Disabling Chrome Extensions

Wednesday, August 5, 2015 @ 07:08 AM gHale

Chrome fixed a problem with its browser that could allow an attacker to disable extensions without any user interaction, a researcher said.

The issue could pose a problem because some extensions give a boost to the browser’s security, said Mathias Karlsson, a web security researcher at Detectify Labs, who used the case of the HTTPS Everywhere extension in his proof of concept.

Row Hammer Exploitable via JavaScript
Security Appliance Holes Fixed
Red Hat Patches Vulnerabilities
Mobile IE Zero Days

The attack uses the Chrome extension URI, a special URL scheme employed by the Chrome browser that looks like: chrome-extension://gcbommkclmclpchllfjekcdonpmejbdp/

Accessing this URL corrupts the (HTTPS Everywhere) extension, shutting it down.

Because of this, the Chrome team made it impossible for the browser to even load this URI scheme inside a link, image, or any other page element.

This move has prevented attackers from using this method for tricking users into disabling their (security) extensions, unaware of what they were really doing.

Karlsson, though, found a way around this safeguard by using the “ping” attribute inside a regular link. The code looks like this: [CODE][/CODE]

Adding this to your links will automatically disable the extension with the “gcbommkclmclpchllfjekcdonpmejbdp” ID when the user clicks that link. Of course, you can use any IDs you’d like in order to disable the extensions you want.

Karlsson also triggered user clicks automatically using JavaScript, which ends up executed on page load.

This means that an attacker can disable a list of Google Chrome security extensions when users access their site, allowing them to carry on their attacks unhindered, without the user being aware, or having to do anything.

Chrome officials are aware of the issue and they fixed it in their most recent Beta release.

Click here to see Karlsson’s proof of concept.