http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
tldr; Webpages
can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup - trick to detect addons you have installed.
While all of us are used to http / https URI
Schemes, current web applications sometimes use other schemes including:
TOUGH QUESTIONS
Throughout the years, there have always been questions on how documents from these schemes are supposed to be isolated from each other (think of it like a 2nd order Same Origin Policy). Typical questions include:
- Can XMLHttpRequest from http:// document load a file:// URL? And the other way around?
- Can document from https:// load script from http://? Should we display SSL warning then?
- Can http:// document have an iframe with view-source: src?
- Can data: URI access the DOM of the calling http:// document?
- Can file:// URL access a file:// from upper directory (it's not
so obvious)
- What about:blank?
- How to handle 30x redirections to each of those schemes?
- What about passing Referer header across schemes?
- Can I window.open() across schemes? Would window.postMessage() work?
- and many, many more issues
In general, all this questions come down to:
- How should we isolate the schemes from each other?
- What information is allowed to leak between scheme boundaries?
Every single decision that has been made by browser vendors (or standard bodies) in those cases has consequences to security. There are differences in implementation, some of them very subtle.
And there are subtle vulnerabilities. Let me present
one example of such vulnerability.
MEET CHROME-EXTENSION://
Google Chrome addons are packaged pieces of HTML(5) + Javascript applications. They may:
- add buttons to the interface
- launch background tasks
- interact with pages you browse
- ...
All extension resources are loaded from dedicated chrome-extension:// URLs . Each extension has a global unique identifier. For example,
chrome-extension://oadboiipflhobonjjffjbfekfjcgkhco/help.html is URL representing
help.html page from
Google
Chrome to Phone (you can try it, if you have this extension enabled).
Extension
interact with web pages that you visit and have access to their DOM, but the Javascript execution
context is separated (they cannot call each other Javascript code - and for a good reason).
However even in this separation model there is still place for page <-> addon cooperation. Malicious HTTP pages might interact with addons in various ways. One simple example is addon enumeration.
FINDING YOUR ADDONS ONE BY ONE
With a little Javascript code I can easily test if you're using a certain Chrome addon. Give me a
list of
most popular extensions and I'll test all of them in milliseconds. Why would I want that as an attacker?
- to fingerprint your browser (ad networks love this)
- to start attack against a certain known vulnerable addon (wait for the next post for this ;) )
See demo of
Chrome addons fingerprinting. (src
here)
HOW?
The trick is dead simple:
|
1
2
3
4
5
6
7
8
|
var
detect = function(base,
if_installed, if_not_installed) {
var
s = document.createElement('script');
s.onerror
= if_not_installed;
s.onload
= if_installed;
document.body.appendChild(s);
s.src
= base + '/manifest.json';
}
detect('chrome-extension://'
+ addon_id_youre_after, function()
{alert('boom!');});
|
Every addon has a
manifest.json file. In
http[s]:// page you can try to load a script cross-scheme from
chrome-extension:// URL,
in this case - the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and
onload event will fire. If not -
onerror event
is there for you.
Update: TIL the technique was already
published by
@albinowax.
Cool!
This is just one simple example of punching the separation layer between addons and webpages. There are more coming. Stay tuned.
