Postman plugin

Part of my job requires that I spend time learning about these risks to continue to strengthen our detection service as new threats emerge. Our detections are able to catch a large number of these types of attacks.

Exfiltration attacks through extensions are particularly compelling for attackers because they create the following risks:

  • Extensions are capable of targeting and exfiltrating highly-sensitive information (such as credit card numbers, SSNs, session cookies, API keys, usernames, passwords, emails, etc.) through a variety of APIs:
    • HTTP Capture - capturing all requests and responses made by any tab or extension, including headers and bodies, regardless of whether or not the request is TLS encrypted, through Chrome APIs.
    • Form Capture - capturing the final contents of any form before it is submitted to the server, through Event and DOM APIs.
    • Input Capture - capturing keystrokes on any tab through Event APIs.
    • DOM Capture - capturing the HTML content of any tab through DOM APIs.
  • Backdoors can be embedded within an extension that solves a legitimate problem for a targeted high-value audience, such as corporate developers. In fact, the container extension might even have a legitimate need for the permissions that enable malicious behavior.

As we resolved the attack on our network (read about my investigation into malware posing as a Chrome Extension), I thought about how sloppy the attack was and how easily we'd discovered the intrusion. The attack was initiated from a direct IP connection over a nonstandard port with no TLS encryption. In particular, TLS encryption would have slowed our investigation by obscuring the connection between the traffic and the Chrome extension. While the attacker hid their malicious code, it was a half-hearted effort. Their control server was unable to handle the influx of traffic from 25K users, which resulted in frequent retransmission timeouts and widely varying response times. And why go to this effort at all to only steal URLs?

How much damage could a sophisticated attacker with cybersecurity knowledge do? Well, I set off to write my own Chrome malware. I designed my malware with the following components:

  • An always-running background page that handles the following tasks:
    • Event handlers for web requests and responses (such as headers, bodies).
    • Event handlers for IPC messages sent by injected scripts.
    • Injecting a malicious script into every tab.
    • Batching and exfiltrating data through a TLS websocket.
  • A script injected into each tab that performs the following tasks:
    • Batch captured data and transmit it to the background page through IPC.
  • A control server which receives collected data.

In roughly 200 lines of code, and with fewer permissions than the malicious Postman extension, I created an extension that was capable of exfiltrating all of the following data to an external websocket endpoint in real time:

  • All request headers (including cookies, API keys, session IDs, etc.).
  • All request bodies (including API keys, passwords, etc.).
  • All form data (including passwords, emails, etc.).

I also coded a quick web interface for my control server that could display the data in real-time as it was captured by my extension.

Testing

All my credentials were captured by the keystroke logger and the form grabber. Even Google services (such as Gmail) were vulnerable.

Based on these findings, it's clear that Chrome extensions pose a genuinely high security risk.