
Aishwarya Ramesh Nagarajan & Samuel Ogunlade - Enhancing Chrome Extension Security

BSides Augusta · 2023 · 29:52 · 224 views · Published 2023-10
Category: Technical
Style: Talk
About this talk
There are over 3 billion Chrome users worldwide, and nearly 200,000 extensions are listed in the Chrome Web Store. Extensions have become ubiquitous because they are easy to install, add functionality, and let users customize the browser. That same demand has become a gateway for attackers into browsers and the sensitive information they hold: industry data shows a rising trend of malicious extension installs, with over 1,300,000 install attempts between 2020 and 2022. Because extensions run with privileged permissions, an attacker who controls one can not only gain unauthorized access to high-value data (cookies, session tokens, saved passwords, form data) but can also change browser behavior by injecting code, enabling attacks such as XSS and CSRF. A malicious extension can exfiltrate data without the user's knowledge, breaching their privacy. No single Chrome security control protects against every exploitation path, but a layered approach has a proven track record. Defending against malicious extensions requires a multifaceted approach: a foundational knowledge of how the browser and its extensions interact, and an understanding of how the extension manifest dictates an extension's permissions, privacy, and security. Further layers in the pipeline should include a deny-by-default installation policy, extension security analyzers, and browser isolation agents used to observe an extension's behavior after it loads. This presentation covers the pressing security concerns surrounding Chrome extensions, the current limitations of the available solutions, and our company's approach to mitigating these risks. By implementing robust security measures with stronger control and monitoring, we aim to significantly reduce the threats associated with Chrome extensions and provide a safer, more secure browsing experience.
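The abstract's "extension security analyzer" and the manifest-driven permission model it describes can be made concrete with a small manifest review. The following is an added example written for this page; it is not code from the talk or from Cloudflare. It flags the patterns the speakers warn about (broad host permissions, sensitive permissions on an extension that should not need them, MV2 persistent background pages and remote-script CSPs, web-accessible resources exposed to every origin) and then shows how an approved extension is added to a deny-by-default Chrome ExtensionSettings policy. The manifest keys, permission names, and policy keys are Chrome's own; the sensitive-permission list, the finding strings, the sample manifests, and the extension ID are this example's assumptions.

```javascript
// Added example (not from the talk or from Cloudflare): a manifest.json review
// of the kind the abstract calls an "extension analyzer", plus the
// deny-by-default install policy an approved extension is added to.
// Manifest keys, permission names and ExtensionSettings policy keys are
// Chrome's; the thresholds, finding text and sample manifests are assumptions.

// Permissions that hand an extension user data or browser control and so need
// a justification in review (a subset chosen for this example).
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "history", "tabs", "webRequest", "webRequestBlocking",
  "clipboardRead", "pageCapture", "debugger", "nativeMessaging",
  "management", "proxy",
]);

// Host patterns that match every origin (the "*/*" the talk mentions).
const BROAD_HOST_PATTERNS = [/^<all_urls>$/, /^\*:\/\/\*\//, /^https?:\/\/\*\//];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.some((re) => re.test(pattern));
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function reviewManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;
  const perms = manifest.permissions || [];
  // MV2 declares host patterns inside "permissions"; MV3 moved them to
  // "host_permissions". Merge both so one check covers either layout.
  const hosts = (manifest.host_permissions || []).concat(
    perms.filter((p) => p === "<all_urls>" || p.includes("://")),
  );

  if (mv !== 3) {
    findings.push(`manifest_version ${mv}: MV2 persistent background pages and blocking webRequest still available`);
  }
  for (const h of hosts) {
    if (isBroadHost(h)) findings.push(`broad host permission: ${h}`);
  }
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  // MV2 background pages stay resident unless "persistent": false is set.
  if (mv === 2 && manifest.background && manifest.background.persistent !== false) {
    findings.push("persistent MV2 background page");
  }
  // A relaxed MV2 CSP lets the extension pull script from a remote host,
  // the remote-code problem MV3 was meant to close.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  if (/script-src[^;]*https?:\/\//.test(csp)) {
    findings.push("content_security_policy allows remotely hosted scripts");
  }
  // MV3 web_accessible_resources exposed to every origin lets any page load
  // (and fingerprint) the extension's files.
  for (const entry of manifest.web_accessible_resources || []) {
    if (entry && Array.isArray(entry.matches) && entry.matches.some(isBroadHost)) {
      findings.push("web_accessible_resources exposed to all origins");
    }
  }
  return findings;
}

// Chrome's ExtensionSettings policy: "*" blocks anything not listed
// (deny by default) and each reviewed ID is explicitly allowed.
function buildExtensionSettingsPolicy(approvedIds) {
  const policy = {
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions must be approved by the security team.",
    },
  };
  for (const id of approvedIds) policy[id] = { installation_mode: "allowed" };
  return policy;
}

// Constructed sample manifests (not real extensions). The first mirrors the
// talk's "dark screen" example that asks for cookies it should not need.
const DARK_SCREEN_MV2 = {
  manifest_version: 2,
  name: "Dark screen",
  permissions: ["storage", "activeTab", "cookies", "<all_urls>"],
  background: { scripts: ["background.js"], persistent: true },
  content_security_policy: "script-src 'self' https://cdn.example.net; object-src 'self'",
};

const TIGHT_MV3 = {
  manifest_version: 3,
  name: "Tight",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  background: { service_worker: "sw.js" },
};

// Hypothetical 32-character extension ID, used only for the policy output.
const APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop";

if (typeof require !== "undefined" && require.main === module) {
  console.log(reviewManifest(DARK_SCREEN_MV2)); // five findings
  console.log(reviewManifest(TIGHT_MV3));       // []
  console.log(JSON.stringify(buildExtensionSettingsPolicy([APPROVED_ID]), null, 2));
}
```

Run with `node review.js`. The review is deliberately a static pass over the manifest only; it tells you what an extension may do, not what it does, which is why the talk pairs it with code analysis and post-load observation in an isolated browser.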
Transcript [en]

presentation. We have two outstanding presenters, and they have done me the favor of letting me abbreviate their names. We have Aish and Sam from Cloudflare, and they will be speaking on Enhancing Chrome Extension Security: Fortifying Your Browser Experience. With that, thank you for joining us, and welcome. Thank you. Thank you very much for the introduction. Enhancing Chrome Extension Security: Fortifying Your Browser

Experience. Problem. Hey everyone, this is Aishwarya and this is Sam. We work as security engineers at Cloudflare, and in the next 25 minutes we're going to talk through some research we did in browser security. We're going to cover a few things: what are some of the ways a malicious hacker can get into your browser extension, so slightly touching the offensive side of things, and then trying to understand how we defend, or what security controls we have, to protect our browser extensions at Cloudflare, so how do we onboard a new browser extension, things like that. And last but not least, we are also

going to touch base on what some of the current challenges of the browser extension ecosystem are as far as the security perspective is concerned. So we're going to cover these topics, and with that being said, let's get started. Okay, so browser extensions as an attack vector. Browser extensions aren't a new attack vector; I feel like we've all heard about this, we've seen these kinds of problems, but what we're noticing is that they're becoming more prevalent. I'm just going to read a couple of these to you: "Chrome extensions with 1 million installs hijack targets' browsers," "This Chrome extension lets hackers remotely seize your PC," "Fake ChatGPT Chrome browser extension caught hijacking Facebook

Facebook accounts." That last one is from this year, March of 2023. So these attacks are happening, we're seeing them, they're becoming more prevalent, and now the question just becomes: why are they so prevalent? Why are we seeing these happen so often? So let's get the first thing out of the way: there are 3.2 billion Chrome users. That's not including your Firefox, your Edge, your other Chromium browsers, or anything of that sort, and then if you bring Safari into it, there are about 500 million Safari users. So why does this become a problem? The user and their laptop and their browsing history have kind of become a ubiquitous one-in-one thing. We use our

browsers to search for our medical history, we use our browsers to search dating sites, we use our browsers for financial data, we use our browsers to do quite a lot of things that we would really consider personal and sensitive. And what that actually means is that these browsers and these extensions have access to things like your cookies, your session tokens, your passwords, your form data, and all these kinds of request states. So now the question comes: we have 3.2 billion people using this, it has all this sensitive information, where's the gotcha? Well, we all know this. How many times have we had to update our Chrome

browser within the same week? These extensions are constantly being manipulated, these extensions are constantly being breached and flawed, there are a lot of flaws in the JavaScript libraries, and so there are a bunch of known vulnerabilities in this space. So when you have so many users, a lot of private information, and very easy flaws, you make a recipe for exploitation. All right, so we're going to dive deep into what exactly a Chrome extension is. Perfect. So this is basically how a Chrome extension looks from the inside. These are the different components of a browser extension, especially a Chrome extension. There are three main components, as you can see: the UI, the user interface; the storage

that's going to store all the user data, the login, the credentials, the web transaction information, and so on and so forth; and the main thing out of all three is the middle one, which contains the code itself, the code that powers the browser extension. So the programming logic is going to have the DOM, background scripts, libraries, and, if you haven't heard about the DOM, the DOM is basically going to be the integrator, the connector between the UI and the code, the background scripts, the libraries. So it's going to be sort of the integrator between the things that a user sees on the interface and the code. So that's what the DOM

does. So we're going to have that logic, and we have the most important hero of the story: manifest.json. So what is manifest.json? manifest.json is pretty much like a schema of a Chrome browser extension. This is a very high-level overview of how it looks. What it actually does is dictate to the Chrome browser extension how to operate, who to talk to: in case a new connection gets established, should I talk to this connection, or if, say for example, a new endpoint is giving a request, should I connect to this or not? So in a very easy nutshell, for a

developer this acts like a firewall. It basically instructs: okay, if this is from these X, Y, and Z endpoints, connect to it, talk to it, communicate with it, and so on and so forth. So this makes this manifest.json file extremely critical from a security perspective. As you can see here, the permissions: the permissions have things like tabs, storage, history, and so on. So this actually says, okay, these are the permissions the browser extension can have on the browser, so this browser extension can access the tabs, history, and storage of the browser. And the same thing with the host permissions, so http://example.com, meaning, okay, if I receive a communication from

example.com, I can talk to this. Web accessible resources is going to contain all the static files that are going to be there. So if I wanted to, say for example, from a browser extension perspective, talk to an endpoint and fetch a static file, then all the links are going to be here. So if the links are stated here, the browser extension is going to talk; if not, it's not going to talk. So essentially, manipulating manifest.json can actually manipulate the browser extension itself, so this makes this an extremely crucial element from a security perspective. This is again just a sample, to dive deeper and show how this appears on

a browser extension. As you can see, it says manifest version two. So we have a version; the manifest version is basically the version of the Chrome browser extension itself, and so far for Chrome browser versions we have three versions, and we're going to go over that on the next slides. Then you can see the next things, like okay, what is the name, the description, the icons, what should I allow, what should I block, what permissions do I have to have from a browser extension standpoint on the browser. Background: we have background scripts, the code that is running, and that's basically sort of dictating to the browser extension

when to operate. So you can see the field called persistent, so persistent is equal to false, meaning this is not going to run forever; only if it goes to an endpoint is it going to run. So that's kind of instructing that. And we have the browser action that's going to say, okay, if it's going to be this endpoint, allow, block, and so on and so forth. So this is just an example that we wanted to show you, just to give you an awareness of how this looks in real time. Okay, so as we stated a little bit earlier, there are about three versions, version three coming out about a year

and a half ago. Excuse me. So generally, the extension ecosystem has matured and evolved over the years. Like I said, we see it in versioning: we're in version three right now, and we've had versions one and two over the past 10 years. Each version tends to improve on the other, so it's kind of cyclical: V2 was created to solve problems that were found in V1, V3 was created to solve security problems that were found in V2. So each version tends to be either new security features or attempts to address issues that were found in previous forms. I'm going to give you an example, since we're currently in this V2 to V3 phase.

One of the big issues that V2 brought out was something called background scripts. Background scripts essentially allowed for arbitrary code execution on a remote host unrelated to the extension or the host that's running the extension itself. So it allows me to talk to some other computer somewhere else and pull down some information without any checks and balances. We've seen how this goes; that's bad, it gets pwned, that's a known problem. Another thing that was brought out is the webRequest API. So in versions one and two they use something called the webRequest API, and version three introduces something called declarativeNetRequest. The real main difference here is that with the webRequest API

allowed for unfettered access to the Chrome browser. What that means is that in the communication, the extension was always asked whether or not it wanted to modify this page, whether or not this page had anything to do with the extension itself. So if I'm looking at a banking extension and I went to my social media sites, it would ask the extension, do you want to know the information, and things of that sort. So declarativeNetRequest changed that, where only pre-listed domains and endpoints could be asked to do any work. So essentially, if you weren't pre-listed in your manifest.json file, you were never going to be able to

work on that extension. So that's kind of what goes on. Google has had a major part in the versioning with Chromium, and Google also plays another role with their Web Store. The Web Store is kind of like the front face of where you're supposed to get your Chrome extensions. I'm not going to go into too much detail about all of these things, especially since Google likes to keep their secret sauce; they don't really tell you exactly every security measure that they put in or what they do, but we know a few things. A few easy things are some basic permission checks: essentially, Google asks developers, when they're listing their permissions, do you

need access to all of these permissions? There's continuous monitoring: Google constantly checks the codebase, whether there are any changes to the codebase, whether anything nefarious is happening. Google also has things like their Safe Browsing, their sandboxing, and also just their typical AI/ML for behavior analysis. So Google tends to do a lot of different things to try to keep the Web Store safe, but as we know, malicious actors always find ways around that, and we're going to detail some of those things we've seen. Perfect. So we saw how Google is trying to protect; they're doing whatever they can, but malicious actors,

as always, find a way to get in. So what are some of the most common ways to exploit extensions? Awesome. Side loading: this is actually one of the simplest but the most common forms of exploitation from our research. This is nothing but a user downloading, or clicking a link and downloading, the extension from a third party rather than the official Web Store itself. So, say for example, rather than a user downloading it from the Chrome Web Store, which is the official thing for Google Chrome, the user goes to a random web page and tries to click the link and download that

information. So from an attacker standpoint, they constantly send malicious fake browser extension links in mediums like Telegram and WhatsApp, or maybe host a web page and try to deceive the user into clicking the link, or maybe use some other form like phishing or something like that. So this is one of the most common ways today that browser extensions are being exploited. Awesome. So if you are a developer, then talking to an endpoint, making your code talk to an endpoint to do some sort of microservice, say for example a billing service or

processing data and so on, is going to be pretty common; it's something that we always do. And this slide actually talks about how a lot of developers use already compromised endpoints to make a connection, thereby exploiting the browser extension and thereby exploiting the browser itself. So this is one of the most common ways again. So if you're a developer, please make sure that you use the right endpoint and don't get into something that looks fishy for doing some sort of microservice. And this doesn't just stop here, to be honest; there are a lot of developer practices that

developers need to improve, starting from how they manage their secrets, to whether we have least privilege: are we just asking for the permissions that are required for the browser extension to perform its functionality, or are we just randomly asking the browser for all the permissions? And trying to understand really what Google owns and what the developer owns. I think this is extremely important, because in the case of a Chrome extension, the developer is the person who owns the code and the infrastructure. So basically, if you're going to update a package, it's going to be the developer; if you're going to update the infrastructure, it's going to

be the developer. So understanding what Google owns and what the developer owns becomes extremely critical to make sure your code is updated, the packages, the dependencies, the libraries, everything is updated. And also as far as account security is concerned: if you are a Chrome developer, or if you want to start developing for Chrome, all you need is a Google account for a Chrome extension. So account security is extremely important, because if someone accesses your account, they can access the code, they can access everything behind it; it's direct. So make sure you have the first layer of defense, which is authentication, safe. It's not a mandatory thing for a Google developer account to

have MFA, which is unfortunate. So you have to make sure you have MFA, you have the right password policies, you have all the right IAM checks in place, so that you are securing your account to the utmost level you

can. Okay, so I want to talk about another common exploit we're seeing, which is abusing permissions. We have this concept of least privilege, but we actually don't really see this implemented in actual Chrome extensions. I'm going to sit here and just highlight three kinds of abuses we tend to see. One big thing is host permissions; we talked about this a little bit earlier. Host permissions allow you to determine which domains and endpoints your extension will work on. So we've all kind of seen this star-slash-star, where essentially it works on everything. I don't know if you guys have ever seen Grammarly; Grammarly tends

to use something of this sort. So the extension is able to work on all web pages, or it can do its thing on all web pages. So you've got to ask yourself, is that what the extension is expected to do? Is the extension expected to work on all web pages, or should it be limited to a specific set of web pages or a specific set of hosts? So that's one type of permission abuse we see. Another permission abuse we see is just naturally having over-permissive extensions. This one you see in this example has storage, activeTab, cookies. This may not seem like a problem, but the question is, what is

this extension supposed to do? Is this extension only supposed to make things dark screen? Why does it need access to my cookies? Why does it need access to my storage? There are a lot of things, and when you get into what the permissions are, there are a lot of Google permissions: there's print pages, there's copy clipboard, there's clipboard read/write, there's active tabs, there's page capture, there's a host of many different permissions that have their use in very specific conversations and specific use cases. But you always have to ask yourself, does this extension need these permissions, is this required, is it using that least privilege kind of concept? And then

the last place we see a lot of abuse is in this rules and conditions section. The rules and conditions essentially just dictate what occurs when a rule or condition is met, and these rules and conditions are generally like, when you go to this web page or you go to this subdomain, do these certain things, or block these certain pages. And generally, when we see extensions that have an excessive amount of rules, it generally speaks to a nefarious nature, like it is interacting with too many page resources for what is expected of this extension. So these are things we just have to look out for. Another thing I brought up was just

the abuse of the webRequest API. So here you can see on the screen, it kind of explains what version two does. In version two, you can see that it interacts with the extension on almost every single call, asking whether you're modifying the request, or after it's modified the request. So this is the original state. V1 and V2 allowed the webRequest, or allowed the extension, to receive any information that was occurring on the page, whether or not the extension needed to work on that page or had any task on that domain or on that endpoint. What was introduced with V3 was declarativeNetRequest. declarativeNetRequest essentially said that you need to pre-list all domains and all

hosts that you plan on working on, and if you are not on this list, if Google cannot match you to a list or a domain in your manifest, it will not provide any of that information, any of that user data, to the extension. So why is this really important? With V2, essentially, a lot of extensions had the ability to siphon a lot of data. A lot of users had no idea what pages their extensions were working on, so they would navigate the web like they usually would, and these extensions would just siphon data, pull cookies, pull passwords, pull form data for X, Y, Z purposes. So that was a real big privacy concern. So with V3, what they

introduced was declarativeNetRequest, which was just another way of trying to lock down and only provide access to the extension when it explicitly needs that information. So we're going to go into now what we do at Cloudflare. Awesome. So now that we saw, okay, these are going to be the different ways someone can exploit extensions, what sort of security measures do we have at Cloudflare to make sure that we are defending against a lot of these attacks? And if somebody wants to, say for example, add a new extension, what are the different levels of security checks that they need

to uncover? So at Cloudflare, we believe in the concept of defense in depth, so we'll have multiple checks in multiple layers, apart from using our own products, like the remote browser isolation product, which isolates the browser extensions and the browser, so even if the browser extension is hacked or something like that, it cannot access any data from the browser. So apart from using our own products, we believe in the concept of a multi-layered approach, and the first layer of the multi-layered approach is basically deny by default. So if one of our employees tries to install a browser extension in our browser, or if

a developer is creating a new extension and they are trying to onboard that extension, it's going to be denied by default, and they need to go through a few steps: they need to come to the security team, do a few checks, so that it gets approved. So we're going to talk about the different checks that are done at Cloudflare to let the user onboard an extension. So first, as you can see here, the user tries to install an extension in the browser. Deny by default: they're not going to be able to deploy it, so

it's going to come to the security team. Once it comes to the security team, the security team is going to ask a few questions of the user. We are first trying to understand if this browser extension is needed in the first place: why do you need this extension, is it extremely critical, is it directly related to your job, the work you do? If not, if it's going to be a fancy thing, we say no. So that's the first thing we check, and the next things would be, okay, if it's already hosted on the Web Store, do you have the Web Store link, can you provide

us the extension link, and do you need this running all the time, or what sort of permissions will you allow this extension to run with? And moreover, is it going to have any interaction with our production, are you going to have a separate browser that's going to have this thing, or what is the thing? So we ask the user a bunch of questions first, basic-level questions, trying to gauge if a browser extension is needed in the first place. So let's say they give, okay, this is one of the most critical browser extensions we need, they give the legitimate reasons, and then we do all the

security checks. We have multi-level security checks. The first check is the privacy review, so really trying to understand how data plays into this whole aspect. So, say for example, trying to understand how our data is stored in their databases, what retention policies they have, if they have a database in the EU or somewhere else, do they have the right compliance in place, because it's going to be our data, and what sort of data do they need from a user? So all these different things in the first privacy review. And let's say if they are going to intake our PII, all the user PII

information, if that's the case, then we need to actually make them fill out privacy questionnaires, because we need that for compliance purposes. So we make them do that, and we also understand, hey, do you need this thing to run all the time, so understanding if it's going to be a background thing running, and so on. So that's going to be the first level of check. The second level of check is going to be the code analysis itself: going over the code and checking off all the application security side of things, trying to actually understand what the Chrome extension does, what are the different endpoints it is connecting to,

where is the connection established, and so on; trying to check that all the application security boxes are in place. So that's going to be the second level of check that we do as a security team. And the third level is basically scanning their code base. We do some scanning, and we try to understand when the code was even last updated. So we actually go and check the code repository to see if it's frequently updated, and if it was last updated like 6 years or 8 years ago, we'll be like, no, we're not going to install this. So if

the code repository has been updated recently, we go ahead and show a green flag. So trying to understand those parts, trying to understand what the dependencies are, whether they are using any unsupported or outdated libraries or dependencies; all these different checks are done in level three. And level four, again, I think if an extension passes level three it's almost done; level four is sort of like a final check, trying to understand, okay, so these are the different endpoints it's communicating with, these are the permissions it's going to have on the

browser, are we okay with it? So once all these four checks are done, we will either approve it or deny it, and if it's approved, it's going to be allow-listed on the browser, and any person from the company can use the browser extension. So these are the multiple levels of checks we do at Cloudflare to onboard pretty much every single extension that is being requested. Awesome. So this is a very high-level overview. These are some of the other security things that we need to be aware of if you are an IT security admin. There is a page on the Chrome browser

extensions for admins where it shows you a way to manage all the extensions you have at a company. So make sure you have side loading disabled, because we already saw what side loading was; side loading is basically going to be anyone installing anything, so make sure that is disabled. Extension packaging, again, is how the extension is containerized and how it works, so watch for insecure packaging. There are a few controls if you go in there; these are some of the critical controls. Make sure deny by default is enabled, so that nobody can basically,

when they try to install, it's going to be deny by default. All right, so we're just going to wrap up here with some of the things that we know are kind of missing in the ecosystem. There are very few dedicated browser extension tools; there are very few. Most of the time we are using open source and piecemealing. As you can see, we have a process where we put a lot of things together and solve that problem together, so that's something that's really missing. And even more missing is when you think about the threat intel: there's a lot of threat intel for bad links, malicious

malware, and things of that sort, but there's no threat intel for a popped Chrome extension, unless you're just randomly reading that article that came through. So that leads into the next thing: in security, we're very reactive. We are always chasing after malicious things, we're chasing after these threats, we're chasing after these IOCs, and we don't really try to have a proactive measure, or we don't really think of what we can do ahead of time to deny certain things, so that if this bad link comes through or whatever, this extension has no activity within our

ecosystem. So just thinking in a more proactive nature. And then let's talk about this: V3 came out almost two years ago, V2 hasn't even been deprecated, V2 isn't going to be deprecated for several months, if even that. So what does that mean? All the V2 flaws are still out there: the background scripts are still out there, the webRequest stuff is still out there. This is a problem that's going to be here for the foreseeable future; it's not being fixed just by V3. And then when V3 comes, there's going to be a V4, and there are going to be problems to solve there. So that fragmentation problem is always going to be there, and

something that we have to think about. And finally, Chrome extensions are just code: it's just HTML, it's just CSS, and it's JavaScript, so it uses packages just like any other code repository. So that means that it's just as susceptible to supply chain attacks: if any one of these other packages further down gets popped or something, that cascades the whole way through. So we'd just leave this with: there's a lot to do in browser security. I think it is an area that needs a little bit more focus. We're really focused on the phishing and we're focused on the malware, but I think

this is an area that just doesn't get as much visibility, even though it's something that users use daily, all the time. Extensions are almost ubiquitous with our day-to-day life, so there's just a lot to work on here. I'm pretty excited about that, to see that. I'm going to open the floor to any questions.

[Audience question inaudible.] I think they're going to just... The declarativeNetRequest API, even though it has some great things, a lot of it was built specifically for the ad blockers, where ad blockers are required to put in the domains that they expect to block, which just isn't feasible. So I think that's a more political thing with Google; I think that's their choice. I think some ad blockers have found other ways to work around that, and I think they're going to keep innovating ways to work around that, because ad blocking is crucial for the day-to-day user. It

[Audience question, partially inaudible: "... Department Compu ... but because the browser settings requ ... administrative access change Windows ..."]

["... Department to scenario."] So we're not a Windows shop, we're a Mac shop. I think a lot of our tools come from that. We're Google Workspace users, so a lot of those Google things are built in; our users log into the Chrome browser, so a lot of our solutions work because our users log into a Cloudflare-owned Chrome browser, that sort of thing, so we can use our own group policies and things of that sort. So in the space outside of that, it's kind of unknown. We know that users can pull up and open their own personal browsers, and they're open to whatever extensions they want, so you kind of have

to have some other security measure there, that knowledge base, and I don't know, it's a hard problem to solve, to be honest. You solve things in Chrome and then they just move to Firefox; you solve things in Firefox, they move to the next thing. So yeah. Or maybe if you use our product you can be safe, like the remote browser isolation, you c... [inaudible]

[Audience question, mostly inaudible; fragments: "excavator" ... "open"]

Right now we've kind of gone with a manual approach. We'd love to see some tools and see some things out there. I think there are some things you hear about in small pockets, but it hasn't gained traction and we haven't really tried it, so we kind of throw bodies at it.