Issue 662577

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug-Security



Security: a malicious chrome extension can use user's credentials to create accounts without his knowledge/approval

Reported by i...@perimeterx.com, Nov 4 2016

Issue description

We have seen several malicious extensions in the past on the Chrome Web Store that downloaded a payload from their control and ran JavaScript code to use Google or Facebook login to create new accounts on applications supporting these logins (like Dropbox) once the user is logged in.
This is done in the background, without the user getting any notification and without the user actually approving anything. The extension will click the required "approval" buttons in the background, or will use direct XHR/POST requests.

I've uploaded 2 Chrome extensions to demo this (fb-sso and google-sso) and kept them private, for obvious reasons.
FB: https://chrome.google.com/webstore/detail/cioakopdgeahcdgfefoankopifekagfi/
Google: https://chrome.google.com/webstore/detail/ccieajhmbpkpdildnhgdghlnnkobhbdn/
I'm also attaching the zip files.
The zip files also include Readme.md instructions and a sample web page testing the application login.

I reported this also on another channel as a potential Google login risk, and reported to FB as a potential vulnerability in their login service.

Attachments:
google_sso.zip (71.9 KB)
fb_sso.zip (74.2 KB)
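
A defender-side check for the behaviour described in this report, as an added example that is not part of the original issue or of Chromium's code: it flags extension manifests whose host permissions or content-script match patterns cover identity-provider login origins. The `IDP_HOSTS` list, the function names and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the issue): audit an extension manifest for access
// to identity-provider (IdP) login origins. IDP_HOSTS is an assumed list.
const IDP_HOSTS = ["accounts.google.com", "www.facebook.com"];

// True if a Chrome match pattern (<scheme>://<host>/<path>) covers https://<host>/.
// The path part is ignored on purpose: any coverage of the origin is reported.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^\/*]+|[^\/*]+)\/.*$/.exec(pattern);
  if (!m) return false; // API names ("tabs"), file://, malformed patterns
  const [, scheme, hostPat] = m;
  if (scheme === "http") return false; // login pages are served over https
  if (hostPat === "*") return true;
  if (hostPat.startsWith("*.")) {
    const base = hostPat.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPat;
}

// Collect every pattern that lets the extension inject into or request an IdP origin.
function auditManifest(manifest) {
  const sources = [
    ...(manifest.permissions || []).map((p) => ["permissions", p]),
    ...(manifest.host_permissions || []).map((p) => ["host_permissions", p]),
    ...(manifest.content_scripts || []).flatMap((cs) =>
      (cs.matches || []).map((p) => ["content_scripts", p])),
  ];
  const findings = [];
  for (const [source, pattern] of sources)
    for (const host of IDP_HOSTS)
      if (patternCoversHost(pattern, host)) findings.push({ source, pattern, host });
  return findings;
}

// Constructed sample manifests (not the extensions attached to this issue).
const broadManifest = {
  name: "constructed-sample-broad", manifest_version: 2,
  permissions: ["tabs", "https://*.google.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const narrowManifest = {
  name: "constructed-sample-narrow", manifest_version: 2,
  permissions: ["storage", "https://example.org/*"],
};

for (const m of [broadManifest, narrowManifest])
  console.log(m.name, JSON.stringify(auditManifest(m)));
```

A non-empty result means the extension is able to run script on, or send credentialed requests to, a login origin; whether it does so still requires reviewing the extension's code.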
Cc: ericdingle@chromium.org
Components: Platform>Extensions
Labels: Pri-3
Status: WontFix (was: Unconfirmed)
Thanks for the report. If you find malicious extensions in the Chrome Webstore, please do report them via https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

In general all the functionality you describe is functionally allowed in an extension, though it may be against the Chrome Webstore policy and should be removed from there.
Thanks for your prompt response.
I plan to present this potential risk at a conference this week (Thursday) to raise awareness among application/site developers using 3rd party login services, and among users using Chrome extensions.
As you do not see it as a Chrome vulnerability, I assume you have no objection to me reporting it and raising security awareness.
Project Member

Comment 3 by sheriffbot@chromium.org, Feb 11 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot