Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor - - PowerPoint PPT Presentation

SLIDE 1

Post Message Vulnerabilities in Chrome

By Alfred Zhong, Trevor Hornung

SLIDE 2

Why use extensions?

Extensions extend the functionality of the web browser. They usually serve a single purpose that is narrowly defined and easy to understand. Some of the more popular extensions, such as Ad Blockers, have 500+ million downloads.

SLIDE 3

Same Origin Policy

  • A web page can access data belonging to a second web page if they both belong to the same “origin”
  • All fields must match to be considered the same origin
    ○ URI Scheme
    ○ Hostname
    ○ Port number

SLIDE 4

PostMessage Mechanism

  • PostMessage relaxes the constraints of the same origin policy by allowing scripts from different origins to communicate.

  • This is usually secure if done properly.
  • PostMessage is used in both webpages and extensions
SLIDE 5

Origin Checks

  • Allows a script to communicate with other scripts with a specified origin. The script ignores postMessages which do not pass the origin check.

  • Hard to spoof an origin
  • Security vulnerability if there is an insecure origin check
SLIDE 6

Breaking Origin Checks

  • Examples from “The Postman Always Rings Twice” by Son and Shmatikov
SLIDE 7

Possible Consequences

  • Arbitrary messages could be sent to the extension
    ○ The extension could be disabled or altered
    ○ Any data the extension has could be stolen
    ○ Anything the extension has permission to do could be done

SLIDE 8

Attack Scenario - (Toy Exploit)

  • Imagine you have an extension installed which has permission to look through your web browsing history. The extension also, for some reason, sends this history data to its parent website through a postMessage mechanism.

  • That postMessage has a vulnerable origin check.
  • A malicious website can steal the user’s history!
SLIDE 9

Collecting Extensions

  • Each Chrome extension has a unique ID
  • Unfortunately, Google does not provide a master list of extension IDs.
  • We had to write an extension which scrapes the ID information as we manually scrolled through the Chrome Web Store.
  • (Probably would have been better to automate this through Selenium)
  • 7290 extensions collected
SLIDE 10

Finding Origin Checks

  • Find “addEventListener” call that is being used for messages
  • Find an origin check
  • Optionally: Find “postMessage” calls sending data out of the extension
SLIDE 11

How many extensions are potentially vulnerable?

String              No successive postMessage send    With a successive postMessage send
.origin             669                               30
.origin.indexOf     33                                2
.origin.includes    2
.origin.match       16                                1

SLIDE 12

Exploit in the Wild

https://chrome.google.com/webstore/detail/fair-adblocker/lgblnfidahcdcjddiepkckcfdhpknnjh

SLIDE 13

Exploit in the Wild - Origin Check

if(!event.origin.match(/^http(s)?:\/\/(.*\.)?(localhost|lgblnfidahcdcjddiepkckcfdhpknnjh|lngjmaohjfjlmbggeodkgpokfbdemejg|standsapp.org|stndz.com)(:\d*)?/i)) return;

Example origins that bypass this check:

  • http://espn.nfl.standsapp.org
  • http://espn.nfl.localhost.com
  • http://XXXXXXXXX.localhost.com
  • http://XXXXXXXXX.localhost.XXXXXXXXX.com
  • http://espn.nfl.standsapp.org.XXXXXXXX.XXXXXXXXX.com
  • https://cs.utexas.localhost.edu
  • https://cs.utexas-idcheck.lgblnfidahcdcjddiepkckcfdhpknnjh.edu
SLIDE 14

Exploit in the Wild

This code is available after the origin check bypass. It sends back the user’s name and email address if it is set in the extension.

SLIDE 15

Exploit in the Wild

This code is also available after the origin check bypass. It sends information including the “active tab” of the user. If the user keeps our malicious website open in the background, we can get a trace of what websites our user visits, potentially allowing for fingerprinting as well as theft of sensitive URLs. We can also see what websites are whitelisted.

SLIDE 16

Exploit in the Wild Demonstration

http://cs.utexas.edu/~alfred

SLIDE 17

Are we too late?

SLIDE 18

Mitigation Techniques

For extension makers:

  • Make secure origin checks!
    ○ .match, .indexOf, … are NOT secure.

  • Only use postMessage when absolutely necessary
  • Avoid running scripts anywhere that interacts with outside messages
  • Obfuscation makes our lives difficult

For web users:

  • Any permissions that an extension asks for can potentially be exploited
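As an added example (not code from the slides or from the extension), the slide 13 regex check is placed beside the exact-match allowlist check that slide 18 calls for, and both are run over the bypass origins slide 13 lists. The allowlist contents and the https://attacker.example origin are assumed for illustration; everything else comes from the slides.

```javascript
// Added example, not from the slides. Allowlist contents and
// https://attacker.example are assumed; other values come from slide 13.

// Weak check (slide 13): anchored only at the start, optional (.*\.) prefix,
// unescaped dot in "standsapp.org": any host with an allowed label in the
// right position passes.
const WEAK_ORIGIN_RE =
  /^http(s)?:\/\/(.*\.)?(localhost|lgblnfidahcdcjddiepkckcfdhpknnjh|lngjmaohjfjlmbggeodkgpokfbdemejg|standsapp.org|stndz.com)(:\d*)?/i;

function weakOriginAllowed(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Strict check: event.origin is exactly "scheme://host[:port]", so compare
// the whole string against an explicit set (assumed contents).
const ALLOWED_ORIGINS = new Set([
  "https://standsapp.org",
  "https://stndz.com",
  "chrome-extension://lgblnfidahcdcjddiepkckcfdhpknnjh",
]);

function strictOriginAllowed(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Listener shape from slide 10: origin check first, then act on event.data.
// Returns whether the message would have been processed.
function handleMessage(event, originCheck) {
  if (!originCheck(event.origin)) return false;
  // ... a real handler would use event.data here
  return true;
}

// One legitimate origin, three bypass origins from slide 13, and one
// constructed unrelated origin that neither check should accept.
const PROBES = [
  "https://standsapp.org",
  "http://espn.nfl.standsapp.org",
  "http://espn.nfl.localhost.com",
  "https://cs.utexas-idcheck.lgblnfidahcdcjddiepkckcfdhpknnjh.edu",
  "https://attacker.example",
];

// Run both checks over the probes using constructed events.
function compareChecks(origins = PROBES) {
  return origins.map((origin) => ({
    origin,
    weak: handleMessage({ origin, data: {} }, weakOriginAllowed),
    strict: handleMessage({ origin, data: {} }, strictOriginAllowed),
  }));
}
```

The weak check accepts every probe except the unrelated one, while the strict check accepts only the legitimate origin.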
SLIDE 19

Conclusion

  • Vulnerable postMessage origin checks exist in browser extensions
  • These checks can be subverted
  • Vulnerable extensions can be exploited
SLIDE 20

Future Work

  • Firefox
  • Dynamic checking for more robust postMessage checks
  • Online tool that breaks origin checks