A Chrome extension that intercepts all form submissions on all websites (opens in new tab)

(blog.asdfx.us)

47 pointsagjmills8y ago40 comments

40 comments

I changed the Chromium browser (as a masters project) to intercept suspicious extension actions like inserting elements etc and to alert users of what the extension is attempting to do. Using this proof-of-concept browser would have helped you debug your ad injection problem!

https://cypher.codes/writing/intercepting-suspicious-chrome-...

- Note: my project specifically tries to protect users from Facebook hijacking and ad injection attacks - the two most common attacks on the CWS!

bert_8y ago

Thanks for this! (Also, you have the coolest last name)

throwaway2016a8y ago

Related story...

I once worked on a price comparison plugin and Firefox is very strict about what your plugins are allowed to do. They review each one and have some strict rules: like you can't load and execute Javascript from the web.

Most of our competitors just sent every URL you visited to their server. We wanted to be better than that since that is an obvious privacy issue.

So we made all our plugins (IE, FF, Chrome) download a whitelist (regex array) of shopping domains our search engine supported and it would only make API calls to our server if it matched that list AND you were on a product page.

Had the added benefit of reducing our server load too.

The server still gets a list of every page you visit on eCommerce sites but better than on all sites.

JoshMnem8y ago

Which extensions send every URL you visit to remote servers?

throwaway2016a8y ago

Too many

1 more reply

fenwick678y ago

Not sure what the fuss is here, the permission is literally called "Read and change all your data on the websites that you visit". It should be obvious what it can do.

dmalvarado8y ago

Seems like there should be some additional protection in the extensions API, if there is not already. "Read and change all your data on the websites that you visit" vs. "And send it somewhere over the web" are two separate layers of permission.

Footnote: I can't visit the page. Blocked by corporate.

tyingq8y ago

Since extensions can inject arbitrary js, there isn't really a way to be that granular.

You could, for example, exfiltrate data by injecting an image tag with some extra url parameters on the url. Doesn't have to be xhr or websockets.

1 more reply

blibble8y ago

it's more the automatic silent updating that's the problem

people sell their high value extensions, then the new owners load them full of malware

chrome doesn't let you turn the updating off... I have previously resorted to removing update URL from the extension manifest manually...

siegecraft8y ago

Yes, this is the major issue. Authors also can sell their extension, then re-publish their own non-malwared version as an alternative, then just keep doing it over and over again.

I wrote some scripts to provide version pinning (just automates the manual editing of the manifests) but then you have to consider critical vulnerabilities in things like the LastPass extension where you absolutely want updates ASAP. So then you either have to have a curated extension list or maybe just separate extensions into "trusted" ie provided by reputable businesses as part of their product (lastpass, okta, etc) and "un-trusted." Even then, if the malware isn't in your face, you have no idea if the pinned version of your un-trusted extensions is actually non-malicious without auditing the code.

wheelerwj8y ago

the fuss isn't so much that the permission is labeled wrong. its that the permission exists and theres no middle ground. I was trying to install an extension for pinboard a few weeks ago and it asked for the same thing. so of course i didn't install it. but its pretty lame you can't limit the scope.

mrolla8y ago

My point exactly. Who would have thought that giving an extension permission to read and change all your data on website you visit would give the extension power to read and change all your data on website you visit.

wheelerwj8y ago

most people who understand sandboxing would sooner assume that its bad copy text rather than believe google would allow literally anything anywhere.

1 more reply

paulpauper8y ago

Read is not the same as send to external server. this is a big deal. it makes phishing incredibly easy and impossible to detect.

The ability of extensions to log form data to external servers allows for massive potential abuse. Not sure why Google would allow it. I imagine millions of logins have been stolen this way.

thinkcontext8y ago

Most extensions of any usefulness require these 2 permissions. How else would something like adblocking or a login manager work?

1 more reply

paulpauper8y ago

I only heard about this a few week ago and I thought I was up-do-date on internet security. It may be obvious to others, I had no idea an extnetion could do this. This means it can steal you login like phishing but without a spoof URL. I now disable all extensions when logging into important websites

DougBTX8y ago

Another thing you could do is use incognito mode, which disables extensions by default.

http://www.tomsguide.com/faq/id-2384484/enable-disable-chrom...

paulpauper8y ago

the problem with incognito is that it does not always clear the cookies when you close it

thinkcontext8y ago

Did you report the malicious extension? Its still available from the Chrome store.

AznHisoka8y ago

This is not new. In fact, I'd estimate 20% of all popular plugins know all the websites you're visited, Google searches you're doing, etc: https://www.howtogeek.com/180175/warning-your-browser-extens...

It's how SimilarWeb and other clickstream companies get their data. They claim it's harmless, but they have the ability to know everything you've inputted, and all the secure URL's you've visited (aka that intranet page with all your company salaries or passwords that you think nobody on the web knows about)

zulln8y ago

"Chrome Extensions - AKA Total Absence of Privacy" Detectify's blog post about the subject, mentions Similar web as well.

https://labs.detectify.com/2015/11/19/chrome-extensions-aka-...

whiskeySix8y ago

So malware. You wrote some malware.

vesrah8y ago

I think you mean development tool.

myinitialsaretk8y ago

Great demonstration. You could probably just as easily listen for blur on form fields and be even more dangerous.

codedokode8y ago

I never install browser extensions because it is difficult to check what they are doing and many of them require access to all sites. Users should check who wrote the extension and whether they trust the author.

thereIsCon8y ago

That's why I login into my bank or other important accounts in incongnito mode, where, I make sure extensions stay disabled.

paulpauper8y ago

Does not work for blockchain.info but does for reddit, hackernews, and facebook

j / k navigate · click thread line to collapse

40 comments

mikeecb8y ago

https://cypher.codes/writing/intercepting-suspicious-chrome-...

- Note: my project specifically tries to protect users from Facebook hijacking and ad injection attacks - the two most common attacks on the CWS!

bert_8y ago

Thanks for this! (Also, you have the coolest last name)

throwaway2016a8y ago

Related story...

Most of our competitors just sent every URL you visited to their server. We wanted to be better than that since that is an obvious privacy issue.

Had the added benefit of reducing our server load too.

The server still gets a list of every page you visit on eCommerce sites but better than on all sites.

JoshMnem8y ago

Which extensions send every URL you visit to remote servers?

throwaway2016a8y ago

Too many

1 more reply

fenwick678y ago

Not sure what the fuss is here, the permission is literally called "Read and change all your data on the websites that you visit". It should be obvious what it can do.

dmalvarado8y ago

Footnote: I can't visit the page. Blocked by corporate.

tyingq8y ago

Since extensions can inject arbitrary js, there isn't really a way to be that granular.

You could, for example, exfiltrate data by injecting an image tag with some extra url parameters on the url. Doesn't have to be xhr or websockets.

1 more reply

blibble8y ago

it's more the automatic silent updating that's the problem

people sell their high value extensions, then the new owners load them full of malware

chrome doesn't let you turn the updating off... I have previously resorted to removing update URL from the extension manifest manually...

siegecraft8y ago

Yes, this is the major issue. Authors also can sell their extension, then re-publish their own non-malwared version as an alternative, then just keep doing it over and over again.

wheelerwj8y ago

mrolla8y ago

wheelerwj8y ago

most people who understand sandboxing would sooner assume that its bad copy text rather than believe google would allow literally anything anywhere.

1 more reply

paulpauper8y ago

Read is not the same as send to external server. this is a big deal. it makes phishing incredibly easy and impossible to detect.

The ability of extensions to log form data to external servers allows for massive potential abuse. Not sure why Google would allow it. I imagine millions of logins have been stolen this way.

thinkcontext8y ago

Most extensions of any usefulness require these 2 permissions. How else would something like adblocking or a login manager work?

1 more reply

paulpauper8y ago

DougBTX8y ago

Another thing you could do is use incognito mode, which disables extensions by default.

http://www.tomsguide.com/faq/id-2384484/enable-disable-chrom...

paulpauper8y ago

the problem with incognito is that it does not always clear the cookies when you close it

thinkcontext8y ago

Did you report the malicious extension? Its still available from the Chrome store.

AznHisoka8y ago

zulln8y ago

"Chrome Extensions - AKA Total Absence of Privacy" Detectify's blog post about the subject, mentions Similar web as well.

https://labs.detectify.com/2015/11/19/chrome-extensions-aka-...

whiskeySix8y ago

So malware. You wrote some malware.

vesrah8y ago

I think you mean development tool.

myinitialsaretk8y ago

Great demonstration. You could probably just as easily listen for blur on form fields and be even more dangerous.

codedokode8y ago

thereIsCon8y ago

That's why I login into my bank or other important accounts in incongnito mode, where, I make sure extensions stay disabled.

paulpauper8y ago

Does not work for blockchain.info but does for reddit, hackernews, and facebook

j / k navigate · click thread line to collapse