
BSidesSF 2020 - Chrome Extension Risks and You (Chris Barcellos • Abhi Kafle)

BSidesSF · 2020 · 21:26 · 891 views · Published 2020-03 · Watch on YouTube

Category: Technical
Style: Talk
About this talk
Chris Barcellos, Abhi Kafle - Chrome Extension Risks and You. An often overlooked risk in Google Chrome is the thousands of unique Chrome extensions installed by your users. We will cover examples of risky and malicious (sometimes popular) extensions and share how Lyft strategically reduced risk at scale, with lessons learned along the way.

Transcript [en]

Thanks to everyone for attending this session, and please welcome Christopher and Abhi.

Thanks, everyone, thanks for coming to our talk today. We're going to talk about Chrome extension risks and you. My name is Chris Barcellos. I work on the Lyft red team; I break into systems and help teams fix issues.

Hello everyone, my name is Abhi. I work in the product security team at Lyft, and I was actually more of a red teamer, because Chris social engineered a red teamer into doing a non-red-team project. So today we're going to cover the background of how we came upon this project, and I'm going to go through a few of the risks that Chrome extensions can... can you hear me now? Sure, alright, it's alright. OK, thanks.

Alright, so we're talking about the background of how we got here, we'll cover some of the risks of Chrome extensions, and we're also going to cover the plan and approach that we took to mitigate these problems. Originally there was some red team work done at Lyft, and we noticed Chrome extensions installed on different users' machines that we weren't too fond of, and that morphed into: how do we fix this at scale? This is a challenge for most companies. You have a lot of users used to doing things a certain way, and you're going to change it; you're going to take away their ability to install things, and that can cause some friction. So you want to get long-term support from leadership and have a good system for maintainability and ease of use.

Some of the popular risky extensions that we ran across looking through our user base fell into these three areas. I called these three out directly, but there are a bunch more out there. The first one is tools that do productivity help. They will ask for access to the user's calendar and email, and also share this data with third parties. Another one is going to be grammar and spell check tools. These things need access to all pages to read and change the page, and in a few cases they actually send what the users are editing or asking for help on to their third-party servers, which is a risk because it could be sending things like secure documents that you don't want outside of the company, with these free tools that are basically, I don't know, potentially selling the data for profit. Another area is promo extensions. These are sometimes installed maliciously and sometimes by the users. They can be used for things like getting coupons or promos on different websites, but sometimes these tools can do things like add tracking, phishing, malware and things like that, and these are very, very common; there are millions of installs on these.

This is an article that came out last year, and it covered a group of extensions that were found to be exfiltrating user history and then selling it. The actual research was called DataSpii. I'll go into what the tool did and how it was malicious. When the tool was first installed it didn't do anything; it took about three weeks, and then it would download a secondary payload, where it would base64 encrypt your history and ship it off to a third-party site, and then it would be set up on a member site where it was sold to people who wanted to find out what users were browsing. This is a list of extensions that was brought up in this research, but the one I would call out here is Hover Zoom. This is a tool that was used for, basically, you put your mouse over an image and it zooms it out to a larger size, and even though that was a small amount of work that it needed to do, it asked for a bunch of permissions to do the malicious actions it set out for.

This one here is very recent. There was a researcher who worked with Duo, through the CRXcavator system, and found a number of extensions that were bad. They found out eventually that this was affecting millions of users, and Google eventually found 500 extensions in total that were doing this malicious work. These extensions were doing things like redirecting to malware sites, phishing, stealing histories again, and once this was found and brought out and released, they had removed all of these malicious extensions from the Chrome Web Store.

This you might be aware of: when you install an extension, it shows you which permissions it needs. In this one the extension is a new tab picture, but it asks for access to different sites, including the Google domain, and also the ability to read your history and manage your apps and extensions.

This is an example of what a manifest JSON looks like. This is a file within an extension, and these are all of the requests it has for the Chrome API. tabs: from a security point of view, one of the things it can do is pull out the sites that each tab is on, so you basically get your history. webRequest is an API that can be used to capture requests as they're leaving the browser, manipulate them, change them; that could be redirecting users to malicious sites. blocking is mostly probably used for ad blocking. This URL here is the pattern for all sites and all URLs. cookies, that's going to be all of your users' sessions. history is just calling out directly the history that the extension needs. One more thing about history: this can be a pretty big concern for most companies, because the parameters in GET requests, for example, might have PII within them. It could be pulling out password reset links, and then the data is being sold off to third parties. There have been cases where these things have been indexed in Google and have had problems, but in here it's the browser pulling it out and then reselling it.

We did a very unscientific sample study of the Chrome Web Store. We could have written a scraper, but we thought we might hit some rate limits, so instead we just went to the Chrome Web Store page, scrolled down for about two minutes, and then parsed the page for extension IDs. We got about 8,000 IDs, and then we ran those against the CRXcavator report tool, which we'll talk about in a second, and this is a breakdown of what those 8,000 extensions requested. So, some concerning things there.

This is the tool that we used, Duo's CRXcavator. It's very useful for getting an idea of what your extensions are doing and also what the users have installed. It has three parts. There's the CRXcavator Gatherer. This is an extension that you force install or push install into your users' browsers, and then it reports back to the site, and it gives you the ability to collect what's currently running on your users' machines. The admin console and API are going to give you a UI to see what users have installed and also do some configuration. The API is fully featured; it can pull anything you need from the data that's in there, and a common one that we did was: you give an email address as a parameter and you get a list of the extension IDs that the user has. You can also request extension reports and get the numbers from those, and that's the third part, extension reporting. They've created a risk system where there are points applied for different things, and there's an example of a now-removed malicious extension report. You get multiple versions, so you can quickly change between versions; you can view the source; you can also see how many ratings and installs they have, and based on those numbers it can give you different risk scores. You can kind of see: is this a popular extension, does it have low ratings, have only ten people installed it, is there a privacy policy, things like that. It also will show you a list of the permissions that are there, and this is just straight out of the manifest JSON, but they also give you the risk scores as well, so you can see what this extension is asking for and how serious it is.

So those are a couple of the concerns that you might have with different extensions. We only covered three different areas, but there are a lot of other ones out there that you might run into at your companies. Those extensions that are built for doing things with GitHub might give access to your source code if those were leaked. Your PMs could be using tools to do project management, and all of a sudden things like private projects end up with third parties. But we'll dive a little bit more into that in a second.

Sometimes when you install extensions, the first thing the extension does is ask for an OAuth grant. In this case it's an unnamed extension which does email productivity. Sometimes people want to be more productive, so they install an extension and they give access to all the data that their account has to this extension, so the extensions can do things like read all of the emails of the user, they can send emails, they can delete emails and do other things. In this case it also had access to your contacts; you can read them, edit them, delete them. In some cases we've seen them have access to even Google Cloud Project stuff, including access to your infrastructure. This is pretty concerning to us; we wouldn't want our contacts, calendars or org charts being exfiltrated to free extensions.

Something that most people don't read, because they want to have an extension installed right away, is the privacy policy. They're not going to read all the privacy policies; they just want to hit a button and then have a cat show up in a new tab. It's fast: I push that button, get it installed, I don't care. But if you actually read the privacy policy, which we did in a few cases just to have a better understanding of what these tools actually did, they talk about how they share your data, how they disclose it and who they disclose it to. So even if this free extension that you're not paying for is a great company and it secures everything, there's nothing to say that they don't get exploited and breached and then your data is compromised. But then when you look at what they're sharing it with, the third parties, those companies can also be breached or be potentially malicious. There are also times when companies will have loose agreements with other companies, like they can say that we sell things or we share things with our affiliates, and, you know, we shake hands and now we're affiliated, so I'm going to share all your data with my friend here, thank you. We're not always sure legally what that means, but it's concerning, because it's your company's data and these fully free tools have access to it. We wouldn't want someone to share your PII with outsiders.

Jumping to the plan. Sorry for that. Now that we have talked about all the problems with Chrome extensions, let's briefly talk about our plan for addressing them. On a high level, what that looks like is this: we start with gaining and improving visibility. It means you can't fix what you can't see, so you start with how can we see what your users are using. Exploring more into that, we define what's an acceptable risk for our enterprise and create a policy out of it. The next step is actually enforcing that policy, and after that, iterating on it based on input from stakeholders, all of this while reducing support and operations cost, because we are also working on streamlining the software users across the company when we do this. So this was what we had in mind initially, and obviously the first step is improving visibility. In our case that meant getting all the Chrome browsers into management. How do we see all the configs, all the extensions that the users have in their individual browsers? If you have G Suite and if you have Chrome OS devices, you're lucky; all of them are managed by default. Otherwise you would probably need to use some sort of endpoint management tool. It can be easy, if you're using a Windows environment or if you're using a Mac environment, to push out a policy that can be used to bring all the browsers in your fleet into management. That will also let you gain visibility into what extensions your users have installed.

This is a sample architecture for the whole workflow, like we just talked about. If we have a G Suite environment, you bring all of them into visibility using one of the methods that we talked about earlier. We pass all of that data into CRXcavator, which is the tool that Chris talked about earlier, which gives you a risk snapshot for each individual extension that you have installed in your company. The data from CRXcavator is then passed into some custom automation that we built in-house. The automation is two-part. The first part is Cartography. For those of you who do not know about Cartography, it's an open-source project by Lyft that essentially lets you visualize your infrastructure as graphs, and we open sourced a module for CRXcavator this year which lets you import all the data. We use Cartography because it lets us see the risk attribution, so which orgs within the company have the highest amount of risk, so you can go ahead and tackle them in the first place. It also gives you the ability to see the risk over time, so how many unique installs your users have at this point in time and how much risk; questions like that can be answered by Cartography. The other piece of automation was around getting the workflow smooth: if there's going to be a request and review workflow, can we give enough information for the reviewer to make the decision as quickly as possible, can we make it easier for the user to tie into the process. So all that information goes to your workflow tool; it can be anything, I won't argue. There's a caveat with this whole process: you don't have a direct API for extension management in G Suite, so you have to go through a bunch of hoops to accomplish this.

This is a blueprint of how we actually reduced the risk for our Chrome extensions. The earlier slide presented an overall architecture; this is the actual approach to reducing the overall risk within our company. We obviously collected a list of extensions that we had within the company after gaining visibility into the entire company, and then we had this policy of what is an acceptable risk for us. We also categorized them based on whether or not they had a business justification for keeping them, whether or not IT had contracts with the vendor, whether or not we had some kind of data privacy agreement with the vendors in place. We also looked at the risk score coming out of the CRXcavator tool that Chris mentioned earlier, and we recommended a list. We went to some of the teams that are high-risk and gave them all the details we had: how much support and operations cost can we reduce with this, how software can be streamlined with this project, how much risk can be reduced with this project, and all sorts of details of the ins and outs of the project. And then we partnered with the teams. We got leadership approval for the worst case scenario, in case there's a revolt. We just don't want to get the leaders on board but also the entire company, and we want everybody to feel like part of the process, so we give out comms early and often and let people have a say. We have automated the review process, like I mentioned earlier, from installation request to automatically declining the requests that have already been reviewed and disapproved. We automatically decline them, so that dramatically reduces the operational cost associated with this. If some fall through the cracks and come for manual review, we want to make the process as smooth as possible for the reviewer, with the risk category and the JSON, so in general we want to make the decision-making process easier for the reviewer if there is a need.

So what does that look like for an individual user? If you're a user trying to install an extension that has not been approved or that doesn't have a business use case, and you're visiting the Chrome App Store, you would see a pop-up like this, which would ask users to provide business justification for the particular extension that they're trying to install, and it comes back to the reviewer with all the information they need to make the decision, including business justification. We close these tickets out if the extension has already been removed, and whether or not certain risk thresholds are met, but that might be different from company to company. We implemented this policy: initially we implemented this on a thousand-plus employees within our company, and we were able to reduce the number of unique Chrome extensions by about 95%. This is in a very operational state, which required some legwork initially, but the operational overhead is very little now; we barely spend a few hours, and even less than that, maintaining this.

This is the approach that we took, but this is not the approach that you have to take. There are some different approaches that you can take for accomplishing the same thing, that is, reduction of the risk that's stemming from Chrome extensions. Some of those approaches are listed here. The first approach is disapproved domains. That means you can create a list of domains that you think are sensitive and you can block the extensions from being able to run on them, which means you can let users install whatever they want, but you have to create a list of domains that you find sensitive in your environment and just not let the extensions run on them. The other approach is disapproved permissions, which means you let users install whatever they want, but the extension cannot ask for certain kinds of permission. So if the extension asks for some kind of permission, it may not install on the device. Or you can follow the approach that we took, approving or blocking extensions. Each of these approaches has its own caveats. For example, for disapproving permissions, we felt like the permissions that we can block from the available list weren't comprehensive enough for us. So if we want to say we just want to block every extension that has a certain permission, we couldn't find it on the available list of options. Also, in an environment where you have a lot of SaaS tools or different tools that might contain sensitive data, keeping a list of disapproved domains might not be very feasible. So based on what kind of needs and requirements and risk appetite you have, you can use one of these approaches to reduce the risk.

To briefly summarize what we talked about: Chrome extensions have a lot of unknown risks that have not been reviewed in depth, particularly in an enterprise like ours. We uncovered a lot of issues, and then we had to dig down on what the risks from these extensions are, and there is a path forward to reduce all of these risks, and you can decide on what method to take based on what your risk appetite is and what fits best for you. Obviously this cannot be accomplished without support from your teams and leadership, so the way we did it was partnering with individual teams and getting their leaders and team members to buy in. These are some of the helpful links that we referenced in our talk today. The deck will probably be uploaded to the BSides website, so you might get a handle on this later. Unless we have any questions?

Thank you. [Applause]
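The manifest walk-through in the talk (tabs, webRequest, cookies, history and the all-sites URL pattern) and the three enforcement approaches near the end (disapproved domains, disapproved permissions, approve/block lists) can be exercised in a small triage script. The following is an added Python example and is not code from the talk, from Lyft, or from CRXcavator: the permission weights are a constructed toy score (not CRXcavator's model), and the sample manifest and sensitive-domain list are constructed for the example. It parses both Manifest V2 `permissions` and V3 `host_permissions`, plus `content_scripts` matches, since a content script reads pages just as a host permission does.

```python
"""Triage a Chrome extension manifest for the permissions the talk calls out.

Added example. Weights, sample manifest and domain list are constructed here;
the scoring is a toy, not CRXcavator's model.
"""
import json
from dataclasses import dataclass

# Constructed weights for API permissions discussed in the talk.
PERMISSION_WEIGHTS = {
    "history": 40,            # full browsing history, incl. URL parameters that may carry PII
    "cookies": 40,            # every user session
    "webRequest": 30,         # observe/modify requests leaving the browser
    "webRequestBlocking": 20, # usually ad blocking, but can also redirect
    "tabs": 20,               # URL of every open tab: history by another route
    "management": 30,         # manage other apps and extensions
}
# Host patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) from an MV2 or MV3 manifest."""
    api, hosts = [], []
    for p in manifest.get("permissions", []):
        (hosts if ("://" in p or p == "<all_urls>") else api).append(p)
    hosts += manifest.get("host_permissions", [])   # MV3 moves host patterns here
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])              # content scripts also read pages
    return api, hosts


def pattern_matches_host(pattern, host):
    """Match a Chrome match pattern (scheme://host/path) against a hostname."""
    if pattern in ALL_SITES:
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):                  # "*.example.com" also matches example.com
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host == host_part


@dataclass
class Triage:
    name: str
    score: int
    findings: list


def triage_manifest(manifest):
    """Score a manifest and list the reasons, the way a reviewer would want them summarised."""
    api, hosts = split_permissions(manifest)
    score, findings = 0, []
    for p in api:
        if p in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[p]
            findings.append(f"{p} (+{PERMISSION_WEIGHTS[p]})")
    all_sites = any(h in ALL_SITES for h in hosts)
    if all_sites:
        score += 40
        findings.append("access to all sites (+40)")
    if all_sites and "webRequest" in api:           # the combination is worse than either alone
        score += 20
        findings.append("webRequest on all sites: can read or redirect any request (+20)")
    return Triage(manifest.get("name", "<unnamed>"), score, findings)


def blocked_permission_hits(manifest, blocked_permissions):
    """'Disapproved permissions' approach: requested permissions that fall on the blocklist."""
    api, hosts = split_permissions(manifest)
    requested = set(api)
    if any(h in ALL_SITES for h in hosts):
        requested.add("<all_urls>")
    return sorted(requested & set(blocked_permissions))


def reachable_sensitive_domains(manifest, sensitive_domains):
    """'Disapproved domains' approach: sensitive hosts the extension's patterns would reach."""
    _, hosts = split_permissions(manifest)
    return sorted(d for d in sensitive_domains
                  if any(pattern_matches_host(h, d) for h in hosts))


# Constructed manifest modelled on the slide: a "new tab picture" extension asking for far more.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Pretty New Tab (constructed sample)",
  "version": "1.0",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "cookies", "history",
                  "<all_urls>", "*://*.google.com/*"],
  "chrome_url_overrides": {"newtab": "newtab.html"}
}""")
SENSITIVE_DOMAINS = ["mail.google.com", "wiki.corp.example", "github.com"]  # constructed

if __name__ == "__main__":
    t = triage_manifest(SAMPLE_MANIFEST)
    print(f"{t.name}: score {t.score}")
    for f in t.findings:
        print("  -", f)
    print("blocklisted:", blocked_permission_hits(SAMPLE_MANIFEST, ["history", "cookies", "<all_urls>"]))
    print("reaches:", reachable_sensitive_domains(SAMPLE_MANIFEST, SENSITIVE_DOMAINS))
```

Run against a directory of unpacked extensions, the same three functions give a reviewer the two things the talk says they need: a one-line reason list per extension, and a yes/no answer for whichever enforcement style the company picked.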