Last week, a security researcher published a proof-of-concept Chrome extension that turns Chrome browsers into proxy bots, allowing hackers to navigate the web using an infected user’s identity.
The tool, named CursedChrome, was created by security researcher Matthew Bryant, and released on GitHub as an open-source project.
Under the hood, CursedChrome has two different parts — a client-side component (the Chrome extension itself) and a server-side counterpart (a control panel where all CursedChrome bots report).
Image: Matthew Bryant
Once the extension has been installed on a few browsers, the attacker can log into the CursedChrome control panel and establish a connection to each infected host.
The link between the extension and the control panel is a simple WebSocket connection that works as a classic HTTP reverse proxy.
This means that once the attacker has connected to an infected host, they can then navigate the web using the infected browser, and by doing so, hijack logged-in sessions and online identities to access forbidden areas, such as intranets or enterprise apps.
Image: Matthew Bryant
A project like CursedChrome is an attacker’s ideal tool.
This is why the extension’s release has been accompanied by quite a few rumblings from the cyber-security community, who claimed that releasing something like CursedChrome does nothing but lower the barrier to entry for attackers to develop their own malicious CursedChrome versions in the future.
CursedChrome was created as a pen-tester’s tool
However, in an email interview with ZDNet last week, Bryant said this wasn’t his intention at all.
“I open-sourced the code because I want other professional red teamers and pen-testers to be able to accurately simulate the ‘malicious browser-extension’ scenario,” Bryant told us.
By red teamers, the researcher is referring to cyber-security professionals who get paid to break into companies. Their work is crucial, as they file reports on what they find, so companies can correct issues and keep hackers out.
“Open-sourcing tooling is important for red teams for the same reasons as any other job: it saves time for the teams at different companies from having to rewrite everything whenever they do a red team or pentest. It’s actually doubly important for us because pen-testers and red teamers work on extremely tight timelines,” Bryant said.
The researcher also told ZDNet that CursedChrome is nothing that an attacker couldn’t have built themselves. The project works on already-existing technologies and doesn’t bring any innovation to the table.
“Similar tools such as Cobalt Strike’s ‘browser pivot’ (for Internet Explorer) and the open-source BeEF framework have existed for years, and the technical details of how to perform this attack are freely available online,” Bryant said.
Furthermore, Bryant isn’t afraid that hackers might use his code. Weaponizing CursedChrome requires that attackers either (1) host the extension on the Chrome Web Store or (2) install it via an enterprise policy or via Chrome’s developer mode.
Bryant says that the first scenario won’t likely work since “the Web Store’s extension review pipeline […] is extremely effective at keeping out potentially malicious extensions,” while the second scenario requires that the attacker already have access to a company’s network, by which point they already have full control and access to everything else anyway.
Researcher wants to raise awareness. Also has a fix.
Instead, the researcher said he wants to raise awareness on the topic of malicious Chrome extensions and the damage they can do in enterprise environments.
Nowadays, as most companies use more and more web-based tools, browser extensions are more important than ever. An employee who ignores company rules and installs a malicious extension can create a hole in their company’s defenses, allowing hackers to bypass firewalls or VPN filters.
“It’s […] important to raise awareness of just what level of access you’re granting when you install a random extension for your browser,” Bryant told ZDNet.
The researcher says that by using something like CursedChrome, pen-testers can show companies exactly how vulnerable they truly are when they don’t strictly control what employees can install in their browsers.
But Bryant isn’t the type to point the finger at a problem and make some noise. Besides providing the pen-testing tool, the researcher has also provided the solution in the form of a second project that he also open-sourced on GitHub.
Named Chrome Galvanizer, this is a web-based tool that generates enterprise policies that can be installed on all of a company’s workstations.
IT admins can use Chrome Galvanizer to allow or block Chrome extensions from accessing certain URLs and the data associated with them.
This way, even if the user installs a malicious Chrome extension, the extension can’t steal data associated with certain sites, such as intranets and enterprise apps.
Furthermore, since these are enterprise “policies,” enforced at the OS level rather than set from inside the browser, an extension cannot bypass these rules in any way.
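To make the policy mechanism concrete, here is an added example, written for this article and not taken from Chrome Galvanizer or Bryant’s code, that builds a Chrome `ExtensionSettings` enterprise policy of the kind described above. `ExtensionSettings`, `runtime_blocked_hosts` and `runtime_allowed_hosts` are real Chrome policy keys; the default `*` entry blocks every extension from the listed hosts, and a per-extension entry re-allows them for an explicitly trusted extension. The hostnames, the 32-character extension ID and the output path (the Linux managed-policy directory is used only as an illustration) are constructed placeholders.

```python
"""Build a Chrome ExtensionSettings policy that keeps extensions away from
intranet hosts. Illustrative example only; not Chrome Galvanizer's output."""
import json
import re
from pathlib import Path

# Constructed sample inputs (placeholders, not real hosts or extension IDs).
PROTECTED_HOSTS = ["intranet.example.com", "hr.example.com"]
TRUSTED_EXTENSION_IDS = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]  # placeholder ID

# A bare DNS hostname with at least one dot: no scheme, port or path allowed,
# because the policy keys take host patterns, not full URLs.
_HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$"
)
# Chrome extension IDs are 32 characters drawn from the letters a-p.
_EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def host_pattern(hostname: str) -> str:
    """Turn 'intranet.example.com' into the Chrome match pattern
    '*://*.intranet.example.com' (any scheme, the host and its subdomains).
    Rejects anything that is not a bare hostname."""
    host = hostname.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"not a bare hostname: {hostname!r}")
    return f"*://*.{host}"


def build_policy(protected_hosts, trusted_ids=()) -> dict:
    """Return the ExtensionSettings policy as a dict.

    The '*' entry is the default applied to every extension: none of them may
    read, modify or inject into pages on the protected hosts.  Each trusted
    extension ID gets its own entry whose runtime_allowed_hosts overrides the
    default block for that one extension."""
    blocked = [host_pattern(h) for h in protected_hosts]
    settings = {"*": {"runtime_blocked_hosts": blocked}}
    for ext_id in trusted_ids:
        if not _EXT_ID_RE.match(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
        settings[ext_id] = {"runtime_allowed_hosts": list(blocked)}
    return {"ExtensionSettings": settings}


def write_policy(policy: dict, path: Path) -> Path:
    """Write the policy as JSON (the file format Chrome on Linux reads from
    its managed-policy directory); returns the path written."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2) + "\n")
    return path


if __name__ == "__main__":
    policy = build_policy(PROTECTED_HOSTS, TRUSTED_EXTENSION_IDS)
    # Assumed deployment path for illustration; Windows and macOS deliver the
    # same keys through Group Policy / managed preferences instead.
    print(json.dumps(policy, indent=2))
    write_policy(policy, Path("/tmp/managed-policies/extension_lockdown.json"))
```

The point of the `*` entry is that it does not depend on which extension the user installs: a later, unknown extension is still blocked from the intranet hosts, which is exactly the gap CursedChrome exploits when no such policy is present.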
Image: Matthew Bryant
While the information security (infosec) community might react negatively to “offensive hacking tools” being released once in a while, Bryant says they have their roles.
This includes tools like Modlishka, Facebook’s Weasel, Metasploit, and more.
“A real-world example of this is another tool I wrote for finding blind cross-site scripting (XSS) vulnerabilities called XSS Hunter,” Bryant said.
“Before I released the tool and made it easy-to-use and generally-available, most people I talked to didn’t even believe that blind XSS was a real concern. I’d hear things like ‘I’m sure that theoretically could happen, but I’ve never seen it’ and ‘I don’t think it’s actually exploitable’.
“These opinions were, of course, because nobody was looking for it, so nobody was finding it. Once I released the service and tooling, security researchers started finding and reporting blind XSS all over the place. Today, it’s something that everyone believes is a serious problem to look out for and the awareness of the issue has led to tons of critical bugs being fixed.”
Now, Bryant hopes that both CursedChrome and Chrome Galvanizer catch on with the community and help companies secure their computer fleets against malicious Chrome extensions.