your budget?" And he's like, initially they they like thought like $50. And then they he tried to pay the person, but then it payment wasn't going through. And the guy was like, "Just it's it's okay. you can just have my Chrome extension. So, he just gave him the Chrome extension for free and transferred ownership and now now John Tuckner owned this Chrome extension. He was the admin and so he could just push code on to all of the browsers basically that were running this Chrome extension that had it installed. And so he did that. So I I installed it to test and and he um basically redirected Secure Annex's website. He he made a thing where it if
you're visiting this website, it redirects to this YouTube video. Does anyone know what this is? Yeah. Yeah. Did you memorize the the URL? Many people memorize the URL. That's how you become immune to Rickrolling. Although there's alternate URLs you can but just to show you I should be on the Wi-Fi here like like this is the Chrome extension. You might note I am on Brave here. Brave is Chromium-based. So you can still install Chrome extensions from the store. And so I have it installed and if I go to secureanex.com um it's yeah it it it plays. Um so so and here this is just a proof of concept. He could have redirect
anything. He could he could have I mean he very easy alternative is just redirect me to a phishing page and you know it's in my browser so I'm not going to um yeah this is when the Chrome extensions was approved and published. And then there there's like, you know, recently someone tweeted that they acquire they bought a Chrome extension that had 400,000 viewers. And I mean, this guy was was proud enough to tweet about it, but you can imagine many people don't have to broadcast that information. So yeah, you you can buy access to Chrome extensions that have excessive permissions and now you can you own many people's browsers. my tool. So I I wanted a way to analyze
Chrome extensions. Does anyone remember there used to be CRXcavator? Um I used to use that. It was maintained by Duo but it kind of got abandoned and so wasn't working for a while and so I just wanted to make my own. So I I I wrote it in Ruby on Rails and I deployed it on on Heroku and um so this is a demo just in case there wasn't internet but I think we might depending on how much time we have we might play around with it first. But basically how it works is this is the the um main page. You paste an extension ID and it basically does the steps where it downloads it, you know, extracts the
manifest, analyzes it and then displays the results. I'll I'll explain the results in a second. It shows you first some ratings, the security details, what hardcoded URLs on there. It shows you the full manifest. Um, and I wanted to add a few things like eventually I might integrate with John Tuckner's secure annex to pull some more data from from him. Um, but that's that's the main idea. So, um, yeah, the main page. So, when you scan a Chrome extension there there's a banner first and this is just scrap scraping the Chrome web store for basic information. Chrome is actually the hardest to to part because like the other web stores like for Edge or um Firefox, they just
give you the manifest from the URL directly. You don't have to like extract it or scrape their web store, but Chrome doesn't do that. Anyway, so the bottom part, and I'll explain in a second, but there's actually two different ratings. Like I had the bottom one first, but I kind of wanted more. I'll explain in a sec. So, so it gives you like like some like some findings like the security tool does based on the permissions it detects. Um, the details tab lists the permissions again, um, what hosts can it can run on. And then I did a quick grep to to just extract hard-coded URLs from all of the files in the in the um, CRX um,
and just list them here. And then you have the manifest itself. Um, so and the manifest, if you zoom in, like again, as we saw, it shows the permissions and the URLs it can run on. Uh, and so there's a separate tab of my tool called statistics. I'm still kind of working on that. I want to add some like pie charts and stuff, but so far I I released the tool around like September or October and and I just like organically like like kept it on the internet and and because it's a web app, anyone can use it. And so every day I have a few people just scan a few more extensions and so far I have around
1,700 uh extensions scanned um of varying risk levels, but we'll talk about risk levels a little bit at the end. There's also a Twitter bot just I mean I mostly made it for me to see like a sign of life from from whenever someone scans although um the Twitter API the free version only has up to 17 messages per day so it might reach that but anyway I learned that when you make a security tool um one of the challenges is the just their risk ratings ranking risk accurately is kind of hard because when I first released the tool, many things were just listed as critical severity because the reality is like many Chrome extensions just have
excessive permissions. So, a lot of things were listed as as critical severity and that's not very useful. If if your tool lists every single thing as as high or critical, then I don't even need to scan because I'm just going to assume everything's going to be critical. So, what's the point of even scanning something? So that was the first challenge I ran into like like everything critical not very useful. So one example is is privacy badger made by the EFF which I I do trust and so it it does you know at a service level when I first scanned it was like oh high severity it has a lot of permissions but actually when you
look into it like it it's it's reputable it's like scoped to certain domains it's done in a reasonable way so it shouldn't really be high severity and and so what I did was I split into two. So the the bottom part was like just traditional of like it it scans it looks for a few things and based on your permissions it has different findings and then it aggre like it it counts like if you have more than like let's say seven high severity like findings in your chrome extension then it lists the overall risk rating as like critical but I wanted more so so at the top I'm using anthropic API the Claude API and I basically send it all of the
information I got from the Chrome extens extension, the manifest, my own findings. I send it to Claude and I'm like, "Hey, like like this is a Chrome extension. Um, you know, this is all of the information I have on it. Like what do you think?" And I and I said like consider also like like if you know who built this Chrome extension, just consider the reputation of the of the vendor or the you know, the reputation of the developer and like you know, consider how many downloads it has and and like you know, everything. And so now now I I keep my original analysis and then it also has its own and basically that's kind of like if you
want to give information to like an analyst that not might not be very technical you can just like paste this blob. Um like one of the recommendations always says like you consider running it in a separate Chrome profile because that like separates um so you know it isolates it to a specific Chrome profile. Um, and for example, for the in their case of the EFF um, plugin, Privacy Badger, it it ranks it as low, which I think is is reasonable. And, um, so I mentioned I had around 1,700 um, Chrome extensions scanned and I I looked at the I pulled all of the the the data and and um, you know, analyze it. And so
um, the light blue color is the original ranking. Um, and the purple one is the AI or you know anthropic APIs is rankings. And so did it work? I mean, I don't know. The like the the biggest difference is that there's much less critical findings. So, so, so it significantly reduced the number of like ones um ranked as critical, but most of them it just ranked them as high instead. So, there's way more high severity ones now. Um, yeah, I'm still not sure about this. So, I mean, if you have feedback, let me know. Um, I mean, I want the tool to be useful, but it it's it's just like kind of hard to to rank things. And so,
that's why I kind of just um um give you all of the context as as a user where it it shows you all of the findings, it shows you both rankings, and it's kind of up to you. Like, it depends on the context, right? which is I guess the right way to to approach any any security findings is like depends who's you who's using is it your CFO is it something that they really need you know um so it's up to you so yeah the tool is at crxaminerte you can use it now it's real app if it breaks I guess let me know maybe um I might fix it maybe um cool yeah that's it I mean we can we
can do a quick demo maybe um does anyone have a Chrome extension they want to scan. Or I guess I can just show you if I go into the statistics tab here. Um so it shows you here the list of um um recently scanned Chrome extensions like someone scanned this one today. Um by default the list is only the last 10, but I think eventually I might expand this and add some charts. But um so let's go into a random one. Um this is critical. So just like let's see what what it is. And so, um, you can click here and it takes you to the Chrome web store if you want. Um, it says when it was last scanned. And I
think I I did a thing where it if it's if it was last scanned more than 48 hours ago, you can force a rescan just so it pulls a more recent version. And then you can see here like the the AI based ranking and then my my own findings. And then you can see some of the other data. Um, yeah. So, play around with it. Let me know what you think I mean I'm happy to hear feedback and see how I can improve it. Um um oh the last thing I'll say is so CRX is for um Chrome and and Chromium based browsers. Um Edge also uses CRX as a file format but has a completely
different store. Um Firefox and Safari use different file formats. I think it's the same concept where it's like kind of like a compressed archive of JavaScript. But um eventually I'll probably start supporting other um um extension stores for other browsers, but so far it is just for Chrome. Um yeah, that's all I have for today. Thank you.
We have like two minutes for for questions. Yeah. So the and your friend elevated the permission step. Didn't it ask he used it to read? Yeah, that that's a great question. So So he didn't elevate the permissions because the permissions were already there. So that that's why he he picked this one. So there wasn't a permission change. And so from my end, the the owner did change the owner of the Chrome extension, but uh Chrome doesn't notify you as as an end user. Like there was no indication that the owner of this Chrome extension changed. Um so from my end completely invisible which is kind of like a scary part I think on on his tool secure annex
he he added a thing where he uh real-time monitors for ownership changes and he can notify you um that's a cool um thing question was I know they extension capabilities there but I heard there's pages you can go to basically extension interactions to do that. Have you seen anything like that? No, I'm not I'm not sure. You mean like in the Chrome settings you can reenable it? Not Chrome settings. It's like created HTML page. Oh,
right. But make HTML page and it interactions. extensions that that sounds very interesting. No, I don't know. Yeah, that's Yeah, it's cool to look into. Yeah. Um, yeah, one more question I think and then we'll probably have to move outside. Yeah, go ahead. Have you thought about doing a manual analysis of your AI results? I wonder.
Yeah. Yeah. Um I haven't really like the vast majority it just downgraded from critical to high. There was a couple interestingly that it it upgraded from like low to high for like it was like no this is actually sketchier than it than it seems. But um I haven't done it just because it takes a lot of effort to look into every single one. Also the a lot of Chrome extensions are like very similar. Um we were just talking earlier like like for a developer usually if you're new to developing Chrome extensions you're like oh let me just like give it all the permissions while I make it because it's just easier. Um and so you
realize like a lot of Chrome extensions ask for the same set of permissions or like excessive permissions. And so then like how do you know if if it's uh legitimate or not or like if it actually needs them or not? You have to like really dig into every single one. Um it just takes too much effort. Um all right, if you have more questions um happy to take them outside. Thank you. [Applause]
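The download-and-analyze pipeline the talk describes (the CRX magic, version and header length in front of a plain zip, manifest.json permissions and host scope for both manifest v2 and v3, a grep for hard-coded URLs, and a count of high findings feeding an overall rating), as an added Python example that is not from the talk or the CRXaminer tool. The severity map, the rating threshold, the placeholder header bytes and the sample manifests are this example's own assumptions; a real CRX3 header is a protobuf carrying the RSA public key and signature, which this example skips over without verifying.

```python
import io
import json
import re
import struct
import zipfile

CRX_MAGIC = b"Cr24"

# Assumed severity map for illustration: the talk names tabs, cookies, storage,
# system.* and declarativeNetRequest as capabilities worth flagging; the
# severities themselves are this example's choice, not the tool's.
RISKY_PERMISSIONS = {
    "cookies": "high", "tabs": "high", "webRequest": "high",
    "declarativeNetRequest": "high", "storage": "medium",
    "system.memory": "medium", "system.display": "medium",
}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def build_sample_crx(manifest: dict, extra_files: dict) -> bytes:
    """Construct a CRX3-shaped file: magic, version, header length, header, zip.
    The header here is opaque filler (constructed); a real one is a protobuf
    with the RSA key and signature, which Chrome verifies before unpacking."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, body in extra_files.items():
            zf.writestr(name, body)
    header = b"\x00" * 16  # placeholder bytes, not a valid signed header
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


def split_crx(data: bytes):
    """Return (version, header, zip_bytes); the zip is what you unzip by hand."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, header_len = struct.unpack("<II", data[4:12])
    return version, data[12:12 + header_len], data[12 + header_len:]


def read_manifest(zip_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return json.loads(zf.read("manifest.json"))


def hardcoded_urls(zip_bytes: bytes) -> set:
    """The 'quick grep' step: every http(s) URL literal in any packaged file."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            found.update(m.decode() for m in URL_RE.findall(zf.read(name)))
    return found


def analyze(manifest: dict) -> list:
    """Findings as (severity, text) from permissions and host scope."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 mixes host patterns into permissions; MV3 moves them to host_permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "/" in p or p.startswith("<")}
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append((RISKY_PERMISSIONS[p], f"permission '{p}'"))
    if hosts & ALL_HOSTS:
        findings.append(("high", "scripts can run on all websites"))
    elif hosts:
        findings.append(("low", f"host scope limited to {len(hosts)} pattern(s)"))
    return findings


def overall_rating(findings: list, high_threshold: int = 7) -> str:
    """More than high_threshold high findings rolls up to critical (assumed cutoff)."""
    highs = sum(1 for sev, _ in findings if sev == "high")
    if highs > high_threshold:
        return "critical"
    if highs:
        return "high"
    return "medium" if findings else "low"
```

Because the sample header is filler, `split_crx` only demonstrates the layout; a real analyzer would also parse the protobuf header and check the signature before trusting the zip.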