A Chrome extension that intercepts all form submissions on all websites
blog.asdfx.usI changed the Chromium browser (as a masters project) to intercept suspicious extension actions like inserting elements etc and to alert users of what the extension is attempting to do. Using this proof-of-concept browser would have helped you debug your ad injection problem!
https://cypher.codes/writing/intercepting-suspicious-chrome-...
- Note: my project specifically tries to protect users from Facebook hijacking and ad injection attacks - the two most common attacks on the CWS!
Thanks for this! (Also, you have the coolest last name)
Related story...
I once worked on a price comparison plugin and Firefox is very strict about what your plugins are allowed to do. They review each one and have some strict rules: like you can't load and execute Javascript from the web.
Most of our competitors just sent every URL you visited to their server. We wanted to be better than that since that is an obvious privacy issue.
So we made all our plugins (IE, FF, Chrome) download a whitelist (regex array) of shopping domains our search engine supported and it would only make API calls to our server if it matched that list AND you were on a product page.
Had the added benefit of reducing our server load too.
The server still gets a list of every page you visit on eCommerce sites but better than on all sites.
Which extensions send every URL you visit to remote servers?
Too many
Examples?
Not sure what the fuss is here, the permission is literally called "Read and change all your data on the websites that you visit". It should be obvious what it can do.
Seems like there should be some additional protection in the extensions API, if there is not already. "Read and change all your data on the websites that you visit" vs. "And send it somewhere over the web" are two separate layers of permission.
Footnote: I can't visit the page. Blocked by corporate.
Since extensions can inject arbitrary js, there isn't really a way to be that granular.
You could, for example, exfiltrate data by injecting an image tag with some extra url parameters on the url. Doesn't have to be xhr or websockets.
I don't see why that couldn't be sandboxed.
"Send and receive data from anywhere on the internet"
Image doesn't load if you don't accept. Same goes for any tag or function that accesses external URI's.
Perhaps. I don't know browser internals well enough to know if they could backtrack all the various possible indirections. Hijacking already existing code, like Google analytics code on the page, for example (change the ga id).
If the extension has permission to manipulate webpages, then the extension could inject code (or an image element, etc) into any open webpage to make the webpage do the request for it.
That wouldn't affect it any differently than non-injected code. No external URI loading would occur from code sourced from an extension.
What happens if an extension injects a script tag into the page with code to wait a second and then add an image element into the page? The code would be running outside of the extension's isolated world as normal code within the page. (There's many ways like this to trigger code to be evaled through the DOM API, and a lot of extensions depend on the ability to do this so they can interact with the page's javascript values.) The system could be made to remember that code spawned from an element inserted by the extension is still associated with the extension and its permissions, but then there's a lot of possible interactions that can get hairy from there.
If we assume that any code parsed from eval (and equivalent functions) inherits the association of the code eval was called from, then if the webpage defines a function like this:
Then the extension can inject a script tag that calls runAfterOneSecond but passes it a string (which setTimeout evals internally) that contains code to inject an image. If that eval'd code is supposed to retain the association with the extension, then that would have to be tracked through the string. Do all strings now require an association field? What if the page code creates a new string based on that string? Does that new string get the association too? What if two strings associated with different extensions are combined? Do the associations get combined so that any code created from the string (or created from anything created from that string transitively) has the union of all of their security limitations?function runAfterOneSecond(fn) { setTimeout(fn, 1000); }If instead of tracking the associations of values, you tracked whether the extension was on the call stack at the time of code being parsed, then you're out of luck there too. Imagine a page with the code `eval(getCode())`: if the extension overrode the getCode() function, then it could get the page to eval whatever it wanted. Certain popular web frameworks often eval code from the DOM (think inline templates), so it would be easy to write a more generic attack to have the extension stick some code into the DOM formatted in the specific way that the web framework recognizes so that it will eval and run it later.
And even if you did manage to successfully restrict extensions from network requests, you'd end up with an extension that can't ever add elements to the page or manipulate elements that reference any external content. You couldn't make an extension for previewing an image on link hover. You could only add a button with an icon on it if that icon was an inline data uri. You probably couldn't reuse classnames from the page's css that referenced a remote background image or font. I would expect that nearly all page-interacting extensions would request the network permission just so they could get anything done. Chrome probably wouldn't spell out that permission in the permissions dialog (instead grouping it into the "Extension can read and change your data on all sites you visit" line) because of how common it was. ... And then they probably wouldn't go through the huge amount of effort and redesigns to support that permission in the first place.
I don't know enough about the chromium security model to validate your assumptions. I'm speaking more as an API, this is what it should do.
Presumably the implementation would have a mechanism for tracking injected code and treating modified code as suspect.
it's more the automatic silent updating that's the problem
people sell their high value extensions, then the new owners load them full of malware
chrome doesn't let you turn the updating off... I have previously resorted to removing update URL from the extension manifest manually...
Yes, this is the major issue. Authors also can sell their extension, then re-publish their own non-malwared version as an alternative, then just keep doing it over and over again.
I wrote some scripts to provide version pinning (just automates the manual editing of the manifests) but then you have to consider critical vulnerabilities in things like the LastPass extension where you absolutely want updates ASAP. So then you either have to have a curated extension list or maybe just separate extensions into "trusted" ie provided by reputable businesses as part of their product (lastpass, okta, etc) and "un-trusted." Even then, if the malware isn't in your face, you have no idea if the pinned version of your un-trusted extensions is actually non-malicious without auditing the code.
the fuss isn't so much that the permission is labeled wrong. its that the permission exists and theres no middle ground. I was trying to install an extension for pinboard a few weeks ago and it asked for the same thing. so of course i didn't install it. but its pretty lame you can't limit the scope.
My point exactly. Who would have thought that giving an extension permission to read and change all your data on website you visit would give the extension power to read and change all your data on website you visit.
most people who understand sandboxing would sooner assume that its bad copy text rather than believe google would allow literally anything anywhere.
Extensions (with permission to a domain) can inject elements and javascript into webpages, and javascript running in a page can use the DOM APIs (the same APIs that a webpage's own code uses) to see what's on the page, including form content.
Chrome extension sandboxing is mostly about controlling what webpages an extension can manipulate, not so much about how it can manipulate it. It's not obvious that there is a better sandboxing solution for the general case. (There are possibilities for specific uses though: Safari has APIs for extensions to use set up regexes to block images/ads without needing permission to run arbitrary code on sites.)
i can't speak for everyone, but if i could get a permission that was bookmarks/url only i would be pretty happy.
There's bookmarks and history permissions available: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/ma...
Read is not the same as send to external server. this is a big deal. it makes phishing incredibly easy and impossible to detect.
The ability of extensions to log form data to external servers allows for massive potential abuse. Not sure why Google would allow it. I imagine millions of logins have been stolen this way.
Most extensions of any usefulness require these 2 permissions. How else would something like adblocking or a login manager work?
An adblocker is a good counter-example: it could work with an API that tracked the page changes and stopped e.g. JS or images inserted by the extension from loading. Even when editing the DOM, it has no need to load anything externally. Sounds possible, but I'm not sure how big the overhead of extending the DOM like that would be.
You probably could still create interactions with on-site JS that leak data sometimes, so it wouldn't be perfect, but that's page-specific and a lot more work.
That would break a sizable amount of the web, eg, Youtube embeds.
How would an optional feature, for extensions only break the web? I'm not talking about changing the security policies in general.
I only heard about this a few week ago and I thought I was up-do-date on internet security. It may be obvious to others, I had no idea an extnetion could do this. This means it can steal you login like phishing but without a spoof URL. I now disable all extensions when logging into important websites
Another thing you could do is use incognito mode, which disables extensions by default.
http://www.tomsguide.com/faq/id-2384484/enable-disable-chrom...
the problem with incognito is that it does not always clear the cookies when you close it
Did you report the malicious extension? Its still available from the Chrome store.
This is not new. In fact, I'd estimate 20% of all popular plugins know all the websites you're visited, Google searches you're doing, etc: https://www.howtogeek.com/180175/warning-your-browser-extens...
It's how SimilarWeb and other clickstream companies get their data. They claim it's harmless, but they have the ability to know everything you've inputted, and all the secure URL's you've visited (aka that intranet page with all your company salaries or passwords that you think nobody on the web knows about)
"Chrome Extensions - AKA Total Absence of Privacy" Detectify's blog post about the subject, mentions Similar web as well.
https://labs.detectify.com/2015/11/19/chrome-extensions-aka-...
So malware. You wrote some malware.
I think you mean development tool.
Great demonstration. You could probably just as easily listen for blur on form fields and be even more dangerous.
I never install browser extensions because it is difficult to check what they are doing and many of them require access to all sites. Users should check who wrote the extension and whether they trust the author.
That's why I login into my bank or other important accounts in incongnito mode, where, I make sure extensions stay disabled.
Does not work for blockchain.info but does for reddit, hackernews, and facebook