this browser hack can steal everything

Breaking down this insane Polymorphic Browser Extension hack

In this video I walk through a demo of a sophisticated technique involving polymorphic browser extensions. It highlights the risk posed by browser extensions with extensive permissions: a malicious extension can masquerade as a legitimate one, such as 1Password, to steal sensitive information.

00:00 Introduction to a Jaw-Dropping Hacking Demo
00:42 Understanding Polymorphic Extensions
02:04 Phases of the Attack
03:40 Live Demo of the Attack
06:36 Personal History and Early Research
10:09 Real-World Examples and Implications
12:46 Security Recommendations and Conclusion


ABOUT ME
In case we haven’t met yet, I’m your friendly neighborhood security guy 👋 I'm a computer security veteran who has helped defend startups, the biggest financial companies in the world, and everything in between. Through my podcast, free newsletter, and YouTube channel, I bring you curated cyber security news and personal and professional growth with a mental health cherry on top.
Comments

I work at a school district and teachers complain about why we don't let them install certain extensions or why they're blocked; this video explains it perfectly 😅

natanaelconcha

I can honestly say, while I'm glad I found this video and watched it to the end, I am exhausted at the lengths we, the average person, must go through just to have peace of mind when online. I'm at a point where I genuinely do not want to think about it anymore, but I KNOW I can't afford to.

ortytoon

Moral of the story: know what the Chrome management API is and *never* install an extension that needs it. Thanks for letting us know about this.

DogeDelivers

I am the developer of the extension you saw in the article. TBH I was surprised to see how problematic and undefined the permission scope in the manifest is. I needed only the management permission to turn off the original extension from the pinned bar. Otherwise, only scripting is required to inject the logout alarm, that's it. It's MV3 and there isn't any industry-level runtime analysis engine; most of them are response-based.

CEBARPITGUPTA

Part of the problem is Chrome (and all other browsers I've used extensions with) don't actually give the user full control. They ask for permission ONCE and then give the extension carte blanche. The user can't deny any single permission request they don't want; it's all or nothing. Same thing on phones for the most part. And this kind of paradigm is key to attacks like this, removing user control and conditioning them to just approve out of hand because otherwise the extension doesn't work. Imagine a world where extensions had to play by the user's rules, where you could deny permission to read your tabs unless you expressly give permission on a case-by-case basis, or deny permission to read bookmarks, location, etc. It's not a silver bullet, but it would certainly make things better for users and just a wee bit more cumbersome (error-handling wise) for devs.
I believe one of those good security practices is about giving a service, app, user, etc. the absolute minimum required permissions and requiring elevation only when absolutely necessary, e.g. you don't cruise a Linux system as root.

sanctionedforce
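The three comments above (know what the management API is, the developer's note that the attack only needed `management` plus `scripting`, and the all-or-nothing permission model) all come down to reading an extension's manifest before installing it. The following is an added example, not code from the video or from the extension its developer describes: a small Node.js audit of a Chrome extension manifest that flags those permissions, treats `optional_permissions` (which Chrome only grants after a runtime prompt) as lower risk, and calls out the `management` + page-injection combination specifically. The risk classes, their wording and the sample manifest are the reviewer's own constructions, and the sample extension name is a placeholder.

```javascript
'use strict';

// Added example (not from the video or any real extension): audit a Chrome
// extension manifest for the permissions discussed above. Risk classes and
// descriptions are the reviewer's own; adjust them to your threat model.

// API permissions worth a second look, with the reason they matter.
const API_RISK = new Map([
  ['management', ['high', 'enumerate, disable or uninstall other extensions (what a polymorphic swap needs)']],
  ['scripting', ['high', 'inject script and CSS into pages the extension has host access to']],
  ['debugger', ['high', 'drive tabs through the DevTools protocol']],
  ['webRequest', ['high', 'observe HTTP(S) traffic of visited sites']],
  ['cookies', ['high', 'read and write cookies, including session tokens']],
  ['nativeMessaging', ['high', 'exchange messages with native programs outside the browser']],
  ['tabs', ['medium', 'read the URL and title of every open tab']],
  ['history', ['medium', 'read browsing history']],
  ['clipboardRead', ['medium', 'read the clipboard']],
]);

// Host patterns that grant access to every origin.
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;
const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };

function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// Optional permissions need a runtime prompt, so they rate one step lower.
function downgrade(severity) {
  return severity === 'high' ? 'medium' : 'low';
}

function auditManifest(manifest) {
  const findings = [];
  const mv3 = manifest.manifest_version === 3;
  const required = manifest.permissions || [];
  const optional = manifest.optional_permissions || [];
  // MV2 mixes host patterns into `permissions`; MV3 moved them to `host_permissions`.
  const hosts = mv3 ? (manifest.host_permissions || []) : required.filter(isHostPattern);
  const optionalHosts = mv3 ? (manifest.optional_host_permissions || []) : optional.filter(isHostPattern);

  const addApi = (perm, optionalGrant) => {
    if (!API_RISK.has(perm)) return;
    const [severity, why] = API_RISK.get(perm);
    findings.push({ severity: optionalGrant ? downgrade(severity) : severity, item: perm, why, optional: optionalGrant });
  };
  required.forEach((p) => addApi(p, false));
  optional.forEach((p) => addApi(p, true));

  const addHost = (pattern, source, optionalGrant) => {
    if (!BROAD_HOST.test(pattern)) return;
    findings.push({ severity: optionalGrant ? 'medium' : 'high', item: `${source}:${pattern}`, why: 'site access to every origin', optional: optionalGrant });
  };
  hosts.forEach((h) => addHost(h, 'host_permissions', false));
  optionalHosts.forEach((h) => addHost(h, 'optional_host_permissions', true));
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) addHost(m, 'content_scripts', false);
  }

  // The combination the developer comment describes: `management` to switch the
  // real extension off, plus a way to paint a fake prompt into the page.
  const canInject = required.includes('scripting') || findings.some((f) => f.item.startsWith('content_scripts:'));
  if (required.includes('management') && canInject) {
    findings.push({ severity: 'critical', item: 'management + page injection', why: 'can disable another extension and impersonate it in the page', optional: false });
  }

  findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
  return findings;
}

function worstSeverity(findings) {
  return findings.length ? findings[0].severity : 'none';
}

// Constructed sample: an MV3 manifest shaped like the one the developer comment
// describes (management + scripting + broad host access). Names are placeholders.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example Helper',
  version: '1.0',
  permissions: ['management', 'scripting', 'storage', 'alarms'],
  optional_permissions: ['tabs'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'bg.js' },
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditManifest(SAMPLE_MANIFEST);
  console.log(`worst: ${worstSeverity(findings)}`);
  for (const f of findings) {
    console.log(`[${f.severity}] ${f.item}${f.optional ? ' (optional)' : ''}: ${f.why}`);
  }
}
```

Run it with `node audit.js` after pasting a real manifest in place of the sample (unpacked extensions keep `manifest.json` in the extension directory under the Chrome profile). Anything rated `critical` or `high` deserves the question "why does this extension need that?", and the answer for a shopping or productivity add-on is almost never `management`.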

Also, an app/extension being removed from the store doesn't necessarily ensure that it's removed from a user's device or browser installation.

slycordinator

This is exactly why I keep all my passwords in a list written in sharpie marker on my arms and face.

ZerosAndTwos

When you pin your extensions, you can right-click on the icon -> Manage extension -> Site access and set it to specific sites or to be active on click. This can be done from the extensions page as well, but I assume most people will pin their interactive extensions. Works well for crypto wallet extensions and such. It's just a bit of extra control, especially since most of them have access to read all site data and maybe you don't need extension X to be active when you're on site Y.

jxggxr_dxv

Well now I have new nightmare fuel to process and will remove everything that isn’t needed from my browsers. That was a really horrifying yet cool demonstration though. Your recommendations are on point. Thank you for offering solutions and not just saying “Look at this new way to trick people!”.

sarahadkins

I have one extension for my password manager and would NEVER install any other extensions, especially in Chrome browser. The vetting/permissions/approval process of Chrome extensions is a joke.

mvz

I like how the Apple Passwords app does it. Instead of using the password to sign in to the extension, it lets the app generate a 6-digit one-time password that you type into the extension.

lukchem

This is an excellent report! I'm glad I just stumbled upon your channel. One thing you mentioned near the end was not using one browser for everything. I would love it if you would cover recommendations for which browsers to use for what purpose, etc. I do switch browsers every couple of years or so, but it's never occurred to me to use different browsers for different purposes. Anyway, great stuff. Cheers!

thormusique

I've always been worried about this sort of thing, good to know I wasn't paranoid.

jer

I like that you separated your closing key points into take aways for general individual users and those involved in commercial business. ☝️👏

Iron-Bridge

We had a user who kept downloading a malicious extension in his Chrome browser in spite of it being removed by our EDR and being told to stop. He had local admin on his laptop because he'd been given it like 5 years ago, before I implemented the policy to remove local admin from all users. I had the helpdesk take his laptop in the guise of a "refresh"; he complained he was unable to install stuff anymore, but we said it was in policy xxxx, which he had signed and agreed to per our documentation.

eyesofnova
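The site-access tip, the "one password-manager extension and nothing else" stance and the local-admin story above are all things an administrator can enforce centrally instead of per user. What follows is an added example, not code from the video or from any vendor: a Node.js script that builds a Chrome `ExtensionSettings` enterprise policy which allow-lists a few extension IDs, marks known-bad IDs for removal, blocks the `management` API permission for everything, and optionally blocks runtime host access to sensitive sites. The policy keys used (`installation_mode`, `blocked_permissions`, `runtime_blocked_hosts`, `toolbar_pin`, `blocked_install_message`) are documented Chrome policy keys; the extension IDs are placeholders of the right shape, not real extensions, and the `entriesWithManagement` check is deliberately conservative (it reports every installable entry that does not itself block `management`, without assuming how per-ID entries inherit from `*`).

```javascript
'use strict';

// Added example (not from the video): build a Chrome ExtensionSettings policy
// that allow-lists extensions, uninstalls known-bad ones and denies the
// `management` permission everywhere. IDs below are placeholders.

// Chrome extension IDs are 32 characters drawn from the letters a to p.
const EXT_ID = /^[a-p]{32}$/;

function assertId(id) {
  if (!EXT_ID.test(id)) throw new Error(`not a Chrome extension id: ${id}`);
  return id;
}

// allowed: ids or { id, pin } objects; removed: ids to uninstall everywhere;
// blockedPermissions: API permissions no extension may use;
// blockedHosts: host patterns extensions may not touch at runtime (e.g. your IdP).
function buildExtensionSettings({ allowed = [], removed = [], blockedPermissions = ['management'], blockedHosts = [] } = {}) {
  const policy = {
    '*': {
      installation_mode: 'blocked',
      blocked_install_message: 'Extensions are allow-listed by IT; ask for a review.',
      blocked_permissions: [...blockedPermissions],
    },
  };
  if (blockedHosts.length) policy['*'].runtime_blocked_hosts = [...blockedHosts];

  const removedIds = new Set(removed.map(assertId));
  for (const entry of allowed) {
    const id = assertId(typeof entry === 'string' ? entry : entry.id);
    if (removedIds.has(id)) throw new Error(`id both allowed and removed: ${id}`);
    // Per-id entries take precedence over '*', so the permission block is repeated here.
    policy[id] = { installation_mode: 'allowed', blocked_permissions: [...blockedPermissions] };
    if (blockedHosts.length) policy[id].runtime_blocked_hosts = [...blockedHosts];
    // Keep the real password manager pinned so a look-alike cannot take its place.
    if (entry.pin) policy[id].toolbar_pin = 'force_pinned';
  }
  for (const id of removedIds) policy[id] = { installation_mode: 'removed' };
  return policy;
}

// Review helper: which installable entries of a policy do not block `management`?
function entriesWithManagement(policy) {
  return Object.entries(policy)
    .filter(([, s]) => s.installation_mode !== 'blocked' && s.installation_mode !== 'removed')
    .filter(([, s]) => !(s.blocked_permissions || []).includes('management'))
    .map(([id]) => id);
}

// Constructed inputs: placeholder IDs of the correct shape, not real extensions.
const PASSWORD_MANAGER_ID = 'abcdefghijklmnopabcdefghijklmnop';
const KNOWN_BAD_ID = 'ponmlkjihgfedcbaponmlkjihgfedcba';

if (typeof require !== 'undefined' && require.main === module) {
  const policy = buildExtensionSettings({
    allowed: [{ id: PASSWORD_MANAGER_ID, pin: true }],
    removed: [KNOWN_BAD_ID],
    blockedHosts: ['*://login.example.com'],
  });
  console.log(JSON.stringify({ ExtensionSettings: policy }, null, 2));
  console.log('entries that may still use management:', entriesWithManagement(policy));
}
```

The printed object is the whole policy file: on Linux, write it to a file under `/etc/opt/chrome/policies/managed/` and confirm in `chrome://policy` that `ExtensionSettings` shows as applied; on Windows and macOS the same JSON goes into the platform's managed-policy store. With `management` blocked for every entry, the step the developer comment relies on (switching the real extension off) is refused by the browser even if a user with local admin manages to side-load something.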

Earned the sub. Love the layout of this issue, and enjoyed your early research. Points directly to how your mind works -

comaOOO

Great video, and thanks for the info! I've been learning about cybersecurity stuff, and it's both mind-boggling and exhausting how wide the attack surface of your typical user is: games, mods, utility software, open source projects, phishing/scams, now learning about browser extensions... honestly, the more I learn, the less I want to be on my phone/PC...

greatday

I had no idea this was possible. I'm going to uninstall every extension I don't regularly use and trust. Great suggestion on the use of browser profiles! Thank you!

jorjnagz

Holy crap! I actually watched that Chrome OS hacking presentation that you did on the first ChromeOS!
I had no idea that was you? You look so different?
I'm pretty sure this is one of those spooky algorithm things? 'Cause I hadn't watched any of your other content before watching this video?
Seeing you on the clip literally gave me a flashback to sitting at a desk with a dismantled Toshiba Chromebook with a locked boot loader, attempting to chainload TinyCore EFI and looking at schematics about what pin I needed to jump to allow it to boot into a normal EFI shell?
I remember that the inbuilt keyboard and trackpad became disabled in TinyCore and I was researching what hardware address to call in a script before the EFI shell?
Because I could read the SD card slot from the EFI shell command line (no write or execute permissions from the intentionally crippled EFI shell), only the basic commands were executable, but loading EFI shell 2.0 from the command line would execute, and it had a whole stack of modules and fun stuff built in that could enable me to mount an image on the SD card and then boot that instead of Chrome OS?
When I realised the Chromebook was only worth $30 I kind of lost interest in upcycling a huge amount of ex-student Chromebooks?
At the time I had not acquired the skills of bus pirating (a skill I gained later to unlock encrypted devices), so dumping a chip and fingering it in the hex hole and writing back to the chip... That would have been much nicer than the idea of putting a physical switch on the side where the user would always need to press it to interrupt the boot process?
I gave up lol, but I did look at your video and I wondered if there was a way to at least make a genie app that cleanses your Chromebook of bloatware?
The Chromebook is so locked down that your presentation video almost got me wondering if I could code up an extension? I like a challenge, and to me at the time the Chromebook extensions felt somewhat like how the old Gadgets market worked for Windows Gadgets: all the languages, function calls, libraries etc., HTML, CSS, JavaScript etc.
So I was tempted? I had all these exploitable ideas come flooding into my brain, only for my enthusiasm to completely halt when I realised that manifest 2.0 patched all my hacks.

jameshatton

Okay, I subscribed because of the awareness of this malicious extension...

BeruangMadu-cu