Security researchers from Germany’s CISPA Helmholtz Center for Information Security have developed software to help identify Chrome extensions that are vulnerable to exploitation by malicious webpages and other extensions.
Back in 2018, Google announced plans to redesign its browser extension platform to make it more secure. Under its old platform rules, known as Manifest v2, Chrome extensions had broad powers that could easily be misused.
And many miscreants have abused those powers. In February 2020, for example, Google removed more than 500 malicious extensions. That was a month after Google closed its Chrome Web Store to new extensions to fight payment fraud. There were more removals in April and May 2020, this time related to extensions designed to steal crypto-wallet credentials. There were other such incidents in June and December 2020. And this sort of thing has been going on for years.
Alongside its efforts to cleanse the Chrome Web Store, for the past three years Google has been developing Manifest v3, a revised set of extension APIs with more limited capabilities: a loss for content blocking and privacy tools, but with fewer of the security and privacy pitfalls of the old platform.
Google began accepting Manifest v3 extensions for review in January 2021. Nonetheless, these more modern extensions are not vulnerability-free, and the older Manifest v2 extensions still circulate.
CISPA Helmholtz boffins Aurore Fass, Dolière Francis Somé, Michael Backes, and Ben Stock took it upon themselves to develop a tool called DoubleX to help deal with the situation.
They describe their efforts in a paper [PDF] titled, “DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale,” which is featured in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, a virtual event scheduled for next week in South Korea.
Malicious extensions, they say, represent only a fraction of the extensions that present security and privacy concerns.
Benign extensions, meanwhile, may contain insecure code that can be exploited by other extensions installed by the user, or by malicious webpages visited by the user, to run malicious scripts where they shouldn’t, exfiltrate data, trigger downloads, and more. It’s these harmless-but-exploitable extensions that DoubleX looks for.
DoubleX is an open source static analyzer that’s designed to flag vulnerable data flows. It’s not, in other words, just for finding malicious extensions; it looks for exploitable data paths, which may exist even in well-intentioned or otherwise benign add-ons.
How might these flaws be exploited? Well, the inclusion of an eval function, the researchers explain, means an attacker could potentially take advantage of the vulnerable extension’s permissions. And an extension containing
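The flow described above, as an added illustration that is not code from the paper or from any real extension: a content script relays window messages from the page to the extension's background script, which feeds them to eval. A page at any origin can therefore run code with the extension's privileges. The hardened version beside it checks the sender's origin, re-shapes the message, and dispatches to a fixed handler table instead of eval. The in-process message bus stands in for chrome.runtime messaging, and the trusted origin and attacker message are constructed for the example.

```javascript
// Added example (not from the DoubleX paper). chrome.runtime.sendMessage/onMessage
// are replaced by a tiny in-process bus so the two patterns can be run side by side.
function makeBus() {
  const listeners = [];
  return {
    onMessage: (fn) => listeners.push(fn),
    sendMessage: (msg) => listeners.forEach((fn) => fn(msg)),
  };
}

// --- Vulnerable pattern: externally controllable data flow into eval ---

// Content script: forwards every window "message" event to the background script
// without looking at event.origin, so any page the user visits can reach the sink.
function vulnerableContentScript(bus) {
  return function onWindowMessage(event) {
    bus.sendMessage(event.data); // attacker-controlled object, passed through untouched
  };
}

// Background script: evaluates a string taken from the message. In a real extension
// this runs with the extension's permissions, not the page's.
function vulnerableBackground(bus, log) {
  bus.onMessage((msg) => {
    if (msg && msg.type === "run") {
      log.push(eval(msg.code)); // sink: arbitrary code execution in extension context
    }
  });
}

// --- Hardened pattern: origin check, re-shaped message, fixed handler table ---

const TRUSTED_ORIGINS = new Set(["https://app.example"]); // assumption for the example

function hardenedContentScript(bus) {
  return function onWindowMessage(event) {
    if (!TRUSTED_ORIGINS.has(event.origin)) return;            // drop untrusted senders
    if (!event.data || typeof event.data.type !== "string") return;
    // Rebuild the message from known fields rather than forwarding the raw object.
    bus.sendMessage({ type: event.data.type, arg: String(event.data.arg ?? "") });
  };
}

// The only actions the background script will perform; no eval, no dynamic lookup
// of arbitrary names (hasOwnProperty blocks prototype keys such as "constructor").
const HANDLERS = {
  greet: (arg) => `hello ${arg}`,
};

function hardenedBackground(bus, log) {
  bus.onMessage((msg) => {
    const handler = Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)
      ? HANDLERS[msg.type]
      : null;
    if (!handler) {
      log.push("rejected:" + msg.type);
      return;
    }
    log.push(handler(msg.arg));
  });
}

// Wire one content script and one background script to a fresh bus, deliver a
// single window message, and return what the background script did with it.
function simulate(setupContent, setupBackground, event) {
  const bus = makeBus();
  const log = [];
  setupBackground(bus, log);
  setupContent(bus)(event);
  return log;
}

// Constructed attacker message from an untrusted page.
const ATTACKER_EVENT = {
  origin: "https://attacker.example",
  data: { type: "run", code: "6*7" },
};

function demo() {
  return {
    vulnerable: simulate(vulnerableContentScript, vulnerableBackground, ATTACKER_EVENT),
    hardened: simulate(hardenedContentScript, hardenedBackground, ATTACKER_EVENT),
  };
}

console.log(demo()); // vulnerable: [42] (attacker code ran); hardened: [] (dropped)
```

Manifest v3's default content security policy blocks eval in the extension's own pages, but the same class of flow remains exploitable whenever an unchecked message reaches a privileged API such as chrome.tabs or chrome.downloads; the origin check and fixed dispatch table above are the fix in either case.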
When DoubleX was fed a large number of Chrome extensions, it did indeed find some problems, though perhaps fewer than one might expect given the Chrome Web Store’s inglorious history.
“We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information,” the paper says. “For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX precision.”
“In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website.”
These 184 extensions affect between 2.4 million and 2.9 million users, with 172 susceptible to a web attacker and 12 exploitable through another unprivileged extension.
From October 2020 through May 2021, the boffins say they dutifully disclosed their findings to developers, if they could find contact information, and to Google in other cases. As of July 2021, they claim, 45 of 48 vulnerable extensions reported were still in the Chrome Web Store.
“Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users),” the paper says.
The Register asked Google for comment but we’ve not heard back. ®