Security researchers recently detected four malicious extensions for the Google Chrome browser. Before the takedown, the extensions had attracted some half a million active users.
The extensions were identified by analytics firm ICEBRG as Change HTTP Request Header, Lite Bookmark, Stickies, and Nyoogle. ICEBRG said the four were likely used in a click-fraud operation whose clear purpose was generating revenue.
ICEBRG has notified Google and other stakeholders, and as of this writing, Change HTTP Request Header, Lite Bookmark, and Stickies have been removed from the Chrome Web Store. Nyoogle remains available for download, and Google has yet to issue a statement on the apparent oversight.
Chrome A Natural Target Of Malware Attacks
Google Chrome dominates global web browser usage, which makes it a default favorite target of cyberattacks. While the browser is known for its vaunted security features, chiefly its security sandbox and quick deployment of vulnerability patches, malware authors always seem to find an ingenious workaround to crack the protective shell Google has put up.
It appears threat actors are exploiting holes in the Chrome Web Store to get past the security controls Google has implemented in its browser. Their latest weapon, it turns out, is a weaponized browser extension.
The tactic is quite effective, according to ICEBRG, because malware authors take advantage of the seemingly robust system that governs browser extensions on the Chrome Web Store.
"In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks," the security firm said in its comprehensive report.
The threat implications are high for average consumers and enterprise users alike, ICEBRG warned.
Exploiting The Hole
To highlight the seriousness of the threat, which in theory exposed the systems of some 500,000 Chrome users, the security firm offered a brief description of how the weaponized extension works.
"By design, Chrome's JavaScript engine evaluates (executes) JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP)," ICEBRG said.
"When an extension does enable the 'unsafe-eval' permission to perform such actions, it may retrieve and process JSON from an externally controlled server. This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request."
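A defender-side check for the condition ICEBRG describes, added here as an example and not code from the report or from the extensions themselves: it reads an extension's manifest, pulls out the content_security_policy (the Manifest V2 string form or the Manifest V3 extension_pages form), and flags a script-src that allows 'unsafe-eval' or any remote script source. The manifests below are constructed, and updates.example is a placeholder host.

```javascript
// Added example (not ICEBRG's code): audit an extension manifest for the CSP
// weakness described above. The sample manifests are constructed, not real ones.

// Return the policy string governing the extension's own pages.
// Manifest V2 stores it as a string; Manifest V3 nests it under extension_pages.
function extensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages;
  return null; // no policy declared: Chrome applies its default, which forbids eval
}

// Parse "directive src ...; directive src ..." into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Report the two conditions the quoted passage describes: script-src relaxed
// with 'unsafe-eval', and a remote origin permitted as a script source.
function auditManifest(manifest) {
  const findings = [];
  const policy = extensionCsp(manifest);
  if (policy === null) return findings;
  const csp = parseCsp(policy);
  const scriptSrc = csp['script-src'] || csp['default-src'] || [];
  if (scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': fetched data can be executed as code");
  }
  for (const src of scriptSrc) {
    // Quoted keywords ('self', 'none', nonces, hashes) and the extension's own
    // scheme are local; anything else lets script load from outside the package.
    if (!src.startsWith("'") && !src.startsWith('chrome-extension:')) {
      findings.push(`script-src permits scripts from remote source ${src}`);
    }
  }
  return findings;
}

// Constructed manifests: the weak policy beside its hardened form.
const WEAK_MANIFEST = { manifest_version: 2, content_security_policy: "script-src 'self' 'unsafe-eval' https://updates.example; object-src 'self'" };
const HARDENED_MANIFEST = { manifest_version: 2, content_security_policy: "script-src 'self'; object-src 'self'" };

console.log(auditManifest(WEAK_MANIFEST));     // two findings
console.log(auditManifest(HARDENED_MANIFEST)); // []
```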
The latest incident should convince Google Chrome users to keep a safe distance from browser extensions, particularly those from third-party providers, whether or not Google's web security processes have vetted them.