Chrome Extensions Hit Users

Tuesday, January 16, 2018 @ 09:01 AM gHale


Over half a million users worldwide ended up infected by four Chrome extensions, researchers said.

The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, according to ICEBRG, a network security analytics company that offers a SaaS capability.


Researchers found the malicious extensions after noticing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG said in a post.

The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated by a Chrome extension named Change HTTP Request Header.

While the extension itself does not contain major malicious code, the researchers discovered two items of concern that could result in the injection and execution of arbitrary JavaScript code via the extension.

Chrome can execute JavaScript code contained within JSON. Due to security concerns, however, extensions are not allowed to retrieve and evaluate JSON from an external source by default; an extension must explicitly request that capability via its Content Security Policy (CSP).

Once the permission is enabled, the extension can retrieve and process JSON from an externally controlled server, which allows the extension author to inject and execute arbitrary JavaScript code in the browser whenever the update server answers a request.

What ICEBRG researchers found was the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’, via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting the execution of the infected segment if such tools were detected.
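As an added example (not code from ICEBRG or from the Change HTTP Request Header extension), the JavaScript below audits a Manifest V2 extension's `content_security_policy` for the `'unsafe-eval'` setting that lets fetched "JSON" run as code, as described above, and parses an update response the way an `update_presets()` routine should: as data only, never through `eval()`. The manifest and preset samples are constructed; the preset field names are assumed.

```javascript
// Split a Manifest V2 CSP string into { directive: [sources...] }.
function parseCsp(cspString) {
  const directives = {};
  for (const part of cspString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Return findings for the manifest's CSP; an empty list means no concern.
// With no content_security_policy key, MV2 defaults to script-src 'self'.
function auditExtensionCsp(manifest) {
  const findings = [];
  const csp = manifest.content_security_policy;
  if (typeof csp !== "string") return findings;
  const scriptSrc = parseCsp(csp)["script-src"] || [];
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': fetched data can be executed as code");
  }
  for (const src of scriptSrc) {
    if (/^https?:\/\//.test(src) || src === "*" || src.startsWith("*.")) {
      findings.push("script-src permits remote scripts from " + src);
    }
  }
  return findings;
}

// Treat an update response strictly as data: JSON.parse never executes
// code, and the parsed value is checked against the expected preset shape
// (name/header/value are assumed field names). Returns null on any mismatch.
function loadPresets(responseText) {
  let data;
  try { data = JSON.parse(responseText); } catch (e) { return null; }
  if (!Array.isArray(data)) return null;
  const wellFormed = data.every(p => p && typeof p.name === "string" &&
    typeof p.header === "string" && typeof p.value === "string");
  return wellFormed ? data : null;
}

// Constructed samples: the weak manifest setting beside the hardened one.
const weakManifest = { manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" };
const hardenedManifest = { manifest_version: 2,
  content_security_policy: "script-src 'self'; object-src 'self'" };
```

Run against a manifest with `'unsafe-eval'` present, `auditExtensionCsp` reports the finding; a response that is executable JavaScript rather than a preset list is rejected by `loadPresets` instead of being run.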

After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.
