Researchers at network security vendor ICEBRG recently discovered four malicious extensions in the official Google Chrome Web Store with a combined user count of more than 500,000, and as with past incidents, the implications are serious for both consumers and enterprises.
ICEBRG notified Google and three of the extensions have since been removed from the Chrome Web Store. It was not immediately clear why the fourth one, Nyoogle, remains. Google did not respond to a request for comment Tuesday. The other three extensions are Stickies, Lite Bookmarks and Change HTTP Request Header.
“Coupling an extension marketplace style ‘easy install’ for users, limited understanding of the underlying risks, and few compensating controls leaves organizations vulnerable to a serious and easily overlooked attack vector,” ICEBRG researchers Justin Warner and Mario De Tore wrote in a blog post.
ICEBRG noticed a suspicious jump in outbound network traffic from a workstation at a customer site. Its investigation subsequently revealed the malicious extensions. Most likely, the extensions were used for click-fraud and search engine optimization manipulation, but nonetheless “provided a foothold that the threat actors could leverage to gain access to corporate networks and user information,” the researchers wrote.
They go on to provide a detailed technical description of their investigation and the methods used by the extensions to inject and execute malicious JavaScript code.
“By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP). When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request,” according to the researchers.
Along with Google, ICEBRG has notified the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT) and affected ICEBRG customers.
Chrome has about 60 percent of the overall browser market, making it a desirable target for criminal exploitation. In recent months, a series of malicious Chrome extensions have been discovered. One that surfaced in August was used by Brazilian criminals to commit banking fraud.
Another one, found in October, downloaded and installed a .cab file on victims’ computers, which captured all the information they entered on any website and sent it to a remote server.
Google has been coming up with more enterprise-friendly security features for managing extensions, the ICEBRG researchers note. For example, IT staffers have already been able to blacklist specific extensions, but more recently gained the ability to set policy-based bans.
Still, “without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks,” ICEBRG said.
The irony is that Chrome has been viewed as one the more secure browsers on the market, said Ken Spinner, VP of worldwide field engineering at security vendor Varonis, which is focused on insider threats and cyberattacks. “Obviously, this should give people reason for concern,” Spinner said. “Everything should be under the scrutiny of your security people. People have to start thinking that if they’re not already, they will be exploited.”