
Issue 675275 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: A local unprivileged third party application on a host machine can stealthily steal all user passwords and other sensitive data by installing a co-operative or a vulnerable chrome extension.

Reported by abhinav....@gmail.com, Dec 16 2016

Issue description

VULNERABILITY DETAILS
Chrome extensions generally offer weak permissions that can be generously exploited by a malicious third party. This disclosure aims to highlight a particular vulnerability prevalent in Chrome extensions that can be exploited through a vulnerable third party application or malware installed on a user device. For exemplary purposes, I take macOS and describe the sequence of events that can lead to complete compromise of user passwords.
1. User downloads a vulnerable app from a trusted source such as Apple AppStore or through an untrusted source from a developer's website.
2. The app installs a vulnerable/malicious Chrome extension by writing a file at the following user-writable location:
   ~/Library/Application\ Support/Google/Chrome/External\ Extension/<id-of-extension>.json
   By design, writing a file with the following contents prompts Chrome to install the extension on next startup:
   { "external_update_url": "https://clients2.google.com/service/update2/crx" }
3. A third party unprivileged app exploits this design and installs a vulnerable or a purposely built malicious Chrome extension.
4. The extension's icons do not have integrity protection and can be changed by any unprivileged local app. In this attack, the app replaces the icon with a transparent icon. This allows an extension to fool the user completely by providing no visible cues to the user that there is any significant change in the browser.
5. At a later time, the user launches the browser and the extension is automatically loaded, allowing it to steal all user data, including passwords that the user subsequently types in and previously loaded persistent cookies. The extension may then communicate this data to an external entity by utilizing network resources or even native messaging.

VERSION
Chrome Version: 55.0.2883.95 (64-bit)
Operating System: MacOS Sierra 10.12.1

REPRODUCTION CASE
Attached video demonstration and vulnerability disclosure document

Attachment: ChromeExtensionVulnerability..pdf (58.6 KB)
Please use this video link: https://tools.zscaler.com/upload/f.php?h=3fRPo71D
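As an added example (not part of the report above and not Chromium code), the audit below enumerates the per-user external-extension directory named in step 2 and reports every <id>.json descriptor that would make Chrome install an extension on its next start: it validates the id format, checks whether the install source is the Web Store update URL quoted in the report or a local .crx, and flags any id that is not on a caller-supplied allowlist. It assumes the directory may be spelled either as the report gives it ("External Extension") or as "External Extensions" (the spelling in the linked external_extensions documentation) and scans both; the `external_update_url`, `external_crx` and `external_version` keys are the ones that documentation defines. The extension ids, paths and allowlist used in the demo are constructed for illustration.

```python
"""Audit the per-user Chrome external-extensions directory on macOS.

Added example, not part of the original report: lists every <id>.json
descriptor that would cause a silent install on Chrome's next start,
checks the id format and install source, and flags ids that are not on
an allowlist. demo() builds a throwaway HOME with constructed descriptors
so the script runs offline.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# A Chrome extension id is 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")

# The Chrome Web Store update endpoint quoted in the report.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# The report spells the directory in the singular; Chrome's own
# external_extensions documentation spells it "External Extensions".
# Scanning both spellings is an assumption made here so neither is missed.
CANDIDATE_DIR_NAMES = ("External Extensions", "External Extension")


def external_extension_dirs(home: Path) -> List[Path]:
    """Candidate per-user external-extension directories under this HOME."""
    base = home / "Library" / "Application Support" / "Google" / "Chrome"
    return [base / name for name in CANDIDATE_DIR_NAMES]


def audit_descriptor(path: Path, allowed_ids: Iterable[str] = ()) -> Dict:
    """Parse one descriptor and describe what it would make Chrome install."""
    ext_id = path.stem
    finding = {"file": str(path), "extension_id": ext_id, "source": None, "issues": []}
    if not EXT_ID_RE.fullmatch(ext_id):
        finding["issues"].append("filename is not a well-formed extension id")
    if ext_id not in set(allowed_ids):
        finding["issues"].append("extension id is not on the allowlist")
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        finding["issues"].append(f"unreadable or invalid JSON: {exc}")
        return finding
    if not isinstance(data, dict):
        finding["issues"].append("descriptor is not a JSON object")
        return finding
    update_url = data.get("external_update_url")
    crx_path = data.get("external_crx")
    if isinstance(update_url, str):
        finding["source"] = update_url
        if update_url != WEBSTORE_UPDATE_URL:
            finding["issues"].append("update URL is not the Chrome Web Store")
    elif isinstance(crx_path, str):
        finding["source"] = crx_path
        finding["issues"].append("installs from a local .crx rather than the Web Store")
        if "external_version" not in data:
            finding["issues"].append("external_crx descriptor lacks external_version")
    else:
        finding["issues"].append("no install source (external_update_url or external_crx)")
    return finding


def audit_home(home: Path, allowed_ids: Iterable[str] = ()) -> List[Dict]:
    """Audit every descriptor in every candidate directory under HOME."""
    allowed = set(allowed_ids)
    findings = []
    for directory in external_extension_dirs(home):
        if directory.is_dir():
            for descriptor in sorted(directory.glob("*.json")):
                findings.append(audit_descriptor(descriptor, allowed))
    return findings


def demo() -> List[Dict]:
    """Build a constructed HOME with three descriptors and audit it."""
    home = Path(tempfile.mkdtemp(prefix="chrome-ext-audit-"))
    ext_dir = external_extension_dirs(home)[0]
    ext_dir.mkdir(parents=True)
    good_id = "abcdefghijklmnopabcdefghijklmnop"   # constructed: well-formed, allowlisted
    rogue_id = "pponmlkjihgfedcbapponmlkjihgfedc"  # constructed: well-formed, not allowlisted
    (ext_dir / f"{good_id}.json").write_text(json.dumps({"external_update_url": WEBSTORE_UPDATE_URL}))
    (ext_dir / f"{rogue_id}.json").write_text(json.dumps({"external_update_url": WEBSTORE_UPDATE_URL}))
    (ext_dir / "not-an-id.json").write_text(json.dumps({"external_crx": "/tmp/x.crx"}))
    return audit_home(home, allowed_ids=[good_id])


if __name__ == "__main__":
    for f in demo():
        status = "OK  " if not f["issues"] else "FLAG"
        print(f"{status} {f['extension_id']} source={f['source']} issues={f['issues']}")
```

Run it against a real profile with `audit_home(Path.home(), allowed_ids=[...])`; a descriptor with a well-formed id and the Web Store update URL still gets flagged when the id is not on the allowlist, which is the case the report describes (a Web Store extension dropped by a local process without the user's involvement).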


Components: Platform>Extensions
Background:
https://developer.chrome.com/extensions/external_extensions
https://www.chromium.org/developers/extensions-deployment-faq

In this report, "Unprivileged" is a misnomer, when what is described is an application running arbitrary native code.

https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- 

provides some context on why attacks that require compromise of the PC are outside of Chrome's threat model.

Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
Marking as WontFix for the reasons mentioned in c#2.
