Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung
Why use extensions? Extensions extend the functionality of the web browser. They usually serve a single purpose that is narrowly defined and easy to understand. Some of the more popular extensions, such as Ad Blockers, have 500+ million downloads.
Same Origin Policy Web page can access data belonging to a second web page if they both ● belong to the same “origin” All fields must match to be considered the same origin ● URI Scheme ○ Hostname ○ Port number ○
PostMessage Mechanism PostMessage relaxes the constraints of the same origin policy by allowing ● scripts from different origins to communicate. This is usually secure if done properly . ● PostMessage is used in both webpages and extensions ●
Origin Checks Allows a script to communicate with other scripts with a specified origin. ● The script ignores postMessages which do not pass the origin check. Hard to spoof an origin ● Security vulnerability if there is an insecure origin check ●
Breaking Origin Checks Examples from “The Postman Always Rings Twice” by Son and Shmatikov ●
Possible Consequences Arbitrary messages could be sent to the extension ● The extension could be disabled or altered ○ Any data the extension has could be stolen ○ Anything the extension has permission to do could be done ○
Attack Scenario - (Toy Exploit) Imagine you have an extension installed which has permission to look ● through your web browsing history. The extension also, for some reason, sends this history data to its parent website through a postMessage mechanism. That postMessage has a vulnerable origin check. ● A malicious website can steal the user’s history! ●
Collecting Extensions Each Chrome extension has a unique ID ● Unfortunately, Google does not provide ● a master list of extension IDs. We had to write an extension which ● scrapes the ID information as we manually scrolled through the Chrome Web Store. (Probably would have been better to ● automate this through Selenium) 7290 extensions collected ●
Finding Origin Checks Find “addEventListener” call that is being used for messages ● Find an origin check ● Optionally: Find “postMessage” calls sending data out of the extension ●
How many extensions are potentially vulnerable? String No successive With a successive postMessage send postMessage send .origin 669 30 .origin.indexOf 33 2 .origin.includes 2 0 .origin.match 16 1
Exploit in the Wild https://chrome.google.com/webstore/detail/fair-adblocker/lgblnfidahcdcjddiepkckcfdhpknnjh
Exploit in the Wild - Origin Check if( !event.origin.match (/^http(s)?:\/\/(.*\.)?(localhost|lgblnfidahcdcjddiepkckcfdhpknnjh|lngjmaohjfjl mbggeodkgpokfbdemejg|standsapp.org|stndz.com)(:\d*)?/i)) return; Example origins that bypass this check: http://espn.nfl.standsapp.org ● http://espn.nfl.localhost.com ● http://XXXXXXXXX.localhost.com ● http://XXXXXXXXX.localhost.XXXXXXXXX.com ● http://espn.nfl.standsapp.org.XXXXXXXX.XXXXXXXXX.com ● https://cs.utexas.localhost.edu ● https://cs.utexas-idcheck.lgblnfidahcdcjddiepkckcfdhpknnjh.edu ●
Exploit in the Wild This code is available after the origin check bypass. It sends back the user’s name and email address if it is set in the extension.
Exploit in the Wild This code is also available after the origin check bypass. It sends information including the “active tab” of the user. If the user keeps our malicious website open in the background, we can get a trace of what websites our user visits, potentially allowing for fingerprinting as well as theft of sensitive URLs. We can also see what websites are whitelisted.
Exploit in the Wild Demonstration http://cs.utexas.edu/~alfred
Are we too late?
Mitigation Techniques For extension makers: Make secure origin checks! ● .match, .indexOf, … are NOT secure. ○ Only use postMessage when absolutely necessary ● Avoid running scripts anywhere that interacts with outside messages ● Obfuscation makes our lives difficult ● For web users: Any permissions that an extension asks for can potentially be exploited ●
Conclusion Vulnerable postMessage origin checks exist in browser extensions ● These checks can be subverted ● Vulnerable extensions can be exploited ●
Future Work Firefox ● Dynamic checking for more robust postMessage checks ● Online tool that breaks origin checks ●
Recommend
More recommend