Several weeks ago, no security researcher managed to crack Google's Chrome OS at CanSecWest Pwnium3 in Vancouver, even though the deadline was extended from 2pm to 5pm at the researchers' request. Unfortunately, the Chrome browser was compromised by MWR Labs at Pwn2Own 2013, which was sponsored by HP and Google. This contest proves that Google Chrome was vulnerable.
The following is our analysis of Chrome browser security:
The Chrome browser was developed by Google and is now one of the most popular web browsers in the world. It integrates Google Search, YouTube and many proprietary Google services. For personalization, the Chrome Web Store provides abundant extensions that modify and enhance the functionality of the Chrome browser.
Extensions are small software programs that bundle all their files (manifest.json, images, JS, CSS...) into a single file that the user downloads and installs. This bundling means that, unlike ordinary web apps, extensions don't need to depend on content from the web.
manifest.json provides important information, including the name, description, version, language and permissions.
The following code shows the supported manifest fields. (http://developer.chrome.com/extensions/manifest.html )
The only fields that are always required are name and version. Here we take content_scripts, permissions and update_url as examples and explain their attributes and functions:
update_url: Sets the URL used for update checking.
permissions: To use most chrome.* APIs and extension capabilities, your extension must declare its intent in the manifest, often in the "permissions" field. For example, Google Mail Checker must have the following 2 permissions:
1. access your data on *google.com
2. access your tabs and browsing activity
A user might see a permission request dialog when installing an extension. If the permissions are improperly assigned and content_scripts include malicious code, the extension can do anything to your system.
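As an added example (not from the original post or from Google), the following Python script audits a manifest.json for the fields discussed above: it flags sensitive API permissions, host permissions and content scripts that cover every site, and an update_url that does not point to the Chrome Web Store. The sensitive-permission list, the function names and both sample manifests are assumptions constructed for illustration.

```python
import json

# Chrome Web Store update endpoint; any other update_url means self-hosted updates.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# API permissions exposing browsing activity or sessions (short, non-exhaustive list).
SENSITIVE_APIS = {"tabs", "cookies", "history", "webRequest", "management"}

def is_broad_pattern(pattern):
    """True when a match pattern covers every host, e.g. <all_urls> or http://*/*."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"

def audit_manifest(text):
    """Return review findings for one manifest.json supplied as a string."""
    manifest = json.loads(text)
    findings = ["missing required field: " + f for f in ("name", "version") if f not in manifest]
    for perm in manifest.get("permissions", []):
        if not isinstance(perm, str):
            continue
        if perm in SENSITIVE_APIS:
            findings.append("sensitive API permission: " + perm)
        elif is_broad_pattern(perm):
            findings.append("host permission covers all sites: " + perm)
    for script in manifest.get("content_scripts", []):
        if any(is_broad_pattern(m) for m in script.get("matches", [])):
            files = ", ".join(script.get("js", []))
            findings.append("content script injected into all sites: " + files)
    update_url = manifest.get("update_url")
    if update_url and update_url != WEBSTORE_UPDATE_URL:
        findings.append("update_url is not the Chrome Web Store: " + update_url)
    return findings

# Constructed sample manifests (not taken from any real extension).
SUSPECT = json.dumps({
    "name": "Free Theme Pack", "version": "1.0",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["theme.js"]}],
    "update_url": "http://updates.example.invalid/crx.xml",
})
MAIL_CHECKER_LIKE = json.dumps({
    "name": "Mail checker (sample)", "version": "4.4",
    "permissions": ["tabs", "https://*.google.com/*"],
    "update_url": WEBSTORE_UPDATE_URL,
})

if __name__ == "__main__":
    print(audit_manifest(SUSPECT), audit_manifest(MAIL_CHECKER_LIKE))
```

A finding is a prompt for review, not a verdict: the mail-checker sample is still flagged for `tabs`, which matches the "access your tabs and browsing activity" prompt described above.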
Chrome has supported extensions since version 4.0. Extensions are easy to develop, but also easy to exploit. Older versions of Google Chrome allowed related extensions to be set up automatically when a Windows application was installed, which made it easy to install malicious extensions on a victim's system without the user's permission.
For this reason, Google Chrome has enhanced extension management since version 25.0. Only extensions from the Chrome Web Store are available, and there is no more automatic installation. Every extension must be approved by the user before installation. However, there can be no assurance that all extensions in the Chrome Web Store are secure.
On Facebook, the attacker pretends to be the victim's friend and shares attractive themes to lure victims into clicking the hyperlink and installing a malicious extension. The victim's account then posts many malicious links to his friends, so the malicious extensions keep spreading through victims' curiosity. The victim mistakenly believes that his account was stolen and changes the password, but this does not help. The victim has to remove the malicious extension from the Chrome browser.
For a more detailed scenario, please refer to our previous post:
Web browser plug-ins are additional pieces of software that add extra capabilities to your web browser, such as the ability to view movies, run Java applets, or see Flash animations. Unfortunately, since plug-ins run with all the privileges of real applications, they can do absolutely anything to your computer. In the past year, many 0-day vulnerabilities were reported in Java, and many security experts strongly recommend disabling it.
As the above analysis shows, extensions and plug-ins are two vulnerable points in the Chrome browser. To make Chrome more secure, the Chrome Web Store should inspect all extensions strictly. Moreover, we would like to remind our customers:
1. Do not install any extensions from untrusted sources.
2. Check whether the permission request looks normal when installing an extension.
3. Avoid installing unnecessary plug-ins as far as possible. If you have any plug-ins installed, keep them up to date.
Following up on our previous post, we have found some malicious extensions in the Chrome browser that turn Likes into real results on Facebook.
Once you click the malicious links embedded in spam mail, messages or any hyperlinks and download the extension, the malware monitors your browser activity. If you are logged into Facebook with the Chrome browser, it will GET hxxp://goo.gl/iiWeL? (also hxxp://fastotolike.com/yeni.php!)
The content of son.js in the extension is as follows:
There are two functions, abone and sayfa2, in "hxxp://fastotolike.com/yeni.php"; the partial content is shown below:
The function abone tracks someone:
The function sayfa2 turns Likes for someone:
Why does the malware turn Likes on Facebook? As we know, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200", a security researcher said. Yes, for the money, obviously.
To keep your internet browsing secure and prevent malicious connections, we urge our customers to keep their WebGuard signatures up to date.
An Indian security researcher, Shubham Upadhyay aka Cyb3R_Shubh4M, reported a new permanent XSS affecting the product listings on eBay.com.
AegisLab also tested it again immediately; so far, this vulnerability is still unfixed!!
Here is the page with XSS injection code:
For this flaw, you need an eBay seller account: log in to your account on eBay and create a listing for sale, then put XSS code into the HTML.
News of XSS vulnerabilities is nothing new, but they are still dangerous. What are the threats of XSS? Everything from account hijacking, shopping, payment, changing of user settings, cookie theft/poisoning, or false advertising is possible.