This New Tool Helps in Detecting Vulnerable Chrome Extensions

Malicious extensions represent only a fraction of the extensions that present security and privacy concerns, as per the researchers.

 

Researchers from the CISPA Helmholtz Center for Information Security in Germany have built tools to help identify Chrome extensions that are vulnerable to exploitation by malicious web pages and other extensions.

Google revealed plans to revamp its browser extension platform in 2018 in order to make it safer. Under the previous platform rules, known as Manifest v2, Chrome extensions had broad privileges that could easily be abused. Many crooks have taken advantage of these powers. Google, for example, removed over 500 harmful extensions in February 2020. That was a month after Google barred new extensions from its Chrome Web Store in order to combat payment fraud.

Along with its attempts to tidy up the Chrome Web Store, Google has been working on Manifest v3, a redesigned set of extension APIs that offers fewer features, at the cost of content blocking and privacy tools, but with reduced security and privacy risks. In January 2021, Google began accepting Manifest v3 extensions for evaluation. However, the most recent extensions are not without flaws, and earlier Manifest v2 extensions continue to circulate.

CISPA Helmholtz boffins Aurore Fass, Dolière Francis Somé, Michael Backes, and Ben Stock took it upon themselves to create a tool called DoubleX to help deal with the problem. They describe their research in the paper titled "DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale," published in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security; the conference will be held next week in South Korea.

They stated that malicious extensions are only a small part of the extensions that cause security and privacy issues. Furthermore, benign extensions may include vulnerable code that may be abused by other extensions installed by the user. DoubleX is on the lookout for extensions that aren't harmful but can be exploited. 

DoubleX is an open-source static analyzer that detects potentially dangerous data flows. In other words, it doesn't simply hunt for malicious extensions; it also looks for exploitable data pathways.

How might these flaws be exploited?

According to the researchers, the presence of an eval function indicates that an attacker might be able to exploit the permissions of the vulnerable extension. When DoubleX was fed a considerable number of Chrome extensions, it did discover some issues, but comparatively few.

The paper stated, "We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information. For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX precision." 

"In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website." 
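The kind of flow described above, where data an outside page controls reaches eval inside an extension, is shown here next to a hardened handler. This is an added example, not code from DoubleX, the paper, or any extension it analyzed; the handler names, the origin and the action names are hypothetical, and message events are modeled as plain constructed objects so it runs without a browser.

```javascript
// Constructed example: events are plain objects shaped like a browser
// MessageEvent ({ origin, data }); no extension API is called.

// Vulnerable pattern: data from any sender flows unchecked into eval, so the
// sender's string would run with the extension's privileges.
function vulnerableHandler(event) {
  return eval(event.data.code);
}

// Hardened pattern: check the sender, accept only structured data, and map a
// fixed set of action names to fixed functions. Nothing is ever evaluated.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // hypothetical origin
const ACTIONS = {
  // Hypothetical actions; each validates its own arguments.
  setTheme: (args) => (["light", "dark"].includes(args.theme) ? `theme:${args.theme}` : null),
  ping: () => "pong",
};

function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.action !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // Own-property check so inherited names such as "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) {
    return { ok: false, reason: "unknown action" };
  }
  const result = ACTIONS[msg.action](msg.args || {});
  return result === null ? { ok: false, reason: "bad arguments" } : { ok: true, result };
}
```

A static analyzer looking for externally controllable flows would report the first handler, because `event.data` reaches `eval` with no check in between; the second has no such sink to report.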

Around 2.4 million to 2.9 million people are affected by these 184 extensions, with 172 vulnerable to a web attacker and 12 vulnerable through another unprivileged extension. The researchers say they reported their findings to developers where they could find contact information, and to Google in other cases, from October 2020 to May 2021. According to them, 45 of the 48 vulnerable extensions discovered were still available in the Chrome Web Store as of July 2021.

The paper stated, "Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users)."