Google has strengthened its security on browser extension installation

Aug 21, 2014 17:27 GMT

Extensions with suspicious activity as well as downright malicious ones have been discovered in Google Chrome’s Web Store, posing risks such as code injection in web pages, browsing monitoring or information stealing.

Studying 48,332 Chrome extensions with a specially designed tool called Hulk, security researchers found 130 of them to exhibit malicious activity and 4,172 to behave suspiciously; most of them were spotted in Chrome Web Store.

The authors of the paper presented their findings on Thursday, during the 23rd USENIX Security Symposium in San Diego, California.

Hulk helped them analyze the extensions and determine the nature of their activity. It leverages HoneyPages, web pages created to provide the necessary conditions for the extension to perform, and a fuzzer, for driving the execution of event handlers registered by the browser component, allowing researchers to conduct the experiment.

Suspicious behavior of the extensions included affiliate fraud, credential theft, ad injection or replacement, and social network abuse.

Among the results of the analysis, there were components that tampered with the security-related HTTP headers, which allowed JavaScript injection in web pages.

“In principle injection need not occur at all, since Chrome extensions can come packaged with all the code needed to operate. In total, we found more than 3,000 extensions that dynamically introduced remotely-retrieved code either through script injections or by evoking ‘eval’,” explains the paper.

One component was found to inject code in every page visited by the user; it had been added to 5.6 million browsers.
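The behaviors described above (references to security-related headers, remotely retrieved scripts, `eval`, and injection into every page) can also be looked for statically in an extension's manifest and source. The following JavaScript is an added example, not code from the paper or from Hulk, which observes extensions dynamically; the rule names, function names and sample extension are constructed for illustration, and a hit is a lead for manual review rather than a verdict.

```javascript
// Static heuristics only (assumption: a Manifest V2 extension unpacked to text files).
const ALL_URLS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const SOURCE_RULES = [
  // Runtime evaluation of strings, the 'eval' route named in the paper quote.
  { id: "dynamic-eval", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  // A script element whose src is an absolute remote URL.
  { id: "remote-script", re: /\.src\s*=\s*["'`](?:https?:)?\/\/[^"'`]+/ },
  // Security-related response headers named inside extension code.
  { id: "security-header-ref", re: /content-security-policy|x-frame-options/i },
];

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const scripts = manifest.content_scripts || [];
  if (scripts.some(cs => (cs.matches || []).some(m => ALL_URLS.includes(m))))
    findings.push("content-script-on-every-page");
  if (perms.includes("webRequest") && perms.includes("webRequestBlocking"))
    findings.push("can-rewrite-headers");
  if (/unsafe-eval/.test(manifest.content_security_policy || ""))
    findings.push("csp-allows-eval");
  return findings;
}

function auditSource(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const rule of SOURCE_RULES)
        if (rule.re.test(line)) findings.push({ file: name, line: i + 1, rule: rule.id });
    });
  }
  return findings;
}

// Constructed sample extension (not from the paper); example.invalid is a placeholder.
const sampleManifest = {
  manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }],
};
const sampleFiles = {
  "cs.js": 'var s = document.createElement("script");\ns.src = "https://example.invalid/a.js";\ndocument.head.appendChild(s);',
  "bg.js": 'function run(body) { return eval(body); }\nvar drop = ["content-security-policy"];',
  "ok.js": 'console.log("bundled code only");',
};
console.log(auditManifest(sampleManifest), auditSource(sampleFiles));
```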

Others performed ad manipulation by replacing original ads, inserting ads into pages, overlaying ads over content or changing affiliate IDs to direct the revenue to their owners. At the moment of detection, one of them had been downloaded 1.8 million times.

An example of an extension in Chrome Web Store that stole information was “Chrome Keylogger,” designed to capture details from the browser and send the data to a remote server.

Google has taken steps to mitigate the risk of malicious extensions in the Web Store by verifying each entry. Even so, some of them made it to the repository.

However, this type of component can reach users’ browsers through other means, such as sideloading; this means that a third-party program can add it to Chrome.

This was possible until version 25 of Chrome, when Google restricted this type of distribution without user consent.

The company imposed more limitations to maintain the safety of their customers, and at the moment no extension outside Chrome Web Store survives a browser restart. Users can add them in developer mode, but this has to be done each time Chrome starts.