What Is Pwning Through Chrome Extension Hacks?
Pwning, in hacker jargon, refers to compromising or controlling another’s website, computer, application or gateway device. Some security researchers even award Pwnie Awards for cracking.
Although Google claims that its browser, Chrome, is the safest web browser on the market, one can never be too careful in matters concerning security.
There are indeed several Chrome extensions with which you could lock down Chrome and make it extremely secure.
However, other extensions of Chrome are not so secure, and can be used by attackers to compromise the Chrome browser.
For example, the ScratchPad Extension allows users to take notes and auto-syncs the note files with Google Docs in the ScratchPad folder.
One of the features of this extension allows users to share ScratchPad folders without the need for any permission from the original user.
How Can Attackers Use Vulnerable Chrome Extensions?
A malicious code hidden in one of the notes saved on the ScratchPad folder, when accessed by the victim can compromise his browser.
Once the note is opened, the code proceeds to steal all contacts saved in the victim’s Gmail account, since he was already logged into it. Although Google has now patched this specific vulnerability, there are several other extensions with similar or worse vulnerabilities.
With increased use of mobile devices, attacks on applications are rising. Many powerful chrome extensions are meant for the user to access cloud services through Chrome, and this is becoming the main target for attackers.
Most mobile apps require user permission for accessing the various features and capabilities. Extensions for the Chrome OS also require permissions to access features and capabilities, but the difference is, permissions are set and defined by the developer of the extension.
With independent software developers writing the Chrome OS extensions, the security mindset of the developers becomes more important to define the vulnerability/security of the software.
What Happens During An Attack On A Vulnerable Chrome OS Extension?
With increased focus on cloud-based applications and storage, malware is not downloadable from the cloud to the user’s machine. The usual suspects are weeded out by the Chrome OS and users remain protected.
Therefore, instead of targeting the data on the user’s hard disk, the attacker targets the applications that send and receive data between the cloud service and the Chrome browser.
Attackers target common web vulnerabilities that can compromise higher privileged applications. They use Cross Site Request Forgery and Cross Site Scripting vulnerabilities, which are the most common in such extensions.
As independent developers write most extensions, writing bad code is common, and the developer may provide the extension with more permissions than is necessary
Once exploited, the attacker can:
- Monitor all the open tabs on the victim’s browser
- Extract HTML Code from the web pages
- Read/Write cookies stored in the browser
- Access the local hard disk of the victim
- Manipulate the history of the victim’s browser
- Take screenshots of the tabs on the browser
- Inject keyloggers/ BeEF hooks for causing further damage
How Can Pwning Through Chrome Extension Hacks Be Prevented?
Awareness of which extensions provide greater security to Chrome affords the best protection from these attacks. Some of these extensions enhance the inherent security of the Chrome browser. External vigilance and continuous monitoring for malware, Trojans, and virus is essential.
Some of the more secure extensions that help prevent attacks are:
- BugMeNot Lite
- Secure Profile
- Credit Card Nanny
- KB SSL Enforcer
- View Thru
- Click & Clean
- Web of Trust