Chrome (browser) Extension might hack your bank

Chrome and Extension

  • Chrome is the gateway to interact with the Internet worlds.
  • People trust their browser, Extended Validation SSL, bank’s website, Windows, Mac, ISP… but the third party extension could to many dangerous without any notice to user.
  • Hacker could control everything behave of user just using an extension.

Ultimate permission of Extension.

  • Look at this permission, is it dangerous?Screen Shot 2017-06-24 at 10.19.40 PM
  • Extension could see what user’s seeing, know what user entering… And create a completely fake webpage with this permission.  It’s called Javascript Injection attack.


  • An online banking service with SMS OTP verification for online money transfer.
  • Simple POC using javascript and inject via an Chrome’s extension.

Screen Shot 2017-06-24 at 10.12.41 PM.png

  • Fake fields are inserted into the HTML, real input with hacker’s account number fields are hidden.
  • SMS OTP is by-passed because of no destination account in the SMS content.

  • The OTP was used for another transaction.



  • If you don’t know anything. Don’t install any plugin/extension or software that install a extension.
  • If you are advance user, using web browser incognito mode or anther browser with no plugin enabled for bank transaction. We can trust no-one in the Chrome Extension Web Store.


  • Add destination account to the OTP.
  • OTP token hardware with transaction signing


Google Chrome:

  • More secure permission system.
  • Ask permission to edit HTML content for each website.






Trả lời

Điền thông tin vào ô dưới đây hoặc nhấn vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )

Connecting to %s