
managing the backend infrastructure, and I have published my research work at multiple conferences such as DEF CON US. Prior to joining SquareX I was part of Pentester Academy, spending my time with a lot of students around the globe, in Asia, through conferences and more. I'm also the author of PWS Pro. Next we have Alvin.

So, myself Alvin: I primarily work as a developer with SquareX, and my role generally involves working on our BDR solution and all the front-end stuff, basically.

So what exactly are extensions? Extensions are meant to extend the functionality of the browser, to make it easy and simple. For example Grammarly; I hope everyone would be using Grammarly for better drafting of emails and what not. And SquareX is a security solution that is supposed to go on the browser and provide you protection there, and we ourselves decided that we have to be a browser extension, because if you tell someone to install a piece of software to get better protection, the bar is a bit high; when it comes to an extension it is a single-click install. The moment you install it, you now have the permission to see what's happening on the page. Attackers know that consumers as well as enterprises will have a solution or an antivirus running, and that antivirus cannot take a look at what's happening on the page, due to which, if you have a malicious extension, it can sniff off the credentials any time you're entering your password, or take them and send them to a backend. They don't have to make any API calls; there is no server involved as long as what they are doing is good enough, and they can go ahead and serve malicious ads and do quite a lot of things.

So if you take a look at the extensions, all the big players, such as password managers, everyone is again so easy to install. While we were running SquareX, what happened was that over 20 plus attackers reached out to us to purchase our extension. What ends up happening is that a lot of developers will be monitoring which are the popular extensions on the Chrome Store, and then they'll try to reach out to the developer, and a lot of these guys would be doing this under the radar; they might end up selling their extension to an adversary. Now in the next version of the extension there will be malicious code that is in, and all of those devices already have the browser extension running, so the upgrade is pretty silent and users aren't even prompted for anything unless the extension is asking for more privileges. This way the users of an extension base will be served with, let's say, advertisements, and they will be having a side effect such as their credentials might get stolen.

So to provide some numbers: a published study found that over 280 million extension installs happened within the course of three years, that is 28 million people were impacted, and due to which a lot of them would be served with some ad network which would in turn lead them to some malicious website; similarly a lot of their credentials would have been sniffed and put on the dark web. And out of these 280 million impacted, 75 million were impacted by just 32 extensions, and that speaks to the volume of it. So the Chrome Store as well as the other stores have a review process, but at the end of the day there will be some loophole in the system which attackers can exploit, and it takes a while for all of these extensions to go down once the reporting happens. But the fact of the matter is someone has to do the reporting; if no one reports, the extension will be there and it will keep on sniffing the user credentials as well as what the user is doing.

So before we take a look at how a malicious extension works and what damage it can cause, we'll first understand the structure of an extension and how they work.

So like my co-presenter was saying, before we dig deeper into how extensions are able to do all this nasty stuff, we need to understand how an extension works and a little bit of how the browser deals with extensions. Okay, so if you Google and try to figure out how to set up a basic extension, this is the structure that you'll end up with. Has anyone here worked on extensions, or maybe
created a sample extension at some point? Okay, cool. So an extension has mainly four parts. First you have a manifest file; it's a JSON file, and this is where you give the full config of the extension. This is where you put all the assets that are required by the extension and the permissions required by it, and all that stuff, like the name of the extension, the logo; all of that goes into the manifest file. Then we have the service worker. This is basically a background script that runs, which the extension communicates back and forth with. Now the content script: this is the script that is actually injected into a web page. Let's say Grammarly, for example: when you go to any page, what Grammarly does is it gives you a small popup in all your input boxes, right? How it does this is it scans through all your input tags and injects this, and this is done through content scripts. Also, let's take Grammarly as an example again: if you click on the top there's a Grammarly icon, and when you click on it a popup pops up, right? That is done through the popup HTML. And in certain cases some extensions have their own pages which you can interact with, but mostly it's the popup HTML.

Okay, now how are permissions managed in a Chrome extension? So like I said earlier, every permission required by the extension is put inside this manifest.json file. So let's say, I think it's easier to explain like this: this is an example, but I'm not asking for any specific permission. The only other thing I'm seeing here is I have a content script in my script.js file, and this content script would be injected in all the web pages that match this particular wildcard. Okay, now this gets tricky here. So let's say I'll take this example; what happens here is you have the content.js file but I'm saying let's run it everywhere, like Grammarly is doing. Now you have basically given the extension access to all the websites that you visit, and the thing is, it did not even ask for a permission; I haven't specified any permission in the manifest file anywhere.

And I have an example of a full manifest file. This is the V3 which is currently being used; there was a shift at one point from V2 to V3, the reason being that the way the permissions were managed in V2 was a bit tricky, and later we migrated to V3. So if you look at the way the permissions are managed, you have at the top a permissions key in which you put what permissions the extension has access to. These kind of correspond to certain Chrome APIs; basically the browser exposes some APIs to the extension, for example in this case the tabs, the bookmarks, and in certain cases even the cookies. So if an extension has asked for the cookies permission, the extension has access to all the cookies that you use. Okay, this is a stat: if you look at the third one in the stats you see all_urls. Most extensions have this permission even though they might be used only on certain websites; the thing that happens is we end up giving them too much permission.

Okay, the second point I want to convey is how the browser manages all this stuff. The browser is not running as one single process but as multiple isolated processes. So there is an individual process for the browser, which is called the browser process; this handles all your network requests, the accesses to your file storage and all that stuff. And each of the tabs that you open, the view that is rendered, is governed by the renderer process. So the renderer process and the browser, network and all this stuff are running as two different isolated processes, and extensions also have their own separate isolated world. The reason we are doing it like this is basically for two reasons. One is from a security standpoint: since they're isolated and running in two different isolated worlds, we have limited interoperability between them, so how they communicate is usually only through IPC. And one more thing is that when you open a tab, each tab in a browser is its own different renderer process. Why this is done is because, let's say one of your tabs just crashed; your full renderer process should not crash, so each tab is a different renderer process. Now you might have a question: what happens for an iframe? An iframe is a different frame inside a tab, and in this case also each iframe itself is a different renderer process, so in that case also it is isolated from the rest of the website.

Okay, now if you look at this, the page script is where the actual JS of that website runs, and the content script is the script that is injected by the extension; that also runs in its own isolated world, but both of them have direct access to the DOM, so they can read the DOM and write directly to the DOM. And how the extension communicates with the content script is via message passing, like a simple IPC. Another thing is the extension also has access to certain browser APIs, for example the cookies API, the tabs API like I said earlier, and a lot more. This is something I already mentioned earlier, but the content script, along with injecting itself into the JS of the page, also has access to some very limited Chrome APIs.

Okay, now coming back to the last one, the service worker. The service worker cannot directly inject anything onto the web page; it does this through communication with the content script. Let's say you want to dynamically inject some text into a web page based on something you get from an API. What we generally do is make the API call in the service worker and send that as a message to the content script, and the content script injects it into the web page. Now the thing about the service worker is it has access to all the Chrome APIs: like I said earlier, the tabs, the bookmarks, the cookies APIs, all of this is directly accessible by the service worker based on the permissions that it is asking for.

Okay, we'll move on to a small demo here. We'll show multiple demos today, but this is kind of the most interesting one, the reason being it is the easiest to do and it does this with minimal permissions; we only need the permissions to run the content script, we don't need much permissions to run this.
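What the manifest explanation above boils down to, as an added example that is not code from the talk or from SquareX: a small script that reads a Manifest V3 object and reports the broad host scope and the sensitive API permissions the speakers warn about. The severity labels, the list of permissions treated as sensitive and the two sample manifests are this editor's constructions, not a Chrome-defined classification.

```javascript
// Added example (not from the talk or SquareX): a static check that reads a
// Manifest V3 object and reports what the talk warns about: content scripts
// matching every site, broad host_permissions, and sensitive API permissions.
// The "sensitive" list and the severity labels are this editor's choices.

const SENSITIVE_PERMISSIONS = {
  cookies: "read/write cookies of any host covered by host permissions",
  history: "read the full browsing history",
  bookmarks: "read and modify bookmarks",
  downloads: "start downloads and read download history",
  webRequest: "observe every request the browser makes",
  declarativeNetRequest: "rewrite and block requests",
  management: "list, enable and disable other extensions",
  tabs: "read URL and title of every open tab",
  scripting: "inject scripts into pages at runtime",
};

// Match patterns that effectively mean "every site". "<all_urls>" is the
// special pattern; the others are wildcard scheme/host patterns that amount to it.
const ALL_SITES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isAllSites(pattern) {
  return ALL_SITES.includes(pattern);
}

function assessManifest(manifest) {
  const findings = [];

  // 1. A content script with a broad "matches" runs on every page the user
  //    visits without any entry in "permissions", exactly the case the talk shows.
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (isAllSites(pattern)) {
        findings.push({ severity: "high", key: "content_scripts.matches", value: pattern,
                        reason: `content script ${(cs.js || []).join(",")} runs on every site` });
      }
    }
  }

  // 2. host_permissions decide which origins the privileged APIs apply to.
  for (const pattern of manifest.host_permissions || []) {
    if (isAllSites(pattern)) {
      findings.push({ severity: "high", key: "host_permissions", value: pattern,
                      reason: "API permissions apply to every origin" });
    }
  }

  // 3. API permissions. Optional ones are rated lower here only because they
  //    need a later prompt; the talk's Q&A explains why that prompt is weak.
  const declared = [
    ...(manifest.permissions || []).map((p) => [p, "permissions"]),
    ...(manifest.optional_permissions || []).map((p) => [p, "optional_permissions"]),
  ];
  for (const [perm, key] of declared) {
    if (perm in SENSITIVE_PERMISSIONS) {
      findings.push({ severity: key === "permissions" ? "medium" : "low",
                      key, value: perm, reason: SENSITIVE_PERMISSIONS[perm] });
    }
    if (isAllSites(perm)) { // MV2 style: host pattern inside "permissions"
      findings.push({ severity: "high", key, value: perm, reason: "host pattern covering every origin" });
    }
  }

  const high = findings.filter((f) => f.severity === "high").length;
  return { verdict: high > 0 ? "review before install" : "scoped", findings };
}

// Constructed sample manifests (not real extensions) to show the difference.
const scopedManifest = {
  manifest_version: 3,
  name: "example-scoped",
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["content.js"] }],
};

const broadManifest = {
  manifest_version: 3,
  name: "example-broad",
  permissions: ["cookies", "storage"],
  optional_permissions: ["history"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

for (const m of [scopedManifest, broadManifest]) {
  const r = assessManifest(m);
  console.log(m.name, "=>", r.verdict);
  for (const f of r.findings) console.log("  ", f.severity, f.key, f.value, "-", f.reason);
}
```

The check deliberately treats a broad content_scripts match as the highest severity, because it is the one scope that needs no entry under permissions at all, which is the point made above about the content.js example.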
So here we are visiting a simple Zoom page, and you might have seen that the extension is currently turned off; this just looks like a normal Zoom page, there's nothing going on, just normal. Now we go back to our extension, we turn it on, and we come back to the Zoom page. You might notice that there is one minor difference: there's a popup here. Okay, and it looks completely normal to everyone. Now the problem is this popup is injected by our extension, and we have highlighted it for you, but if we did not highlight it, it would look completely normal. Now the user goes ahead, he clicks on update, he's like, oh, maybe there's a Zoom update, I'll just update; he just downloads the file and he just goes ahead and installs it. Now the interesting part is, even if you look at the URL it looks completely normal, right? Like, okay, zoom.us, nice, and you just install.

Cool, that is pretty easy to do. Now if you look at the URL, I'll also explain how we did the URL part. So there is something called blobs, which is like a form of file. We can do this without any API calls in the background; this download was done completely without any API calls in the background. The only thing we need to do is package the malicious code along with the extension, let's say we put it as base64, and we create a blob out of it. Now there's something called a blob URL; this is like a pointer to the blobs that we create. We create a blob URL, then we just trigger a download, and all of this can be done in the content script. Now from outside, let's say we have an EDR solution, something that looks at the download; it feels like the download is actually triggered by the website and not by the extension. Nobody knows that the extension was even involved, because the extension is actually working in the context of the page.
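The blob download described above, reconstructed as an added example; the talk does not show its demo code and this is not SquareX's. The bundled payload is a constructed harmless text file, the file name and the injectable fake document are this editor's assumptions, and in a real content script the blob: URL would carry the page's origin, which is the point the speakers make.

```javascript
// Added example (not the talk's demo code): how a content script can turn a
// payload bundled with the extension into a download that appears to come from
// the page. The base64 payload is a constructed, harmless text file, not an
// installer; the file name and the fake document are this editor's assumptions.

// Constructed payload: the bytes of "hello from the extension\n" as base64.
const BUNDLED_PAYLOAD_B64 = "aGVsbG8gZnJvbSB0aGUgZXh0ZW5zaW9uCg==";

// Decode base64 into raw bytes. atob() exists both in content scripts and in Node.
function decodeBase64(b64) {
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Wrap the bytes in a Blob and mint a blob: URL. In a content script this URL
// carries the page's origin (blob:https://<page-host>/<uuid>), which is why a
// download watcher sees the site, not the extension, as the source. Under Node
// the same call yields blob:nodedata:<uuid>.
function makeBlobUrl(bytes, mimeType) {
  const blob = new Blob([bytes], { type: mimeType });
  return { blob, url: URL.createObjectURL(blob) };
}

// Trigger the download the way a page would: an <a download> element that is
// clicked programmatically. The download attribute is honoured for blob: URLs
// because they are same-origin with the page. `doc` is injectable so the flow
// can be exercised without a browser.
function triggerDownload(url, filename, doc = globalThis.document) {
  const a = doc.createElement("a");
  a.href = url;
  a.download = filename;
  a.hidden = true;
  doc.body.appendChild(a);
  a.click();
  a.remove();
  URL.revokeObjectURL(url); // the blob is not needed once the download has started
  return { href: url, filename };
}

// Whole chain: bundled base64 -> bytes -> Blob -> blob: URL -> download,
// with no network request and no extension API involved.
function dropBundledFile(doc) {
  const bytes = decodeBase64(BUNDLED_PAYLOAD_B64);
  const { url } = makeBlobUrl(bytes, "application/octet-stream");
  return triggerDownload(url, "update.txt", doc); // file name is an assumption
}

// Minimal fake document so the chain can run outside a browser; it records
// every click on an anchor it created.
function fakeDocument(clicks) {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    body,
    createElement(tag) {
      return {
        tag, href: "", download: "", hidden: false,
        click() { clicks.push({ href: this.href, download: this.download }); },
        remove() {},
      };
    },
  };
}

const demoClicks = [];
dropBundledFile(fakeDocument(demoClicks));
console.log("download triggered:", demoClicks[0]);
```

The caveat for anyone building detections from this: the only observable artefacts outside the renderer are a download whose referrer and blob: origin belong to the page, so the place to catch it is inside the browser (the extension's content script activity), not at the file or network layer.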
Okay, basically the mark of the web is an identifier that is added any time you download a file on Windows; in this case the mark of the web will be of zoom.us. So if you go back here, the mark of the web will say blob:https://zoom.us, so there is no way for an EDR solution to figure out that, oh, this was an external file download that is happening. And that's the power of an extension: as long as you're in the browser you can control everything that the external process might be seeing; you can just fabricate some of this information to make sure that you are persistent enough in the system.

Now moving on to the next demo. We've been talking about permissions quite a lot; now what exactly are permissions? With permissions, basically, think of it as you're giving permission to someone to access your browser history, and that someone is the extension. So with an extension we can define, let's say, the history permission, which gives the whole browser history; similarly there's a permission called cookies which can allow an extension to read all of the cookies. Has anyone used an extension called EditThisCookie? Okay, yeah, so it's one of the popular extensions; even I myself use it to just get the cookie value, and that uses a permission called cookies. Similarly we have a lot of other extensions which help you send HTTP requests right from the browser extension, and those extensions would be requiring access to declarativeNetRequest or webRequest in order to do that.

So this is a very simple demonstration of how an extension with permissions can read some of the information. Here, in this case, the extension has permission to bookmarks, history, as well as downloads, and as you can see this can be a very privacy-invading extension, because this in a way tells what you are doing, and based on this information there could now be targeted attacks on you. Now if you go ahead and click on each of them, we'll just see information about the bookmarks, history, as well as downloads, and trust me on this, the browser history can reveal a lot of information, and suddenly you might see some advertisement specific to what you were looking for, and that advertisement can lead you into the hands of some nefarious actor. Now this was a very simple example of bookmarks, browser history and downloads.

Next we'll take a look at browser cookies. So once we enable the extension here, we can notice we have a list of all of the websites. Now if you click on the copy button, what will happen is it will copy over all of the cookies of your website, and then they can be set on another browser. Now what ends up happening is all of the major players, Facebook, Microsoft, Google, they have a check on the sessions, so any time you are using the same cookie from a different location or from a different browser they'll be able to flag that, again, a session hijacking is happening. But there's a window in which the attack can still happen; it's not immediate. So what we have noticed is up to 4 hours the session cookie might not trigger any alert, and this is because, again, these companies also have to make sure that you might be on a different network, you might be on a VPN, or you might have transitioned over your device or, you know, exported it onto a different device. So considering this there's a big window which can be leveraged by the attackers if they have access to the cookies.

So next is a very, very interesting one, and in this case we do not require any permissions. So like Alvin mentioned, if we have a permission which says all URLs, the content script can run on individual pages. So what we are doing here is: imagine you are on a Zoom call; now we can exfiltrate all of the session-related information such as your audio clip, your video clip, and exfiltrate it out. So that's exactly what we are going to do. We have a browser extension, and here we can notice the permissions tab has nothing in it, but now the moment we go to meet.google.com and create a new meeting (again, this is our principal security researcher), what we are doing is we are opening a new tab. So if you notice, on the left we have meet.google.com and on the right we have the Chrome extension web page. Now, without any impact on this site, we are able to exfiltrate the stream, and this we are doing right now in the extension, but this can be done to a remote server, and without anyone knowing we can simply go ahead and sniff out your audio as well as video stream. So imagine that now you're on a Zoom call and apparently you're talking to your boss or having some sensitive conversation; all of those can be leaked out very easily with the extension.

And what we have noticed in the whole enterprise security space is that a lot of companies restrict installation of extensions, but a lot of them do not, and especially since the AI boom a lot of employees are now trying to advance or enhance their productivity with extensions that can help them, and these AI-related extensions are malicious extensions in nature. So we'll come to a case study, if time permits, in some time.

Now this was one; this is another interesting one, where we go ahead and hijack an account. Now stealing the credentials, stealing the cookies is, I'd say, still
can still lead to some alerts happening on the server side, because let's say someone steals the credentials; people can figure out, oh, the location is different, the device is different. If someone steals the cookie the same thing happens, the location or the device is different. But what if I told you that with a browser extension we have a way that we don't have to take a look at all of this information, but we can simply add ourselves to the platform, because we are running as a browser extension, and any request that we make from the browser goes on behalf of the user. So this is one such example. Right now we have a user logged on to github.com, and we can notice PS demo is the user and we have one repository here, and there is no one in the repository as a contributor. Now what we can do is, the moment we enable the extension (we'll enable the extension), and now if you go back to the same repository, as you can notice something happened in the meantime, and a lot of times the user wouldn't notice this because it's happening in a fraction of a second. If you go back to the repository, now suddenly you'll see that a collaborator has been added. So this is basically the extension forging requests on behalf of the user, and websites such as GitHub, Facebook, no one at this point in time can detect that it was an extension and not the user, so all of those actions will go completely unnoticed, and this way anyone can remain silently within the organization. Now imagine that if an attacker adds themselves to a GitHub organization of an enterprise, all of the source code, everything is with them.

And one of the big attacks we saw recently was on GitHub. What attackers did was they tagged the developers, and then a notification from GitHub was sent to those developers; the developers went to the link, and there was a phishing link which gave the attackers access to the token of the user, so it was an OAuth-based attack. Now the moment the developer authorized that application, that application had access to the developer's GitHub account, which in turn gave them access to the enterprise repository; the attacker then deleted all of those repositories and then asked for a ransom. Now imagine how easy it is to do with such an extension.

Now coming to the last demo, and this is a very interesting one. So as a browser extension we can figure out what all extensions are present on the device. What we do here is we have the 1Password extension installed, and currently our extension is not enabled. We go to HubSpot, and if you take a look at the login page we'll see that there's a 1Password icon here. So another extension can pick up all of this information; it can figure out that, oh, some other extension has injected some script. Similarly, a lot of times extensions expose some of their public assets; a public asset here could be the image that is used by 1Password to show the icon on top. So all of this an extension can hit and figure out that there is the presence of 1Password. So once we know that there is the presence of 1Password, what we can do is, with our malicious extension (a second, we'll sign out in this case), next we'll enable our extension, and now our extension understands that there is the presence of 1Password. So what it will do is remove the official 1Password link, or the icon, and put a malicious one. The moment you click on it, it now takes you to the malicious extension's page, where we have replicated exactly what 1Password is doing: the login page, everything is the same. And most of the time users wouldn't even take a look at the URL to figure out, you know, this is not 1Password, but again it's the malicious extension that is there. So from a user's perspective, and to be honest, it's very difficult to remember the extension ID, so they wouldn't recall that, you know, this is not the 1Password extension ID, this is a third-party extension I had installed, and based on that they'll end up entering their credentials here, and now the compromise will happen. So here we enter the secret key as well as the password, and now effectively your 1Password account got stolen. So now we know that if your password manager gets stolen then it's the keys to the kingdom, right? And a lot of times now we are storing the 2FA in applications such as 1Password, especially the enterprise ones, so a complete hack of the organization can happen this way. This is what we call a shape-shifter extension: it can figure out what all extensions are installed, it can figure out what is the most valuable or most critical extension to an organization, and shape-shift into that and effectively steal all the information.

Now similarly we had one more; this is a case study which is around the ChatGPT for Google extension. So there's an extension called ChatGPT for Google, an official one. What attackers did was they created the same one with the same name, but the extension itself was different. So here we can notice, again, it has over 1 million users, and it has over 7,000 users, and now they're leveraging the whole sponsored ad network. So what you can do is you can pay Google to have your extension, have your website come up on top, and all of those will appear under the sponsored section, and to be honest I never trust them, I'll just scroll down and actually visit the website. So what the attacker did was they went ahead and paid Google to have their link come up on top, and when the user searches for, you know, how to enhance their productivity, this is one of the first results they'll get. So they ended up downloading the malicious extension, and what happened was, this is an open source extension; on the right they took the same code base and they introduced some small thing here. So now what happens is, again it was a sponsored-ad-based attack; you install the extension, and the moment the extension gets installed there was a block of code that used to run, which was this one. So as you can notice we have browser.runtime.onInstalled.addListener; again, extensions are based on event-based hooks, so any time something happens we can hook into the event and trigger ourselves. So it gets triggered during the installation, and what it does at this point in time, if you notice on this line, it says browser and then we have cookies, browser.cookies.getAll, so it retrieves all of the cookies that are present in the browser and then figures out whether it was Facebook, which would be in the next slide. Yeah, so here it figures out whether the cookies are of Facebook, and then it simply goes ahead and creates an encrypted AES string, and that string is then exfiltrated out in an HTTP call. So this way, any time the extension gets installed it is effectively reading all of your cookies, it's figuring out which are the ones corresponding to Facebook, it picks those, encrypts them, and makes a simple API call. So with a very small modification, and as you can notice this is a very small block of code, they took the original extension, inserted this, and then hosted it. Now 7,000 users were impacted, or even more could have been impacted, and all of their Facebook accounts were being used; sadly these accounts were compromised and they were used to promote, you know, terrorism with ISIS banners and whatnot. And this is just an example of what happens with a malicious extension. We have actually seen a lot of data leaks dumped on the dark web which can only be possible if you have a malicious extension. Other ways, you know, a malware can be running which is logging all of the keystrokes, but again to have that level of accurate information, let's say username, password, what is, let's say, a key phrase, the security question, all of those is only possible with a malicious extension. Now
the question arises: how can we defend against browser extensions? So as a consumer, as well as an employee or someone who is managing the security of the organization, we need to go ahead and review the extension really well. Chrome Store reviews are not sufficient, because again they are meant for deliverability and scalability, so in the review process there might be some holes, which there are, and again as an admin, as a security team, as a consumer, we should definitely ourselves do a sufficient amount of review. So our recommendation is: take a look at whether the extension is in the featured list, whether it has over, like, 10 million users, whether it is hosted or served by a popular company. And in case you want to dig a bit deeper, we have a couple of static analysis tools: CRXcavator was a really good one; similarly we have ExtAnalysis, which will provide you static analysis results. At this point in time there is no dynamic analysis framework, and that is something SquareX has worked on and we'll open source it soon. In case you want to do a bit of dynamic analysis, you can start Chrome with a special flag, which is enable-extension-activity-logging, which will provide you detailed insights into what API calls an extension is making. Again, it's a lot of information, and that's where SquareX's solution will help in narrowing down on the nature of those API calls. And at the last, if you want to be a lot more cautious, you can build out an extension yourself, and with the management permission you can go ahead and disable other extensions. So you can have a small extension running and give it to your colleagues, or spread it within the company, which goes ahead and disables an extension if it doesn't match an appropriate number of checks. And always analyze the resources the extension is accessing; all URLs is dangerous, it's very, very dangerous. Similarly analyze the permission set as well, and be very aggressive in terms of, you know, the behavior of the extension. So if it is hosted, or if it is created by a developer and it is not backed by a company, you have to be cautious, because there's a risk that the extension at some point in time will get purchased, and in a future version malware is going to run on the browser and effectively steal all the information. Are there any questions?
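One way to narrow down an activity log the way the defense section suggests, as an added example that is not SquareX's tool and not code from the talk: group the records per extension, count the sensitive reads, and flag the install-time cookie read followed by an outbound request that the ChatGPT for Google case study describes. The records are constructed; the field names approximate the shape of chrome.activityLogPrivate entries and are an assumption, so real exports need mapping onto them before reuse.

```javascript
// Added example (not SquareX's tool and not the talk's code): triage over
// extension activity records. The records are constructed and the field names
// (extensionId, activityType, apiCall, argUrl, time) approximate the shape of
// chrome.activityLogPrivate entries; that shape is an assumption, so map real
// exports onto these fields before reuse.

// API calls that read the data the talk singles out. Editor's list, not Chrome's.
const SENSITIVE_READS = new Set([
  "cookies.getAll", "cookies.get", "history.search", "bookmarks.getTree",
  "downloads.search", "tabs.query", "management.getAll",
]);

// Constructed records, time in ms. Extension "aaaa" mirrors the case study:
// onInstalled fires, cookies.getAll runs, then a request leaves the browser to
// a host the extension has no business talking to. Extension "bbbb" reads
// cookies much later and never sends them anywhere; "cccc" only injects a script.
const SAMPLE_RECORDS = [
  { extensionId: "aaaa", activityType: "api_event", apiCall: "runtime.onInstalled", time: 1000 },
  { extensionId: "aaaa", activityType: "api_call", apiCall: "cookies.getAll", args: "[{}]", time: 1200 },
  { extensionId: "aaaa", activityType: "web_request", apiCall: "fetch", argUrl: "https://collector.example.net/up", time: 1900 },
  { extensionId: "bbbb", activityType: "api_event", apiCall: "runtime.onInstalled", time: 1000 },
  { extensionId: "bbbb", activityType: "api_call", apiCall: "cookies.getAll", args: "[{\"domain\":\".facebook.com\"}]", time: 90000 },
  { extensionId: "bbbb", activityType: "api_call", apiCall: "storage.local.set", time: 90100 },
  { extensionId: "cccc", activityType: "content_script", pageUrl: "https://mail.example.com/", time: 5000 },
];

// Hosts each extension is expected to contact; anything else counts as external.
// Constructed allowlist; in practice derive it from the vendor's documentation.
const KNOWN_HOSTS = { aaaa: ["api.vendor.example.com"], bbbb: ["api.vendor.example.com"] };

function isExternal(extensionId, url) {
  const host = new URL(url).hostname;
  return !(KNOWN_HOSTS[extensionId] || []).includes(host);
}

// First cut through the firehose: how often does each extension touch
// sensitive data at all?
function summarizeSensitiveReads(records) {
  const out = {};
  for (const r of records) {
    if (r.activityType === "api_call" && SENSITIVE_READS.has(r.apiCall)) {
      out[r.extensionId] = out[r.extensionId] || {};
      out[r.extensionId][r.apiCall] = (out[r.extensionId][r.apiCall] || 0) + 1;
    }
  }
  return out;
}

// Second cut: a cookie read followed, within windowMs, by a request to an
// external host, with a note on whether the read happened right after install.
function findCookieExfilChains(records, windowMs = 60000) {
  const byExt = new Map();
  for (const r of records) {
    if (!byExt.has(r.extensionId)) byExt.set(r.extensionId, []);
    byExt.get(r.extensionId).push(r);
  }
  const findings = [];
  for (const [id, recs] of byExt) {
    recs.sort((a, b) => a.time - b.time);
    const installs = recs.filter((r) => r.apiCall === "runtime.onInstalled");
    const reads = recs.filter((r) => r.apiCall === "cookies.getAll" || r.apiCall === "cookies.get");
    const sends = recs.filter((r) => r.activityType === "web_request" && r.argUrl && isExternal(id, r.argUrl));
    for (const read of reads) {
      const onInstall = installs.some((i) => read.time >= i.time && read.time - i.time <= windowMs);
      const send = sends.find((s) => s.time >= read.time && s.time - read.time <= windowMs);
      if (send) findings.push({ extensionId: id, onInstall, read: read.time, send: send.argUrl });
    }
  }
  return findings;
}

const demoChains = findCookieExfilChains(SAMPLE_RECORDS);
for (const f of demoChains) {
  console.log(`${f.extensionId}: cookies read${f.onInstall ? " at install" : ""}, then sent to ${f.send}`);
}
console.log(JSON.stringify(summarizeSensitiveReads(SAMPLE_RECORDS)));
```

The time window and the allowlist are the two knobs: the case study's sequence is tight (install, read, send), so a short window keeps the noise down, while a legitimate cookie tool like the one mentioned earlier shows up in the summary but never in the chain list because it does not send what it reads anywhere external.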
Yeah, with no permissions, but you were able to read the Google meeting. I wonder what a hacker can make out of this, like can they exfiltrate the meeting, or what can they do with the stream they captured?

Thanks. So yes, they can exfiltrate. In the demonstration we were showing just a window, but what can happen is, since a content script is running on the web page and we haven't asked for any permission, the service worker will still function; it is just that it's not going ahead and reading the information directly, it is communicating back and forth with the content script. So that stream can then be sent to the service worker, which in turn can make a fetch call, and that way again it can keep on sending the live call information as well as the audio stream that is currently there. So it can effectively siphon off all the conversation that you're having at this point in time. And the same applies to credential stealing: the content script will pick up the credentials, send them to the service worker, and now the service worker will make an external API call to exfiltrate that information out. Any other questions?

Those static analysis tools that you mentioned, how effective are they at detecting some of these attacks that you demoed?

That's a very good question. Unfortunately they won't be much help in this case, because the attacks we are doing are very dynamic in nature, and just by figuring out the permissions that are required it won't help that much. And that's where we went ahead and did a couple of talks around dynamic analysis of browser extensions; the tool is not yet open source, but we'll open source it soon, so that again we can detect such sorts of attacks from happening. There's one more question.

Yeah, great presentation. Quick question around malicious extensions: how quick are Google, Microsoft, you know, those stores at removing them, and do you guys report that to those stores?

We do, and it takes them a bit of time. So what we have seen in the best case is close to 6 hours: once we submit the report, they'll go ahead and review it, and a lot of it depends on the activity they are seeing on the Chrome Store. So what we do is our team will immediately go ahead and keep on spamming that "malware" or "don't install", so that at least the users of the extension are aware, and that's the best way to, in a way, prompt Google that a lot of people are reporting that something is wrong and you have to act fast. Otherwise the Chrome review process itself can take up to 6 to 24 hours, even if it is a P1 issue.

Thanks for the talk. So with the extensions, have you tested if there's any difference on other browsers, like Firefox?

So Firefox does not have some of the capabilities; similarly Safari has some, and does not have some, of the capabilities. So for example, for file downloads those APIs might be a bit restrictive, but the attacks that we demonstrated today with the content script, all of those are still applicable on all of the browsers. So the content script, the logic and everything exists, and it's pretty similar across all major browsers.

Just one other question with the extensions: if they want to update the permissions, does the user always get notified, or can they update it, like if they sell the extension?

So when it comes to permissions there are two sets of permissions: one is optional permissions, one is your regular permissions. So the moment you go ahead and ask for a regular permission, let's say at one point in time there was no additional permission but in a future version a new permission was introduced, at that point in time the extension will automatically get disabled on the user's browser, and then they manually have to enable it, because again during the upgrade a new permission was introduced. But now what attackers would do is they'll ask for an optional permission. With an optional permission the extension does not get disabled, and let's say when the user is doing something, at one point in time the user will be prompted: oh, this extension is requesting an optional permission, do you want to allow it? Now a lot of times people don't aggressively check what permission is being asked for; they'll simply click on it, and suddenly you see the extension is running with higher privileges. So these are multiple ways in which the permission requirement can be fulfilled with the upgrade.
That's a very good question. So to be honest, all of them are at risk in the same way, so if you want to transition back to Internet Explorer that might be a good idea, but apart from that, again, all of the extensions are at similar risk. And innovation has pros and cons, right? It adds quite a lot of value, such as Grammarly; it makes it super easy. But again, where there's a pro there will always be some negatives, and this is something I hope the industry is able to accommodate very soon. So to help this out we have SquareX, which is a BDR, browser detection and response, solution, and we are doing exactly this: by remaining on the browser we can figure out what's going wrong and prompt the user, prompt the employer, the organization about the risks that are there, and in a way try to control the damage that an attacker can do. Okay, thank you so much everyone, I hope everyone