post message vulnerabilities in chrome
play

Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor - PowerPoint PPT Presentation

Jan 19, 2024 •514 likes •732 views

Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung Why use extensions? Extensions extend the functionality of the web browser. They usually serve a single purpose that is narrowly defined and easy to understand. Some of

  1. Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung

  2. Why use extensions? Extensions extend the functionality of the web browser. They usually serve a single purpose that is narrowly defined and easy to understand. Some of the more popular extensions, such as Ad Blockers, have 500+ million downloads.

  3. Same Origin Policy Web page can access data belonging to a second web page if they both ● belong to the same “origin” All fields must match to be considered the same origin ● URI Scheme ○ Hostname ○ Port number ○

  4. PostMessage Mechanism PostMessage relaxes the constraints of the same origin policy by allowing ● scripts from different origins to communicate. This is usually secure if done properly . ● PostMessage is used in both webpages and extensions ●

  5. Origin Checks Allows a script to communicate with other scripts with a specified origin. ● The script ignores postMessages which do not pass the origin check. Hard to spoof an origin ● Security vulnerability if there is an insecure origin check ●

  6. Breaking Origin Checks Examples from “The Postman Always Rings Twice” by Son and Shmatikov ●

  7. Possible Consequences Arbitrary messages could be sent to the extension ● The extension could be disabled or altered ○ Any data the extension has could be stolen ○ Anything the extension has permission to do could be done ○

  8. Attack Scenario - (Toy Exploit) Imagine you have an extension installed which has permission to look ● through your web browsing history. The extension also, for some reason, sends this history data to its parent website through a postMessage mechanism. That postMessage has a vulnerable origin check. ● A malicious website can steal the user’s history! ●

  9. Collecting Extensions Each Chrome extension has a unique ID ● Unfortunately, Google does not provide ● a master list of extension IDs. We had to write an extension which ● scrapes the ID information as we manually scrolled through the Chrome Web Store. (Probably would have been better to ● automate this through Selenium) 7290 extensions collected ●

  10. Finding Origin Checks Find “addEventListener” call that is being used for messages ● Find an origin check ● Optionally: Find “postMessage” calls sending data out of the extension ●

  11. How many extensions are potentially vulnerable? String No successive With a successive postMessage send postMessage send .origin 669 30 .origin.indexOf 33 2 .origin.includes 2 0 .origin.match 16 1

  12. Exploit in the Wild https://chrome.google.com/webstore/detail/fair-adblocker/lgblnfidahcdcjddiepkckcfdhpknnjh

  13. Exploit in the Wild - Origin Check if( !event.origin.match (/^http(s)?:\/\/(.*\.)?(localhost|lgblnfidahcdcjddiepkckcfdhpknnjh|lngjmaohjfjl mbggeodkgpokfbdemejg|standsapp.org|stndz.com)(:\d*)?/i)) return; Example origins that bypass this check: http://espn.nfl.standsapp.org ● http://espn.nfl.localhost.com ● http://XXXXXXXXX.localhost.com ● http://XXXXXXXXX.localhost.XXXXXXXXX.com ● http://espn.nfl.standsapp.org.XXXXXXXX.XXXXXXXXX.com ● https://cs.utexas.localhost.edu ● https://cs.utexas-idcheck.lgblnfidahcdcjddiepkckcfdhpknnjh.edu ●

  14. Exploit in the Wild This code is available after the origin check bypass. It sends back the user’s name and email address if it is set in the extension.

  15. Exploit in the Wild This code is also available after the origin check bypass. It sends information including the “active tab” of the user. If the user keeps our malicious website open in the background, we can get a trace of what websites our user visits, potentially allowing for fingerprinting as well as theft of sensitive URLs. We can also see what websites are whitelisted.

  16. Exploit in the Wild Demonstration http://cs.utexas.edu/~alfred

  17. Are we too late?

  18. Mitigation Techniques For extension makers: Make secure origin checks! ● .match, .indexOf, … are NOT secure. ○ Only use postMessage when absolutely necessary ● Avoid running scripts anywhere that interacts with outside messages ● Obfuscation makes our lives difficult ● For web users: Any permissions that an extension asks for can potentially be exploited ●

  19. Conclusion Vulnerable postMessage origin checks exist in browser extensions ● These checks can be subverted ● Vulnerable extensions can be exploited ●

  20. Future Work Firefox ● Dynamic checking for more robust postMessage checks ● Online tool that breaks origin checks ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Introduction Presenter: Jienan Liu Network, Intelligence & security Lab What is Chrome

Introduction Presenter: Jienan Liu Network, Intelligence & security Lab What is Chrome

Chrome Extension Introduction Presenter: Jienan Liu Network, Intelligence & security Lab What is Chrome Extension Extension Small software programs that can modify and enhance the functionality of the Chrome browser. Written

576 views • 18 slides
Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett Chrome OS Internals LinuxCon Europe 2014 1 / 43 Overview Intro to Chrome OS Architecture of Chrome OS Verified boot and developer mode Security

1.39k views • 110 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA Software Institute About me Im Pepe @cgvwzq http://vwzq.net/ Some notes about Chrome Chrome was a blackbox for me. Its code base is immense.

622 views • 38 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Fuzzing Low-Level Code Mathias Payer <mathias.payer@epfl.ch> https://hexhive.github.io 1

Fuzzing Low-Level Code Mathias Payer <mathias.payer@epfl.ch> https://hexhive.github.io 1

Fuzzing Low-Level Code Mathias Payer <mathias.payer@epfl.ch> https://hexhive.github.io 1 HexHive is hiring! 2 Challenge: vulnerabilities everywhere 3 Challenge: software complexity Google Chrome: 76 MLoC Chrome and OS ~100 mLoC, 27

725 views • 35 slides
a C h r o m e b o o k t o o Maksim Lin Freelance Android & Chrome App Developer

a C h r o m e b o o k t o o Maksim Lin Freelance Android & Chrome App Developer

Oh the things you could do if you had a C h r o m e b o o k t o o Maksim Lin Freelance Android & Chrome App Developer www.manichord.com So what are Chromebooks, ChromeOS And Chrome (Packaged) Apps? Chromebooks (and

612 views • 28 slides
Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2. Scroll down to Privacy and security and click on Clear browsing data 3. Select the time frame, then Clear data Google Meet Grid View Issues If you are

297 views • 10 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Freehold Borough Schools Technology Department Training Manual Google Docs and the Chrome browser work great together! If you do not have the Chrome browser on your laptop, please put in a helpdesk ticket. Go to the district website

575 views • 18 slides
A N N U A L R E S U LT S for the year ended 30 September 2017 DISCLAIMER These Presentation

A N N U A L R E S U LT S for the year ended 30 September 2017 DISCLAIMER These Presentation

A N N U A L R E S U LT S for the year ended 30 September 2017 DISCLAIMER These Presentation Materials are for information purposes only and must not be used or relied upon for the purpose of making any investment decision or engaging in any

484 views • 26 slides
A WEEK TO REMEMBER THE IMPACT OF BROWSER WARNING STORAGE POLICIES JOEL WEINBERGER & ADRIENNE

A WEEK TO REMEMBER THE IMPACT OF BROWSER WARNING STORAGE POLICIES JOEL WEINBERGER & ADRIENNE

A WEEK TO REMEMBER THE IMPACT OF BROWSER WARNING STORAGE POLICIES JOEL WEINBERGER & ADRIENNE PORTER FELT When someone clicks through an HTTPS warning, how long should the browser store that decision for? WHY DO WE CARE? REAL FALSE

650 views • 39 slides
Schoogle 21st Century Learning Spaces How Google Chrome is becoming a platform for instruction

Schoogle 21st Century Learning Spaces How Google Chrome is becoming a platform for instruction

Schoogle 21st Century Learning Spaces How Google Chrome is becoming a platform for instruction Chrome & Chromebooks Montgomery County Public Schools 2014-2016 Strategic Technology Plan The 21st Century Learning Spaces initiative focuses

246 views • 9 slides
INTERIM RESULTS FOR THE SIX MONTHS ENDED 31 MARCH 2018 DISCLAIMER These Presentation Materials

INTERIM RESULTS FOR THE SIX MONTHS ENDED 31 MARCH 2018 DISCLAIMER These Presentation Materials

INTERIM RESULTS FOR THE SIX MONTHS ENDED 31 MARCH 2018 DISCLAIMER These Presentation Materials are for information purposes only and must not be used or relied upon for the purpose of making any investment decision or engaging in any investment

562 views • 39 slides
(c) 2016 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015

(c) 2016 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015

(c) 2016 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2015 Fabbian USA Corp. (c) 2016 Fabbian USA Corp. (c) 2017 Fabbian USA Corp. (c) 2017 Fabbian USA

513 views • 35 slides
EVALUATING WINDOWS 10: LEARN WHY YOUR USERS NEED GPU ACCELERATION Erik Bohnhorst, Manager,

EVALUATING WINDOWS 10: LEARN WHY YOUR USERS NEED GPU ACCELERATION Erik Bohnhorst, Manager,

EVALUATING WINDOWS 10: LEARN WHY YOUR USERS NEED GPU ACCELERATION Erik Bohnhorst, Manager, ProViz Performance Engineering, NVIDIA Nachiket Karmarkar, Senior Performance Engineer, NVIDIA WINDOWS 10 VDI USER TESTING CPU only vs GPU-Accelerated

397 views • 26 slides
Financ ance T Traini ning ng Wednesday, February 13 th , 2019 Faculty Club Agenda Welcome

Financ ance T Traini ning ng Wednesday, February 13 th , 2019 Faculty Club Agenda Welcome

Financ ance T Traini ning ng Wednesday, February 13 th , 2019 Faculty Club Agenda Welcome and Introductions Finance Overview Chrome River General Information Travel and Invoices PCard Cash

687 views • 30 slides
The Gen Generati tion a n and U Use e of TLS F Fingerprints ts Blake Anderson, PhD; David

The Gen Generati tion a n and U Use e of TLS F Fingerprints ts Blake Anderson, PhD; David

The Gen Generati tion a n and U Use e of TLS F Fingerprints ts Blake Anderson, PhD; David McGrew, PhD; Keith Schomburg Cisco Reducing the Visibility Gap ? ? VM TLS Fingerprinting Overview TLS parameters offered in the ClientHello

667 views • 24 slides

More recommend