Has Google failed to protect its Chrome browser?
- A few days ago, Reuters reported a “newly discovered spyware effort” targeting users of Google’s browser Chrome.
- The spyware, it said, has been pushed through at least 111 malicious or fake Chrome browser extensions, which have been downloaded some 32 million times.
(Browser extensions are add-ons that provide additional capabilities to the user.)
- The report also said Google had removed more than 70 extensions from its official Web Store last month after being alerted to their malicious nature by researchers at Awake Security.
How do these malicious extensions get into the Chrome store in the first place?
Short answer: they seem harmless, to begin with.
- According to the report by Awake Security, which brought this issue to light, these “sleeper agent extensions” appear to do nothing in the beginning.
- The “malicious payloads” are pushed to the extensions only well after the “clean” versions have been approved.
What do the malicious extensions do?
- They can take “screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords),” says the report.
How has Google reacted to this?
- As mentioned above, Google has recently removed the malicious extensions.
It has been mentioned that some of the fake extensions were never in the Chrome Web Store. How were they made to work then?
- This is due to misuse of Chromium, the open-source browser project on which Chrome is based: installing a tampered Chromium build can bring the malicious add-ons with it.
- It then works as a rogue browser once users unwittingly approve the prompt to run it.
Are browser extensions a vulnerability?
- A significant part of what we do on the computer these days is via the browser.
- Also, the research report points out that security solutions have struggled to spot malicious activity happening within the browser.
- The Awake Security report says, “Rogue access to the browser therefore frequently means rogue access to the ‘keys to the kingdom’ — from email and corporate file sharing to customer relationship management and financial databases.”
How are users fooled?
- Watch out for prompts that urge you to make a new browser as default.
- The security firm has also documented some standard characteristics of malicious campaigns. For starters, some of these malicious players have professional-looking websites that peddle false promises. One example recorded is a security extension that certifies a page with malicious content as secure.
Identifiers of a malicious web extension
- Security experts can visually figure out if an extension is malicious or fake, says the Awake Security report, listing the following easy identifiers:
- The extension has a huge following despite coming from an unknown brand with little information about it; the user reviews are uniformly glowing; and it has that following despite being relatively new in the market.
What other vulnerability has this finding revealed?
- The Awake Security report ends with a question mark on the conduct and practices of a small Israel-based domain registrar called Galcomm, formally known as CommuniGal Communication Ltd according to Reuters.
- Awake’s report says 60% of Galcomm’s domains are high risk for organisations.
- These malicious domains have managed to evade categorisation as unsafe because their behaviour depends on where the client connects from.
- They act maliciously only if the client connects from a broadband or cable network.
- They act benignly if the request comes from a data centre or virtual private network.
- It says, “This registrar, who also maintains a Registrar Accreditation Agreement with ICANN (The Internet Corporation for Assigned Names and Numbers), is responsible for putting far more malicious domains, malware, and exploitative content on the internet than legitimate content. We believe the research and analysis summarized in this report proves that Galcomm is at best complicit in malicious activity.”
- The bigger issue raised by the report is one of lack of oversight by ICANN, which oversees domain name standards.
- A domain name registrar is a business that handles the reservation of domain names as well as the assignment of IP addresses for those domain names.
- Domain names are alphanumeric aliases used to access websites; for example, Google's domain name is 'google.com' and their IP address is 192.168.1.1.
What has been Galcomm’s response?
- Reuters reported that Galcomm owner Moshe Fogel has denied any wrongdoing.