Shopper or shoplifter: The browser attack surface Part 2


Last year researcher Bosko Stankovic found a way to exploit an older and essentially outdated file extension called .scf. Ever heard of it? Me neither.

It’s like an early predecessor of the .lnk shortcut link. If you’re security savvy, you may recall the Stuxnet breach which attempted to destroy Iran’s nuclear program. This was done through powerful malware which got into the system via a malicious .lnk file. Yes, a malicious shortcut file. Crazy, isn’t it?

Stankovic found that because Chrome downloads known-safe file types without asking, it will download a .scf file. You may think that you would still need to run the malicious file, right? What’s even more exciting about this is that… well, you know when you visit a folder in Explorer and it creates those cool little icons for each file?

A .scf file can specify the location of that icon, which means that without executing anything, Explorer will go to that location to find it, and the location doesn’t have to be on your computer. It can be remote. If the remote computer pretends to be a Server Message Block (SMB) server, the SMB protocol exchange will initiate the NTLM (NT LAN Manager) challenge/response authentication mechanism.

Stankovic proved that this allows a remote agent to capture the user’s Windows credentials, which could be used for all sorts of nasty ends.
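The practical defence against the .scf trick is to notice (and block) SMB connections leaving your network, since a Windows client has no business authenticating to a file server on the internet. The following detector is an added example, not code from the article or from Stankovic’s research; the log format, host names and addresses are all constructed for the demo.

```javascript
// Flag outbound SMB connections that leave the local network: the path an
// .scf icon lookup takes when the "icon server" is somewhere on the internet.
// The firewall log format below is constructed for this example.

const SMB_PORTS = new Set([445, 139]);

// RFC 1918 and loopback ranges: SMB to these is normal file-server traffic.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// One connection per line: "<time> <verdict> TCP <src>:<sport> -> <dst>:<dport>"
const LINE_RE =
  /^(\S+)\s+(ALLOW|DENY)\s+TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$/;

// Returns every connection to an SMB port whose destination is not a private address.
function findSmbEgress(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;                        // skip blank or unparseable lines
    const [, time, verdict, src, , dst, dport] = m;
    if (SMB_PORTS.has(Number(dport)) && !isPrivateIPv4(dst)) {
      hits.push({ time, verdict, src, dst, dport: Number(dport) });
    }
  }
  return hits;
}

// Constructed sample: one internal share, one HTTPS session, and two SMB
// connections to documentation-only TEST-NET addresses standing in for
// attacker-controlled hosts. Only the last two should be flagged.
const SAMPLE_LOG = `
2018-05-10T09:12:01Z ALLOW TCP 10.0.0.15:49233 -> 10.0.0.5:445
2018-05-10T09:12:07Z ALLOW TCP 10.0.0.15:49240 -> 203.0.113.7:445
2018-05-10T09:12:09Z ALLOW TCP 10.0.0.15:49241 -> 198.51.100.20:443
2018-05-10T09:13:30Z DENY  TCP 10.0.0.22:50112 -> 198.51.100.9:139
`;

for (const h of findSmbEgress(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.verdict} ${h.src} -> ${h.dst}:${h.dport} outbound SMB, possible NTLM leak`);
}
```

An ALLOW verdict on a hit means the perimeter let the authentication attempt through and the credential material should be treated as exposed; a DENY shows the egress block doing its job.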

Let’s consider for a moment browser extensions

Do you use any?

In Firefox, I used to have one called DownloadThemAll. In Chrome I have a few, like Adobe Acrobat, Cisco Webex, and Evernote Clipper. You might have Chrome extensions and not even realise it. It’s worth a check. In Chrome, under the vertical (…) menu on the far right, navigate to “More tools” and then “Extensions.” Make sure you recognise everything there. Be sure, when you add an extension, that you are happy with the privileges you give it. It can even be worth removing and re-adding an extension to see what it asks for if you’ve had it for a while and can’t remember what you agreed to upon installing it.

Check permissions an extension asks for

Chrome extensions are also largely written in our old friend JavaScript.

For a recent example of what’s possible: in February 2018, a company called TextHelp had its BrowseAloud plugin (plugin = extension) hacked, so that anyone visiting a site that used it (more than 5,000 websites) ended up running some malware/crypto-jacking software known as Coinhive. Coinhive takes advantage of the processing power of your computer or device to mine the cryptocurrency Monero.

What was interesting about that effort to mine currency on behalf of the bad guys is that, technically, you don’t have to hack anything to make it happen: a site can embed a miner like that deliberately.

Also, consider that anyone can write an extension for Chrome or Firefox and make it available. It’s worth noting that, a bit like Apple, Chrome only installs extensions from its own store, which could be considered much safer. However, just as some of the applications available in the Google Play store for Android phones aren’t actually safe or well-intentioned, the same goes for browser extensions.

While writing a new malicious extension is possible, getting it into the store could cost the attacker some much-desired anonymity. What seems to be a more typical route for extension hackers is to use that old classic, phishing emails, to compromise the developer group working on the extension or plugin and gain access to their Chrome Web Store account. If they can gain those credentials, they can simply swap out a known, trusted (there’s that word again) extension for a similar but different version with malicious intent.

Plugin breaches could have done so much more – Cue Blockchain

Let us think about what you can do with the power of distributed computing, which is all the rage with blockchain technologies at the moment.

It is quite straightforward to use a compromised extension to inject a small section of JavaScript code that orchestrates a distributed denial of service (DDoS) attack against a specified target website, using the browser power of thousands of unknowing individuals. An early example of distributed computing would be SETI. You know, there was always a guy at your work helping out the intelligent-life-in-space cause.

There have been several extensions and web applications to do with cryptocurrencies which have been compromised to reroute cryptocurrency transactions from your online “hot” wallet to the bad guys’ wallet instead of your intended destination. A very recent one was the BlackWallet Stellar Lumen wallet application, which had JavaScript injected to check for and remove crypto.

Buyer Beware

The next chink in the browser armour (if you imagine armour made of lettuce or origami birds) is advertising or, as it’s come to be known, malvertising. Even simple, non-web-app sites allow remote advertising servers to inject the code that displays adverts on their pages. On high-profile and reputable websites, this gives attackers an opportunity to bypass firewalls and blacklists and undermine even the most cautious user.

In 2015, malvertising was responsible for the deployment of the CryptoWall ransomware, which took $1 million in ransom money by infecting over 600,000 computers.

Malvertising can inject code to exploit the user locally (crypto-miners, for example) or something that abuses the trust of the host site and lures you to a too-good-to-be-true offer on a remote malicious site.

One final (but by no means the last) path to, yet again, getting a bit of unwanted JavaScript code running on your computer is to use something called a DOM-based XSS (Cross-Site Scripting) defect.

URLs for websites can carry a ton of extra tokens and cookies that make them hard to understand. Sometimes there are simple parameters on the URL line that look a bit like ?language=French. That’s a good example because lots of sites are language specific.

Essentially, if the page you’re on doesn’t check a parameter before using it (i.e., sanitising input), you could change the word “French” to some JavaScript that mines cryptocurrency or scans the page for personal information (and so on).

I would hope we don’t have to worry about that, as most modern sites are designed to avoid this vulnerability by sanitising inputs OR by avoiding URLs like this completely. I guarantee some older sites, though, are definitely not, and it can be a fun afternoon surfing around to find some.
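To make the ?language=French case concrete, here is the pattern as a DOM XSS bug and then hardened. This is an added example, not code from the article; the page, function names and the list of supported languages are invented, and both functions return the HTML string a real page would assign to an element’s innerHTML so the effect can be inspected outside a browser.

```javascript
// Reads the language parameter the way a client-side script would
// (location.href in a browser; a full URL string here). Returns null if absent.
function languageParam(url) {
  return new URL(url).searchParams.get('language');
}

// Vulnerable: the untrusted parameter flows straight into an HTML sink.
// In a real page this string would be assigned to banner.innerHTML.
function renderLanguageBannerUnsafe(url) {
  const lang = languageParam(url) ?? 'English';
  return `<p>Showing the site in ${lang}</p>`;
}

// Hardened: accept only values from an allow-list, and escape on output as well
// so the fix does not depend on the list staying complete.
const SUPPORTED = new Set(['English', 'French', 'German', 'Spanish']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderLanguageBannerSafe(url) {
  const requested = languageParam(url);
  const lang = SUPPORTED.has(requested) ? requested : 'English';
  return `<p>Showing the site in ${escapeHtml(lang)}</p>`;
}

// Constructed inputs: a normal visit and a tampered URL. The tampered value is
// harmless <b> markup, chosen only to show where injected HTML would land;
// script or event-handler attributes would land in exactly the same place.
const NORMAL = 'https://shop.example/?language=French';
const TAMPERED = 'https://shop.example/?language=' +
  encodeURIComponent('<b>not a language</b>');

console.log('unsafe, normal  :', renderLanguageBannerUnsafe(NORMAL));
console.log('unsafe, tampered:', renderLanguageBannerUnsafe(TAMPERED));
console.log('safe,   tampered:', renderLanguageBannerSafe(TAMPERED));
```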

Steve Giguere is a lead sales engineer at Synopsys