Hacker News new | ask | show | jobs
by rckoepke 1170 days ago
Chrome has a browser extension API which allows plugins to access all cookies, but its use is considered suspicious and a red flag; an extension which uses it would generally get caught during initial review. However, Chrome extensions are also allowed to “hotload” portions of their own code/scripts from external 3rd party servers.

So an extension will seem benign when it initially gets checked by Google as part of becoming part of its submission to the Chrome Store. Then, later, the external “3rd party” script that is hosted remotely will get replaced with a different, malicious script. The malicious extension carries on stealing cookies, credentials, and fingerprints until someone reverse engineers it and reports it to Google.

Google will not always recognize the issue immediately because the 3rd-party malicious code is not strictly “part of” the extension so there’s a bit of a song and dance while the person who reversed it convinces Googles reviewers that “yes, this really is actually malicious, you need to analyze the third party code that loads later” and then Google eventually takes it down after a semi-involved back-and-forth where extensive documentation and video walk-throughs are provided by the exasperated white-hat Good Samaritan.
2 comments
TedDoesntTalk 1170 days ago
Remote loading of code has been banned by Google and Mozilla for several years now. The automated review tools pick up script injection and eval() calls. Unless you can craft something unique, you’re not going to get past the automated review.

I’m guessing the malware is something else besides a browser extension.

link
asddubs 1169 days ago
stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting overwriting an initial innocent function that's later called in a timeout with a string, it can get fairly indirect

    let harmless = { func : function() { }, harmlessExternallyLoadedString : '' };
    let toAccess = 'func';
    //do stuff that seems legit
    if(true) {
        let toAccess = 'harmlessExternallyLoadedString';
    }
    harmless[toAccess] = 'alert(1);'; //imagine this being a fetch request
    //later on
    setTimeout(harmless.func, 1);
now imagine the logic for what othervar is set to is obfuscated a bit by a more complex logic tree, and the example was a bit less contrived.
link
LelouBil 1170 days ago
Seems like you speak from experience.

Do you have any specifics to share ?

link