Browser extensions can let you easily make notes, entertain you with a game, or take an annotated screenshot of the website you're visiting. They can also XSS any website you're visiting, harvest your browsing history, replace your cookies, silently change your proxy or execute code on your machine. Even benign, legitimate extensions can do this, simply because they were poorly coded. These flaws are fairly common, and the attacks are easy. In this talk meterpreter sessions will be opened, Google will be XSSed, all your mailbox will belong to us and your PGP private keys will be extracted. But as constructing attack payloads is so boring, we'll present tools that help you find vulnerable extensions, confirm the vulnerabilities and exploit them. Multiple code examples will be given, so after the talk you'll be set to either attack Chrome extensions or code them properly.
The presentation will consist of a technical overview of the Google Chrome extension architecture and its built-in security mechanisms, including Content Security Policy. Focus will be given to bypassing these protections by leveraging poor extension coding, UI redressing attacks or side-channel attacks. Several flaws in popular Chrome extensions will be demonstrated, with consequences ranging from a universal XSS flaw to remote code execution on the client's machine.
Having analyzed the 10 000 most popular extensions from the Chrome Web Store, we will describe several identified vulnerability classes, including but not limited to:
* XSS in content scripts
* XSS in view pages
* Direct URL access
* UI interface spoofing
* DOM content extraction
* NPAPI binary vulnerabilities
These vulnerabilities will be demonstrated on real-world examples, from vulnerable code snippets to complete exploits for them. The usual attack scenario will be a malicious web page that abuses extension mechanisms to inject code into the extension or extract information from it.
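The "XSS in view pages" and "DOM content extraction" classes above both come down to one pattern: a content script collects text from an arbitrary web page and forwards it to an extension page, which then renders it as markup. The following is an added example written for this summary, not code from the talk or from any real extension; the function names (buildTitleRowUnsafe, buildTitleRowSafe, escapeHtml, isAcceptableMessage) and the sample message are this example's own. It shows the vulnerable rendering beside the hardened one and a sender/shape check for messages arriving over chrome.runtime.onMessage.

```javascript
// Added example (not from the talk or any real extension): how page-controlled
// text reaches an extension view page (popup/options/background) and how it
// should be handled there. Pure functions so it runs under plain Node.

// Constructed sample: what a content script might read from the visited page
// (e.g. document.title) and send with chrome.runtime.sendMessage. The page
// author controls every byte of this string.
const SAMPLE_MESSAGE = {
  type: 'page-title',
  title: 'Hello <b>world</b> " & friends',
};

// Vulnerable pattern: the string is concatenated into markup that the view
// page later assigns to innerHTML, so the page author now controls HTML that
// parses in the extension's own origin (with the extension's permissions).
function buildTitleRowUnsafe(msg) {
  return '<li class="title">' + msg.title + '</li>';
}

// Hardened pattern: escape the five HTML-significant characters before the
// string touches markup. Better still is textContent on a created node,
// which never parses markup at all (see the listener sketch below).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function buildTitleRowSafe(msg) {
  return '<li class="title">' + escapeHtml(msg.title) + '</li>';
}

// Messages in chrome.runtime.onMessage can come from any tab where a content
// script runs and, if "externally_connectable" is configured, from web pages.
// Accept only the sender and message shape the extension expects.
// `expectedId` stands in for chrome.runtime.id, which is not available here.
function isAcceptableMessage(msg, sender, expectedId) {
  if (!sender || sender.id !== expectedId) return false;   // not this extension
  if (!msg || typeof msg !== 'object') return false;
  if (msg.type !== 'page-title') return false;
  if (typeof msg.title !== 'string') return false;
  if (msg.title.length > 512) return false;                // bound the payload
  return true;
}

// Sketch of the hardened view-page listener (needs the chrome API, so it is
// left as a comment rather than executed):
// chrome.runtime.onMessage.addListener((msg, sender) => {
//   if (!isAcceptableMessage(msg, sender, chrome.runtime.id)) return;
//   const li = document.createElement('li');
//   li.textContent = msg.title;      // assigns text, never parses markup
//   document.getElementById('titles').appendChild(li);
// });

// Convenience for readers running the file: both renderings side by side.
function renderDemo() {
  return {
    unsafe: buildTitleRowUnsafe(SAMPLE_MESSAGE),
    safe: buildTitleRowSafe(SAMPLE_MESSAGE),
  };
}
```

The unsafe row reproduces the page's `<b>` tags verbatim, which is exactly the hole a content-script-to-view-page XSS walks through; the safe row turns them into text. The sender check matters independently of escaping: a message with an unexpected `type` or an oversized `title` is dropped before any rendering happens.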
Google is currently phasing out extensions with manifest v1 while slowly forcing developers to create extensions with manifest v2. However, the security mechanisms introduced in v2 manifests, including an obligatory Content Security Policy, still leave many possibilities for successful exploitation. During the talk special focus will be given to exploiting v2 extensions and exploring the constraints of their new security model in attack scenarios.
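The manifest v2 CSP is "obligatory" only in the sense that a default of `script-src 'self'; object-src 'self'` applies when the author says nothing; the `content_security_policy` key lets the author relax `script-src` with `'unsafe-eval'` and with https: hosts, and each relaxation is a place where page- or network-controlled code can run in the extension origin. The following is an added example, not a tool from the talk: a small audit that parses that key and reports the relaxations. The function names (parseCsp, auditManifestCsp) and the two sample manifests are constructed for this example.

```javascript
// Added example (not from the talk): audit the manifest v2
// "content_security_policy" string for relaxations of Chrome's default.

// Chrome's default policy for v2 extensions when the key is absent.
const DEFAULT_V2_CSP = "script-src 'self'; object-src 'self'";

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Returns a list of findings for one manifest object; empty means nothing
// was flagged. Only v2 manifests are covered, since v2 is where a custom
// policy string is allowed.
function auditManifestCsp(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 2) {
    findings.push('manifest_version is not 2; this audit covers v2 only');
    return findings;
  }
  const policy = manifest.content_security_policy || DEFAULT_V2_CSP;
  const csp = parseCsp(policy);
  const scriptSrc = csp['script-src'] || [];
  const objectSrc = csp['object-src'] || [];

  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval()/new Function on untrusted strings runs as extension code");
  }
  for (const src of scriptSrc) {
    if (src.startsWith("'")) continue;             // keyword sources ('self', ...)
    if (src.includes('*')) {
      findings.push(`script-src allows a wildcard origin (${src})`);
    } else if (/^https?:/.test(src)) {
      findings.push(`script-src loads remote code from ${src}: a compromise of that host is a compromise of the extension`);
    }
  }
  if (objectSrc.length === 0) {
    findings.push('no object-src directive: <object>/<embed> sources in extension pages are not restricted by this policy');
  } else if (objectSrc.some((s) => s !== "'self'" && s !== "'none'")) {
    findings.push(`object-src allows sources beyond 'self' (${objectSrc.join(' ')})`);
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const STRICT_MANIFEST = {
  manifest_version: 2,
  name: 'Example (strict)',
  version: '1.0',
  // no content_security_policy key: Chrome applies DEFAULT_V2_CSP
};

const WEAK_MANIFEST = {
  manifest_version: 2,
  name: 'Example (relaxed)',
  version: '1.0',
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
```

Run `auditManifestCsp` over every unpacked extension's `manifest.json` and the ones with findings are where to start reading the code: `'unsafe-eval'` usually pairs with `eval` of something fetched or received from a page, and a remote `script-src` host means the extension's behaviour is whatever that host serves today.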