DEF CON 32 - Sneaky Extensions The MV3 Escape Artists - Vivek Ramachandran, Shourya Pratap Singh
Summary
TLDR: In this talk, security researchers Vivek Ramachandran and Shourya Pratap Singh from SquareX highlight the hidden dangers of browser extensions. They explore how extensions can be exploited to create backdoors, steal data, and hijack accounts without users noticing. Through live demonstrations, they showcase malicious extension behaviors such as silently intercepting video calls, injecting malicious code, and overriding password managers. The session emphasizes the lack of security checks on extensions, even those from the Chrome Web Store, and the growing threat of supply chain attacks, urging users to be more cautious about the extensions they install.
Takeaways
- 😀 Extensions can be dangerous: Even trusted browser extensions can serve as backdoors for cyber-attacks, allowing attackers to compromise systems, steal data, and exploit vulnerabilities.
- 😀 Users rarely read permissions: Many extensions request broad access (e.g., the `<all_urls>` host permission, shown to users as access to 'all URLs') without users fully understanding the risks of granting such permissions.
- 😀 Manifest V3 is a step forward: The transition to Manifest V3 improves extension security by providing clearer permissions, but vulnerabilities can still exist.
- 😀 Extensions can modify web pages: Malicious content scripts can modify the appearance of web pages, injecting unauthorized content without explicit user consent.
- 😀 Remote code execution is a threat: Extensions can load and execute code from remote servers, bypassing content security policies (CSP) to inject malicious scripts into web pages.
- 😀 Social engineering with extensions: Extensions can impersonate legitimate updates (e.g., fake Zoom updates) to trick users into downloading malicious files.
- 😀 Live video call monitoring: Malicious extensions can silently intercept live video calls on platforms like Google Meet and Zoom, stealing video and audio feeds without any indication to the user.
- 😀 Account hijacking via extensions: Extensions with high privileges can silently log into accounts (e.g., GitHub), making unauthorized changes such as adding collaborators to private repositories.
- 😀 Password manager manipulation: Malicious extensions can interfere with password managers, tricking users into submitting their credentials to fake login pages.
- 😀 Extension vulnerabilities in the Chrome Web Store: Popular extensions with millions of downloads can be hijacked or bought out by attackers, introducing new security risks and supply chain attacks.
Q & A
What is the main focus of the talk?
- The talk focuses on the security risks posed by browser extensions, particularly the ways they can be exploited as backdoors for cyberattacks. It also includes a live demonstration of a malicious extension that intercepts calls on platforms like Google Meet and Zoom.
What is the role of browser extensions in cybersecurity attacks?
- Browser extensions can serve as entry points for attackers to inject malicious code, steal data, or perform unauthorized actions within web pages. Extensions run in the background and can gain access to sensitive information without the user's knowledge.
What is the most dangerous permission commonly requested by extensions?
- The `<all_urls>` host permission (presented to users as access to 'all URLs') is one of the most dangerous, as it allows the extension to read and modify any web page the user visits. This broad access poses significant security risks if misused.
How do content scripts in extensions work?
- Content scripts are JavaScript files that the extension injects into web pages. They are declared in the manifest with URL match patterns, and on every page that matches they can read and modify the page content without any further permission request beyond those patterns.
What are some of the most common vulnerabilities in browser extensions?
- Vulnerabilities include excessive permissions, unmonitored remote code execution, and the ability to bypass security policies like Content Security Policy (CSP). Attackers can exploit these weaknesses to inject malicious scripts or steal data.
How does the manifest file help with extension security?
- The manifest file declares the permissions and host match patterns that an extension requests, which defines what the extension can access. However, if it is configured too broadly, it can still present security risks, especially with permissions like `<all_urls>`.
What is the MV3 version, and how does it improve security?
- MV3 (Manifest Version 3) introduces stricter security measures, such as disallowing dangerous functions like `eval()` and enforcing a content security policy on extension pages. It helps to reduce the risk of remote code execution and improves the overall integrity of the extension environment.
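The manifest-related points above (broad host access, content scripts matching every site, MV3's CSP restrictions) and the supply-chain takeaway (a popular extension changing hands and gaining new permissions in an "update") can both be checked statically from `manifest.json`. The following is an added example written for this summary; it is not code from the talk or from SquareX. It audits a manifest for the risk signals the talk describes and diffs the permission set between two versions of the same extension. The extension names, file names and manifests are constructed for the example, and the severity labels and rule names are the example's own choices.

```javascript
// Added example (not from the talk or SquareX): static audit of a Chrome
// extension manifest.json for the risk signals the talk calls out, plus a
// permission diff between two versions to spot escalation after an "update".

// Match patterns that grant access to every site the user visits.
const BROAD_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*",
]);

// Permissions that let an extension read or change page content, requests,
// cookies or media (example's own list of high-impact API permissions).
const HIGH_IMPACT = new Set([
  "scripting", "debugger", "webRequest", "declarativeNetRequest", "cookies",
  "tabCapture", "nativeMessaging", "proxy", "management",
]);

const isBroad = (pattern) => BROAD_PATTERNS.has(pattern);

// Every host pattern an extension asks for: host_permissions (MV3), hosts
// listed under permissions (MV2 style), and content_scripts match patterns.
function hostPatterns(manifest) {
  const out = new Set();
  for (const p of manifest.host_permissions || []) out.add(p);
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) out.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) out.add(m);
  }
  return [...out];
}

// Returns a list of { severity, rule, detail } findings; empty means clean.
function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push({ severity: "medium", rule: "mv2",
      detail: `manifest_version ${manifest.manifest_version}: MV2 permits eval and remote code that MV3 forbids` });
  }
  const broad = hostPatterns(manifest).filter(isBroad);
  if (broad.length) {
    findings.push({ severity: "high", rule: "broad-hosts",
      detail: `host access to every site: ${broad.join(", ")}` });
  }
  for (const cs of manifest.content_scripts || []) {
    const broadCs = (cs.matches || []).filter(isBroad);
    if (broadCs.length) {
      findings.push({ severity: "high", rule: "content-script-all-sites",
        detail: `${(cs.js || []).join(",")} injected on ${broadCs.join(", ")}` });
    }
  }
  const hi = (manifest.permissions || []).filter((p) => HIGH_IMPACT.has(p));
  if (hi.length) {
    findings.push({ severity: "medium", rule: "high-impact-permissions", detail: hi.join(", ") });
  }
  // CSP: MV2 uses a string, MV3 an object with extension_pages. Flag eval or
  // remote script sources; MV3's default ("script-src 'self'") is what we want.
  const csp = manifest.content_security_policy;
  const cspStr = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/unsafe-eval/.test(cspStr) || /script-src[^;]*https?:/.test(cspStr)) {
    findings.push({ severity: "high", rule: "weak-csp", detail: cspStr });
  }
  return findings;
}

// Permission/host changes between two versions; `escalation` lists the added
// entries that are broad host patterns or high-impact permissions.
function diffPermissions(oldManifest, newManifest) {
  const toSet = (m) => new Set([...(m.permissions || []), ...hostPatterns(m)]);
  const before = toSet(oldManifest);
  const after = toSet(newManifest);
  const added = [...after].filter((p) => !before.has(p));
  const removed = [...before].filter((p) => !after.has(p));
  const escalation = added.filter((p) => isBroad(p) || HIGH_IMPACT.has(p));
  return { added, removed, escalation };
}

// Constructed sample manifests (hypothetical extension, not a real one).
const BENIGN_V1 = {
  manifest_version: 3, name: "Tidy Dark Mode", version: "1.0",
  permissions: ["storage", "activeTab"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["dark.js"] }],
};
// The same extension after a hypothetical takeover: one "update" widens it to
// every site and adds script injection and cookie access.
const HIJACKED_V2 = {
  manifest_version: 3, name: "Tidy Dark Mode", version: "1.1",
  permissions: ["storage", "activeTab", "scripting", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["dark.js", "sync.js"] }],
};
// Constructed MV2 manifest with a relaxed CSP, to show the eval check.
const LEGACY_MV2 = {
  manifest_version: 2, name: "Legacy Helper", version: "0.9",
  permissions: ["tabs", "http://*/*"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

console.log(JSON.stringify(auditManifest(HIJACKED_V2), null, 2));
console.log(JSON.stringify(diffPermissions(BENIGN_V1, HIJACKED_V2), null, 2));
```

Running the audit against the benign v1.0 manifest yields no findings; against the hijacked v1.1 it reports `broad-hosts`, `content-script-all-sites` and `high-impact-permissions`, and the diff shows `<all_urls>`, `scripting` and `cookies` as escalation. This is the kind of check worth running on every extension update before it reaches managed browsers, since the Web Store review the talk describes will not do it for you.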
How can a malicious extension hijack a user's online accounts?
- A malicious extension can use its elevated privileges to silently log in to a user's account, such as a GitHub account, and make unauthorized changes, such as adding collaborators to a private repository. This can happen without the user noticing any suspicious activity.
What are the potential dangers of using browser extensions in video conferencing apps like Google Meet and Zoom?
- Malicious extensions can intercept and capture live video or audio calls on platforms like Google Meet and Zoom, all while remaining undetected by the user. This could allow attackers to monitor and steal sensitive information from meetings.
How do attackers exploit the trust users place in browser extensions?
- Attackers often exploit the trust users place in browser extensions by offering seemingly harmless or useful tools that actually contain hidden malicious functions. Once installed, these extensions can collect data, steal credentials, or even take control of online accounts and sessions.