The Web Is Dangerous: Phishing and Browser Extensions

Using the web is inherently dangerous. Browsers gladly accept and run code that serves some unknown and different purpose for each webpage. Webpages often have vulnerabilities, allowing hackers to run code that may allow them to steal your data. Your computer will (probably) not explode while using the web but untrusted code may have ulterior motives. There are a number of dangers but I will be writing about two of them.

Browser Extensions

The web works by loading scripts on most pages that serve a purpose and (supposedly) make a user's browsing experience better. I hold the belief that usage of these scripts should be limited, and webpages should live a balanced lifestyle, following The Web Pyramid.

Browser extensions are collections of scripts that are run in a privileged space by your browser. They might be huge collections of scripts that provide a complicated service but they can also be small scripts that replace words in a funny way. There are two things web citizens should be wary of when they choose to install another browser extension.

The model in which browser extensions are loaded can be extremely wasteful and is a huge cause of Chrome's obesity. Chrome extensions have a content script, a script that is loaded into each tab, and a background page, which exists in memory in only one place. Each has different capabilities and serves a different purpose.

Content scripts, being loaded on every tab, should mostly be handling presentation and passing messages to the background to do processing. This isn’t always the case. Large scripts being loaded on each tab add up to huge amounts of memory quickly, especially when you install a lot of extensions. Here's an example of my Chrome Memory Usage with 5 tabs open.

Browser obesity is not a danger though. It is only a pet peeve. The real danger lies with the extension ecosystem. The level of privilege a content script has to maliciously siphon user data is astonishing. Attackers know this.

That is an image of an email I received from somebody who was negotiating with me to buy a Chrome Extension that I wrote and published, which has about 10k users. They offered me $300 after I negotiated with them (I did not sell my extension, I just like to negotiate). I've received about 5-10 similar offers. Chrome extensions update magically behind the scenes. People who buy (or scam) extensions from developers will then repackage the extension with malware and instantly push that out to their users. What exactly can these bad extensions do, though?

Chrome extensions are infinitely scary. The content script and the background page each present separate security and privacy concerns. The goal of a malicious content script is to monitor user actions. Passwords entered into input fields can be stolen, emails can be read, financial information gobbled up. An evil content script could scrape the content of each page you visit and send it to a remote server. The excerpt of a manifest.json file below makes it all too easy to access all the information on every page that loads.

   "content_scripts": [ {
      "all_frames": true,
      "js": [ "content_script.js" ],
      "matches": [ "<all_urls>" ],
      "run_at": "document_end"
   } ],
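As an added example (not code from the original post or from any published extension), here is a small static audit that reads a manifest.json and flags exactly the kind of over-broad access the excerpt above grants: content scripts matched against every site and every frame, permissions that reach beyond page content, and a persistent background page. The sample manifest is constructed for illustration, and the list of "risky" permissions is a reviewer's choice, not an official Chrome classification.

```javascript
// Added example: static audit of a Chrome extension manifest for broad access.
// The manifest below is constructed; it is not a real published extension.

// Match patterns that cover every site an extension could ever see.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions worth a second look at install time (reviewer's choice, assumption).
const RISKY_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "tabs", "history", "cookies", "<all_urls>",
]);

// Returns human-readable findings; an empty array means nothing was flagged.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    const broad = (cs.matches || []).filter((m) => BROAD_MATCHES.has(m));
    if (broad.length > 0) {
      findings.push(`content_scripts[${i}] runs on every site (${broad.join(", ")})`);
    }
    if (cs.all_frames === true) {
      findings.push(`content_scripts[${i}] also runs inside every iframe (all_frames)`);
    }
  });
  for (const p of manifest.permissions || []) {
    if (RISKY_PERMISSIONS.has(p)) {
      findings.push(`permission "${p}" reaches beyond the content of the current page`);
    }
  }
  if (manifest.background) {
    findings.push("declares a background page/script that persists across all tabs");
  }
  return findings;
}

// Convenience wrapper for raw manifest.json text.
function auditManifestText(text) {
  return auditManifest(JSON.parse(text));
}

// Constructed sample: a "word replacer" that asks for far more than it needs.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Word Replacer (constructed sample)",
  version: "1.0",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["background.js"] },
  content_scripts: [{
    all_frames: true,
    js: ["content_script.js"],
    matches: ["<all_urls>"],
    run_at: "document_end",
  }],
});

console.log(auditManifestText(SAMPLE_MANIFEST).join("\n"));
```

Run it with Node against an unpacked extension's manifest.json to get a quick list of what the extension can reach before deciding whether to keep it installed; a manifest whose content script only matches a single origin and asks for no extra permissions produces no findings.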

The background page has access to a separate set of Chrome APIs, but privacy dangers still exist. A background page can downgrade all of your requests from https to http, as in the code snippet below. It can do a lot of other evil things too, like saving every URL you access. This requires special permissions, but most extensions have the "Access all data on every page" permission anyway.

// Background page: intercept every request before it is sent and rewrite
// the matching https URL to plain http (the downgrade described above).
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    if (details.url === "https://example.com/") {
      return {redirectUrl: "http://example.com/"};
    }
    return {cancel: false};
  },
  {urls: ["<all_urls>"]},   // observe requests to every URL
  ["blocking"]);           // "blocking" lets the listener change the request

Once an attacker has JavaScript running there is no web security mechanism to prevent any data they access from being exfiltrated. WebSec-savvy readers might be thinking that Content Security Policy will stop this. It won't. Chrome content scripts live in a separate world, which makes a web page's CSP rules ineffective.
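The snippet above can be checked for dynamically rather than by reading it. As an added example (not from the original post), the harness below runs a webRequest.onBeforeRequest-style handler over a set of constructed request details and reports every redirect whose scheme drops from https to http. The handler included here is constructed to mirror the post's snippet so the harness has something to catch; the request objects are constructed as well and only carry the fields the check needs.

```javascript
// Added example: detect https -> http downgrades performed by a
// webRequest.onBeforeRequest handler. Handler and requests are constructed.

// A handler with the downgrade behaviour shown in the post (constructed copy).
function downgradingHandler(details) {
  if (details.url === "https://example.com/") {
    return { redirectUrl: "http://example.com/" };
  }
  return { cancel: false };
}

// Run `handler` over each request; collect redirects that weaken the scheme.
function findDowngrades(handler, requests) {
  const downgrades = [];
  for (const details of requests) {
    const decision = handler(details) || {};
    if (typeof decision.redirectUrl !== "string") continue;
    let from, to;
    try {
      from = new URL(details.url);
      to = new URL(decision.redirectUrl);
    } catch (e) {
      continue; // malformed URL: cannot judge the scheme, skip it
    }
    if (from.protocol === "https:" && to.protocol === "http:") {
      downgrades.push({ from: details.url, to: decision.redirectUrl });
    }
  }
  return downgrades;
}

// Constructed request details in the shape the listener receives.
const SAMPLE_REQUESTS = [
  { url: "https://example.com/", method: "GET", type: "main_frame" },
  { url: "https://example.org/login", method: "POST", type: "xmlhttprequest" },
  { url: "http://example.net/", method: "GET", type: "main_frame" },
];

console.log(findDowngrades(downgradingHandler, SAMPLE_REQUESTS));
```

Only the first request is reported: it is the one the handler redirects, and the redirect moves it from https to http. Feeding a suspect extension's listener a corpus of the URLs you actually visit turns the post's warning into a concrete finding instead of a guess.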


Phishing

This is going to be short. Phishing is probably the least interesting topic in computer security. Not because it isn't effective, but because it isn't a technical problem and it can't be patched. Training is required to recognize bad phishing attempts, and even experienced infosec professionals can be fooled by good ones. All software can be impersonated by phishing. This is because companies are not there to slap the hands of phishers as they use company logos. (People who phish are probably going to follow your brand guidelines, so lighten up.)

No matter what the architecture of the software, the users can be phished. Several people on Twitter today expressed that software architecture and not using the web "viewport" could save them from phishing attempts. Well. No.

Text of the cloned dialog:

   Sign in to download from the App Store.

   If you have an Apple ID, sign in with it here. If you have used the iTunes Store or iCloud, for example, you have an Apple ID. If you don't have an Apple ID, click Create Apple ID.

Just because something might happen outside the viewport, users don't know that. This is an operating system popup, not a web-based one, that I cloned for OS X. It looks pretty good and I only spent about 5 minutes on it. How much better could it be with more attention to detail? Here's what the real one looks like. No popup or viewport is sacred. Phishing is boring because it is the oldest trick in the book. It still continues to work and it will continue to work until the web is gone.

Recommendations

Phishing

There is a lot of information here. My recommendation is to know the signs that a popup is real. For example, my OS X popup will not move outside the browser window. Even then, it's a hard popup to recognize as fake, since it requires knowledge that Apple would never prompt you in a browsing context. It's not the software author's fault for being phishable. Everything is phishable, so always be skeptical.

Browser Extensions

If you have any extensions you don't trust with your financial information, remove them. It's that simple. The extension ecosystem is scary and feels lawless. Extensions have a permissions model, but it isn't as easy to understand as a mobile phone's permission model, and extensions have very scary powers.

ejj, Jan 2016