When your browser extensions go rouge…
Posted by jpluimers on 2016/11/21
A while ago I suspected at least one of my Chrome extensions to do funny things.
In the end it appeared that “Live HTTP Headers 1.0.8” went rogue a while ago and has by now been removed from the store as this link is gone: https://chrome.google.com/webstore/detail/iaiioopjkcekapmldfgbebdclcnpgnlo ()
It was part of a much larger set of extensions that went away and isn’t limited to Chrome: other browsers with extension mechanisms suffer from this too. More links about this at the bottom of this post.
Which means that by now you should be really careful which extensions you have installed and enabled.
So, browse through these and ensure you’ve disabled everything you don’t need permanently:
On my system, I removed these:
- “Live HTTP Headers 1.0.8” used to be at https://chrome.google.com/webstore/detail/iaiioopjkcekapmldfgbebdclcnpgnlo
- This extension contains malware.
- “JSONView 0.0.32.2” used to be at https://chrome.google.com/webstore/detail/chklaanhfefbnpoihckbnefhakgolnmc
- This extension contains a serious security vulnerability.
- “Read Later Fast 1.6.18” used to be at https://chrome.google.com/webstore/detail/decdfngdidijkdjgbknlnepdljfaepji
- This extension violates the Chrome Web Store policy.
When you go from Chrome to these URLs through the extensions page, it usually appends an UTM tracker like utm_source to the URL.
So I dug into that as well and found these links explaining them:
- [WayBack] What Is “UTM_Source” And Should You Be Worried? – Make Tech Easier
- [WayBack] Understanding utm_source, utm_medium and utm_campaign | ByteFive Internet Marketing and Publishing
- [WayBack] How I use utm_source, utm_medium, utm_campaign from Google Analytics | Davin’s blog
References:
- [WayBack] When Browser Extensions Go Rogue – Browser extensions offer direct access to our browser and all sites visited. What happens when they are hijacked for nefarious purposes?
- [WayBack] “Live HTTP Headers” extension hijacked : chrome
- [WayBack] Live HTTP Header malware domains – Pastebin.com
- [WayBack] Eric Capuano on Twitter: “Heads up! If you have the Live HTTP Headers extension in Chrome, remove it immediately! Just caught it doing some shady shit. More to come.”
- [WayBack] Scott Helme on Twitter: “Had a look through my CSP reports on @reporturi after recent news of browser extensions going rogue, *lots* of people saved by CSP!”
- [WayBack] FYI: “Tab Manager” extension’s new owners have added tracking (malware) : chrome
- [WayBack] malaさんのツイート: “https://t.co/01C8PVMRQY でアーカイブされていたインストール数のTOP5000のChrome拡張から調査19000+users、マルウェア嫌疑があるもの(CoolBar Proと同様の難読化)が36件 既に消えているものが21件で残っているものが 15件”
- [WayBack] Chrome ExtensionのLive HTTP Headersの調査(CoolBar.Pro導入 Extensionが何を行うかの調査) · GitHub
- [WayBack] Investigation into the Live HTTP Headers Chrome Extension (Introduced by CoolBar.Pro – An investigation into what the extension is actually doing)
- Chrome Extensions Archive
What helps is Content Security Policy (CSP):
- [WayBack] Chrome 18+: How to allow inline scripting with a Content Security Policy? – Stack Overflow
- [WayBack] Content Security Policy (CSP) – Google Chrome – Extensions
- [WayBack] Content Security Policy – Google Chrome – Apps
- [WayBack] An Introduction to Content Security Policy – HTML5 Rocks
- [WayBack] Content Security Policy | Web | Google Developers
- [WayBack] javascript – How to set Content Security Policy in Chrome Extension Manifest.json in order for Firebase to work – Stack Overflow
–jeroen
The Wiert Corner - irregular stream of stuff 
Lance E Sloan said
“Rouge”, as in the color or cosmetics? 😉
jpluimers said
As now being “red” on the blacklist (:
Lance E Sloan said
“Rouge”, as in the color or cosmetics? 😉