Chrome is the gateway for interacting with the Internet.
People trust their browser, Extended Validation SSL, their bank's website, Windows, Mac, their ISP… but a third-party extension can do many dangerous things without any notice to the user.
A hacker could control everything the user does using just an extension.
The ultimate extension permission.
Look at this permission. Is it dangerous?
With this permission, an extension could see what the user is seeing, know what the user is entering… and create a completely fake webpage. This is called a JavaScript injection attack.
Demonstration
An online banking service with SMS OTP verification for online money transfers.
A simple PoC using JavaScript, injected via a Chrome extension.
Fake fields are inserted into the HTML; the real input fields, filled with the hacker's account number, are hidden.
The SMS OTP is bypassed because the SMS content contains no destination account.
The OTP was used for another transaction.
Recommendation?
Users:
If you don't know anything: don't install any plugin/extension, or any software that installs an extension.
If you are an advanced user, use the browser's incognito mode, or another browser with no plugins enabled, for bank transactions. We can trust no one in the Chrome Extension Web Store.
Bank:
Add the destination account to the OTP.
Hardware OTP tokens with transaction signing.
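One way a bank could bind the OTP to the destination account, as recommended above. This is an added example, not code from the original post; the function names, key handling and SMS wording are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would keep this in an HSM or secret store.
SERVER_KEY = secrets.token_bytes(32)


def _otp(key: bytes, nonce: bytes, dest_account: str, amount_cents: int) -> str:
    """Derive a 6-digit code from an HMAC over the transaction details."""
    # Length-prefix each field so ("12", "34") and ("123", "4") cannot collide.
    fields = [nonce, dest_account.encode(), str(amount_cents).encode()]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226).
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def issue_otp(dest_account: str, amount_cents: int, key: bytes = SERVER_KEY):
    """Return (nonce, sms_text) for the transfer the server actually received."""
    # The nonce is stored server-side with the pending transfer and used once.
    nonce = secrets.token_bytes(16)
    otp = _otp(key, nonce, dest_account, amount_cents)
    # The SMS names the destination, so the user can compare it with the
    # account they meant to pay, on a channel the extension cannot rewrite.
    sms = (f"Transfer {amount_cents / 100:.2f} to account {dest_account}. "
           f"OTP: {otp}. Do not enter it if this is not the account you chose.")
    return nonce, sms


def verify_otp(nonce: bytes, dest_account: str, amount_cents: int, otp: str,
               key: bytes = SERVER_KEY) -> bool:
    """Accept the code only for the exact destination and amount it was issued for."""
    expected = _otp(key, nonce, dest_account, amount_cents)
    return hmac.compare_digest(expected, otp)
```

If the hidden fields carry a different account than the one the user typed, the SMS shows that different account, and the code cannot be reused for a transfer to any other destination or amount.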
Google Chrome:
A more secure permission system.
Ask for permission to edit HTML content on each website.