Chrome and Extension
- Chrome is the gateway for interacting with the Internet.
- People trust their browser, Extended Validation SSL, their bank's website, Windows, Mac, their ISP… but a third-party extension can do many dangerous things without any notice to the user.
- A hacker could control all of a user's behaviour using just an extension.
Ultimate permission of Extension.
- Look at this permission, is it dangerous?
- An extension with this permission can see what the user sees, learn what the user types, and create a completely fake web page. This is called a JavaScript injection attack.
Demonstration
- An online banking service with SMS OTP verification for online money transfer.
- A simple POC written in JavaScript and injected via a Chrome extension.
- Fake fields are inserted into the HTML; the real input fields, filled with the hacker's account number, are hidden.
- The SMS OTP is bypassed because the SMS content does not include the destination account.
- The OTP was used for another transaction.
Recommendation?
Users:
- If you don't know anything, don't install any plugin/extension, or any software that installs an extension.
- If you are an advanced user, use the browser's incognito mode or another browser with no plugins enabled for bank transactions. We can trust no one in the Chrome Extension Web Store.
Bank:
- Add destination account to the OTP.
- OTP token hardware with transaction signing
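
A sketch of the "add destination account to the OTP" recommendation, as an added example (not code from the original post or from any bank). The code is stored against one transfer, the SMS names the destination the server actually received, and the code works once only. The class name, SMS wording and account numbers are constructed for illustration.

```python
import hmac
import secrets


class TransferOtpService:
    """Issues one-time codes that are valid for exactly one stored transfer."""

    def __init__(self):
        self._pending = {}  # txn_id -> {"otp", "dest", "amount_cents"}

    def issue(self, dest_account: str, amount_cents: int):
        """Record the transfer as the server received it and build the SMS text."""
        txn_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[txn_id] = {
            "otp": otp, "dest": dest_account, "amount_cents": amount_cents,
        }
        # The SMS shows the destination the server saw, not what the page displayed,
        # so a swapped account number becomes visible on a channel the page cannot edit.
        sms = (f"Code {otp}: transfer {amount_cents / 100:.2f} "
               f"to account {dest_account}. Do not enter it if the account is wrong.")
        return txn_id, otp, sms

    def confirm(self, txn_id: str, otp: str, dest_account: str, amount_cents: int) -> bool:
        """Accept the code only for the stored transfer, and only once."""
        # pop() removes the entry on the first attempt, right or wrong (single use).
        txn = self._pending.pop(txn_id, None)
        if txn is None:
            return False
        same_transfer = (txn["dest"] == dest_account
                         and txn["amount_cents"] == amount_cents)
        # Constant-time comparison of the submitted code with the stored one.
        return same_transfer and hmac.compare_digest(txn["otp"], otp)


if __name__ == "__main__":
    svc = TransferOtpService()
    # Constructed values: the server received this destination in the form post.
    txn_id, otp, sms = svc.issue("9990001111", 50000)
    print(sms)
    # A code issued for one transfer is refused for a different destination.
    print(svc.confirm(txn_id, otp, "1234567890", 50000))
```

The binding only helps if the user reads the account number in the SMS before typing the code.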
Google Chrome:
- More secure permission system.
- Ask permission to edit HTML content for each website.