From the category archives:

Chrome Security




Andrea Grech, a programmer, claims that he wrote a plugin/extension that could steal the login IDs and passwords of the users who installed it. He will receive their Facebook and Twitter passwords and IDs in an email from the plugin.

In his own words: The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.

By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.

The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the URL and then proceeds to submit the form normally so as to avoid detection.

This simple procedure has been successful against Gmail, Facebook, Twitter and other major websites.

Update From The Original Blogger: This is not just Google Chrome, and…

Some have also commented as regards me demonstrating this on Google Chrome. Yes, other browsers can also be ‘vulnerable’ to this technique but I chose to try this on Google Chrome because it has apparently been dubbed as ‘the safest browser available’, and I’m not denying that. I wanted to make users aware that although Google Chrome is, undoubtedly, a safe browser to use, they should still be careful about what they install on their browsers and not blindly trust anything.




Fake Google Chrome Extension Trojan

With more and more people reaching the web through Google Chrome, hackers and spammers have started targeting Google Chrome too. Google Chrome has been proven to be the most secure browser. Now they are trying to hack you through the extension system, or through software faking itself as an extension.

Malwarecity.com reports a new trojan that fakes itself as a Google Chrome extension. “The story is simple: Google Chrome users receive an unsolicited e-mail which announces that a new extension of their favorite browser has been developed to facilitate their access to documents from e-mails,” they wrote.

How to Identify

As you may have noticed, Google Chrome extensions are always .crx files, and this trojan is a .exe file. So be careful with anything that calls itself a Chrome extension and is not a .crx file.

What It Does

It modifies the Windows HOSTS file in an attempt to block access to Google and Yahoo webpages. Every time users want to access them and write “google.[xxx]” or “[xx].search.yahoo.com” in the web browser, they will be redirected to another IP: 89.149.xxx.xxx. This allows the malware creators to intercept the victims’ calls to reach the respective sites.
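A defender can check for this kind of tampering by scanning the HOSTS file for Google or Yahoo search names mapped to a non-loopback address. The following is an added example, not code from the original post or from the Malwarecity report; the function names, the regular expressions and the sample entries (which use the 203.0.113.0/24 documentation range, not the redacted IP above) are assumptions.

```python
import ipaddress
import re

# Hostname shapes taken from the post: "google.[xxx]" and "[xx].search.yahoo.com".
WATCHED = [
    re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$"),
    re.compile(r"^([a-z0-9-]+\.)?search\.yahoo\.com$"),
]

def is_benign_target(addr):
    """Loopback/unspecified targets are typical of local block lists, not redirection."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not a valid IP: report the entry rather than trust it
    return ip.is_loopback or ip.is_unspecified

def suspicious_hosts_entries(text):
    """Return (line_no, address, hostname) for watched names pointed at a remote IP."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if is_benign_target(addr):
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if any(p.match(host) for p in WATCHED):
                findings.append((line_no, addr, host))
    return findings

# Constructed sample HOSTS content (not taken from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.25    google.com www.google.co.uk   # injected
203.0.113.25    us.search.yahoo.com
0.0.0.0         ads.example.net
10.0.0.5        intranet.example.local
"""

if __name__ == "__main__":
    # On Windows the real file lives under %SystemRoot%/System32/drivers/etc/hosts
    for line_no, addr, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

A clean HOSTS file normally has no entries at all for these names, so any finding is worth investigating.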

The Ultimate Solution

It’s simple! Install extensions only from Google’s Official Extensions gallery.


It’s Official – Chrome Is the Safest Browser

by chrome story on March 29, 2010 · 9 comments



Firefox is loser

Pwn2Own 2010 is over and the winner is Google Chrome. Safari was the first to fall, followed by Internet Explorer 8 on Windows 7. Firefox on Windows 7 x64 was also taken down, as was the iPhone’s mobile Safari.

Pwn2Own, if you do not know, is a yearly event where security experts compete to hack browsers and win prizes.

Charlie Miller, a security expert, hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser to win the $10,000 top prize. He also got to keep the MacBook machine.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

Do you want to know what he had to say about Chrome?

“There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things – you can’t execute on the heap, the OS protections in Windows and the Sandbox.”

Feeling happy that you are a Chrome user?


Google Chrome Privacy and Cookies – A video

by chrome story on March 17, 2010 · 0 comments

Google has updated the stable version (the normal Chrome version everyone uses) today, adding the Auto Translate option and more content privacy controls.


Auto Translate

Google Chrome’s translation feature uses the Google Translate technology. It works across 52 languages and can automatically detect and translate entire websites in less than a second.

However, without proper controls to disable this feature, it may annoy many users.

Content Privacy

In Chrome, the language detection takes place in the browser, not on Google servers. If the page isn’t in a language you know, Chrome offers to translate it for you by sending it through Google Translate.

Now, there’s a set of “Content Settings” options that let you manage how browser cookies, images, JavaScript, plug-ins, and pop-ups are handled on a site-by-site basis. For example, you can block all cookies except for the ones from sites you trust.

Google also implemented a new approach to Google Update technology, which allows them to remove the unique ID from Google Update while still preserving their ability to determine the number of active users and keep everyone up-to-date with the latest security updates and speed improvements.


Soon after Google launched the new beta version with translation bar and content security settings, Google System, a popular blog, came out with a cool article “10 Ways to Use Google Chrome’s Content Settings”.

It’s a useful and interesting article explaining how to use Chrome’s new content settings to control what reaches your computer through Chrome and what does not.

They have explained how to block images totally, block images from a particular website, block cookies from websites, etc. Check it out!
