Friday, July 9, 2010
Stealing login details with a Google Chrome extension
In this post I will demonstrate a proof of concept of how an attacker can steal usernames and passwords via a Google Chrome Extension.


The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

By allowing access to the DOM, an attacker can thus read form fields...including username and password fields. This is what sparked my idea of creating this PoC.



The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally as to avoid detection.

This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.

http://blog.dreasgrech.com/2010/07/s...th-google.html

Yeah, never gonna be patched though, too limiting. This is why Chrome warns you about what sites the extension wants permission to.
After all, the one unpatchable security hole is human stupidity.

I assume that extensions that are on the official Google site are vetted and that the concern/PoC is relevant to unofficial extensions, that is, if the screeners at Google do a good job.

I don't know whether what I'm asking makes sense but here goes... Since javascript and html are relatively easy to look at, can there be a sort of parser for idiots that could look at a script or html code and summarise the activity even in broad terms.

Waha wrote:

This is why Chrome warns you about what sites the extension wants permission to

From the few extensions I used, it appears that the warning is very general to the effect that the extension requires total access to your computer. That causes a lot of people to freak out!

(I guess even ordinary users with a little experience can spot a dodgy url if they know where to look in the unzipped extension.)

in edit:
I just looked that the code provided in the OP's message and I have a newbie question:
nowhere in the code is the author's e-mail address mentioned, even fictionally. The closest that one gets is "SendMail". So how can the browser convey our details to the author?

I assume that extensions that are on the official Google site are vetted and that the concern/PoC is relevant to unofficial extensions, that is, if the screeners at Google do a good job.

From my understanding they only actually review things that use the file:// protocol or a plugin, other stuff just gets put on straight away.

I don't know whether what I'm asking makes sense but here goes... Since javascript and html are relatively easy to look at, can there be a sort of parser for idiots that could look at a script or html code and summarise the activity even in broad terms.

This would take a huge amount of work trying to cater for all the different ways this could be done and a nasty could hide their activities as well if there was such a thing. Youd basically need an antivirus like thing and it would take alot to do.

From the few extensions I used, it appears that the warning is very general to the effect that the extension requires total access to your computer. That causes a lot of people to freak out!

Yeah, you either freak out and dont install it or you just get so used to it you end up saying yes to everything.
The best defense you have against this sort of thing is other users and the comment section of the extension page. There would be alot of users like me that look at the code of almost everything they install. I look at code for something to do and if I noticed something odd like sending an ajax when it didnt need to Id post a comment and so would others. One of the big reasons I love chrome so much is because of how easy their extension system is, unlike firefox which can confuse the hell out of me chromes extensions are easy to read.
in edit:

I just looked that the code provided in the OP's message and I have a newbie question:
nowhere in the code is the author's e-mail address mentioned, even fictionally. The closest that one gets is "SendMail". So how can the browser convey our details to the author?

The SendMail sends the information to a server that then sends an email to him.

Originally Posted by PAEz

...The best defense you have against this sort of thing is other users and the comment section of the extension page...

That is true and the easiest for us end-users.

Personally prior to this proof of concept of what i have posted, i just find that google chrome browser shall has a master password manager just like firefox.I dislike google chorum lacking of this security feature.Indeed installing a proper extension has been never been an easy just as firefox has even reported their own addon got a trojan in which they has missed.

http://www.zdnet.com/blog/hardware/u...ojan-code/7171

The best security is zero extension / addon.

The best security is zero extension / addon.

Which is why chrome has incognito mode and extensions are not enabled in this mode by default. If you want an extension to run in incognito mode you have to explicitly enable it too on the extensions page.
So the utterly paranoid are still best off in Chrome.

chrome still could give a seperate set of permissions, to record, the name, and password fields, along with certain other fields (creditcard cough), or even prompt when the reading of secure happens (allowing chrome to stop the extension in its tracks, or allow it to carry on)

chrome still could give a seperate set of permissions, to record, the name, and password fields, along with certain other fields (creditcard cough

Name and credit card might be a hassle, but password elements are distinct and so they could do a permission for that for sure....would make sense....plus maybe restrict the reading of input elements on https pages

Apparently, something similar has been yanked from the official Mozilla site:
http://blog.mozilla.com/addons/2010/...-announcement/
The actual author of the PoC in the original post in this thread has appended a comment on that blog.