Hacking Google Chrome OS

Video in TIB AV-Portal: Hacking Google Chrome OS

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O, and the company is getting ready to market them to businesses as well as consumers. What is different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a web browser (Google Chrome), is that everything takes place in the cloud: email, document writing, calendaring, social networking, everything. From a security perspective this means that all website and web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential to circumvent Chrome OS's security protections and expose all of the user's data. Two members of WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that, with no more than a single mouse click, may victimize users by:
* Exposing all of the user's email, contacts, and saved documents.
* Conducting high-speed scans of their intranet and revealing active host IP addresses.
* Spoofing messages in their Google Voice account.
* Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.
While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings; some vulnerabilities were addressed and bounties generously awarded, but many of the underlying weaknesses remain, including the ease with which evil extensions can be made available in the Web Store, the ability for payloads to go viral, and JavaScript malware that survives a reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all of their never-before-seen research through a series of on-stage demonstrations.
Kyle 'Kos' Osborn is a web application security specialist at WhiteHat Security. He competes as a Red Team member in the West Coast Collegiate Cyber Defense Competition and has also done work for the US Cyber Challenge by building a CTF for three of the Cyber Camps. Mr. Osborn has also released open-source security tools to the information security community, notably "Man Just Left of the Middle", which was featured in Dave Kennedy's Social-Engineer Toolkit. He attended his first security conference at the age of 16 and was hooked. He firmly believes in sharing information and best practices throughout the security community to promote greater web security for all. He is a regular participant at conferences, having attended more than 20 security events in the last 4 years. Most recently he was a featured speaker at ToorCon Seattle, where he spoke about embedded HTML engines in desktop applications. Hacker by day, hacking harder by night. Living in the danger zone.

Matt Johansen is an application security specialist at WhiteHat Security, where he oversees assessments on more than 250 web applications for many Fortune 500 companies across a range of technologies such as PHP, .NET, Ruby on Rails, and Flash. He was previously a consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also a professor of Web Application Security at Adelphi University and San Jose State University. He recently was part of the cut-score panel for the SANS certification by the GIAC and is the 29th person worldwide to achieve this certification. He holds a Bachelor of Science in Computer Science from Adelphi University.
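In the transcript below the speakers describe pulling down the manifest.json of popular extensions and flagging the ones whose host permissions are wide open ("star can talk to star"), together with the API permissions (cookies, history, bookmarks, tabs) that make such an extension dangerous, and they point out that a `*` scheme in a Chrome match pattern covers only http and https. The following Node.js script is an added example of that audit; it is not code from the page, the speakers or Google. The manifests it checks are constructed: the "Scratchpad (approximated)" entry only mirrors the permissions read off the install prompt in the talk (docs.google.com, www.google.com, browser history) and is not the real file, and the other three are hypothetical.

```javascript
'use strict';
// Added example (not code from the page or the speakers): an offline audit of
// Chrome extension manifest.json files for over-broad host permissions and
// sensitive API permissions. All sample manifests below are constructed.

// Chrome match-pattern grammar: <scheme>://<host><path>
//   scheme: "*" matches http OR https only; otherwise http, https, file, ftp
//   host:   "*" (any host), "*.example.com" (domain plus subdomains), or exact
//   path:   must start with "/", where "*" is a wildcard
// "<all_urls>" is a special token matching every scheme the extension APIs support.
const STAR_SCHEMES = ['http', 'https'];
const ALL_SCHEMES = ['http', 'https', 'file', 'ftp'];

// Parse a match pattern into {schemes, host, path}; null if Chrome would reject it.
function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') {
    return { schemes: ALL_SCHEMES, host: '*', path: '/*' };
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  if (scheme === 'file' && host !== '') return null; // file:// patterns have no host
  return { schemes: scheme === '*' ? STAR_SCHEMES : [scheme], host, path };
}

// Turn a "*"-glob into an anchored RegExp, escaping every other metacharacter.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

function hostMatches(patternHost, urlHost) {
  if (patternHost === '*') return true;
  if (patternHost.startsWith('*.')) {
    const base = patternHost.slice(2);
    return urlHost === base || urlHost.endsWith('.' + base);
  }
  return patternHost === urlHost;
}

// Would `pattern` give the extension access to `url`? Chrome matches the path
// glob against the URL's path plus query string.
function urlMatches(pattern, url) {
  const p = parseMatchPattern(pattern);
  if (!p) return false;
  const u = new URL(url);
  if (!p.schemes.includes(u.protocol.slice(0, -1))) return false;
  if (!hostMatches(p.host, u.hostname)) return false;
  return globToRegExp(p.path).test(u.pathname + u.search);
}

// API permissions whose abuse the talk walks through: reading cookies, history
// and bookmarks, and driving open tabs. tabs.executeScript itself only needs
// host permission for the target page, so wide-open hosts are the real problem.
const SENSITIVE_APIS = new Set([
  'cookies', 'history', 'bookmarks', 'tabs', 'webRequest', 'webRequestBlocking',
  'management', 'proxy', 'debugger',
]);

function auditManifest(manifest) {
  const wideOpen = [];
  const sensitiveApis = [];
  const malformed = [];
  for (const perm of manifest.permissions || []) {
    if (SENSITIVE_APIS.has(perm)) {
      sensitiveApis.push(perm);
    } else if (perm === '<all_urls>' || perm.includes('://')) {
      const parsed = parseMatchPattern(perm);
      if (!parsed) malformed.push(perm);
      else if (parsed.host === '*') wideOpen.push(perm);
    }
    // anything else (storage, notifications, ...) is not interesting here
  }
  // Any-host access lets the extension inject script into every page the user
  // is logged in to, which is what turned the demo into a session-stealing worm.
  const canScriptAnySite = wideOpen.length > 0;
  let risk = 'low';
  if (canScriptAnySite || sensitiveApis.includes('cookies')) risk = 'high';
  else if (sensitiveApis.length > 0) risk = 'medium';
  return { name: manifest.name, wideOpen, sensitiveApis, malformed, canScriptAnySite, risk };
}

// Constructed manifests. The first only approximates the grants read off the
// Scratchpad install prompt in the talk; it is not the real file.
const SAMPLE_MANIFESTS = [
  { name: 'Scratchpad (approximated)',
    permissions: ['https://docs.google.com/*', 'https://www.google.com/*', 'history'] },
  { name: 'Hypothetical feed reader', permissions: ['*://*/*', 'tabs', 'storage'] },
  { name: 'Hypothetical cookie grabber', permissions: ['<all_urls>', 'cookies', 'tabs'] },
  { name: 'Hypothetical broken manifest', permissions: ['file://example.com/*'] },
];

function auditAll(manifests = SAMPLE_MANIFESTS) {
  return manifests.map(auditManifest);
}

for (const r of auditAll()) {
  console.log(`${r.risk.padEnd(6)} ${r.name}` +
    (r.wideOpen.length ? `  wide-open: ${r.wideOpen.join(', ')}` : '') +
    (r.sensitiveApis.length ? `  apis: ${r.sensitiveApis.join(', ')}` : '') +
    (r.malformed.length ? `  malformed: ${r.malformed.join(', ')}` : ''));
}
```

Point `auditAll` at manifests unpacked from real `.crx` files to reproduce the speakers' sweep of the most popular extensions. The `urlMatches` helper makes the scheme point from the talk concrete: `*://*/*` covers every http and https origin but not `ftp://`, while `<all_urls>` does.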
So, I'm Matt Johansen. I'm a DJ, whatever you want to call me. Oh, I'm Kyle Osborn, or Kos. It's just 'cause, baby... because... oh, I am the Kos.

A lot of people know me as Jack Bauer now, so that's kind of the Internet Jack Bauer, from the LA Times. Someone joined? Oh, it is; someone's on video chat with us on a Chromebook. So, we both work for WhiteHat Security's Threat Research Center. That sounds pretty much as epic as it gets, right? But, um, we are web app hackers, you know. Oh yeah, yeah, I'm an application security specialist, blah blah blah, offensive security, fun stuff; likes to make things scarier than they actually are, but not fun. Like, Kyle breaks things. This is the obligatory "what our company does" part: sometimes we scan websites for vulnerabilities, just past four thousand sites. Very cool, don't care.

Okay, so the Cr-48. This is what started this whole mess; this is what started our research. Kyle's sitting on Google Plus on it right now. This is the beta version of the Chromebooks that came out back in the fall of 2010. Who, who had a beta Cr-48 in their suite? Yeah, they were sitting on about 25... you have yours right there? All right, I have an extension I'd like you to install. So, uh, so they were sitting on about 25,000 of these. They mailed them out; they gave WhiteHat one for us to hack on, and we wouldn't be here if we didn't, right? So we found some pretty cool things. So before the Cr-48 came out, Chrome OS was out as an open source project: you could install it on whatever machine you were running, whatever VM you were running, that kind of thing. This is the first device that actually was dedicated to it and, you know, utilized all of its features, utilized all the security features that Google put in place. Yeah, another thing is that this is no longer a beta product. These are out in the public; Samsung put them out as Chromebooks. Did anyone buy one? Oh cool, a few of you, nice. All right, so yeah, they're out there, they're in production right now.
Yeah, what do we know about Chrome OS, right? It's a web-based operating system. We were actually shocked when we opened this laptop that it was just a browser; it was just Chrome. We were like, oh, okay, a machine with Chrome on it, I've already had one of those. But so this is all it is, right, it's just Chrome. So in order to get any functionality out of this besides the web browser, you've got to use the extensions in the Web Store. It's kind of like the Apple App Store, but they obviously couldn't call it that. So because of all of that, nothing is stored locally, right; the hard drive, you have no access to it. As a user of this device you cannot touch the hard drive; you can't store anything on it. It's small anyway, you know, nothing is really on it. The file system is there; it's just Chrome. So because of that it's pretty fast: you open these things up and they're on, you're online, you're in the web browser, and Google's kind of pushing you towards storing everything in Google Docs or, you know, your Google Music, anything like that. They're pushing you towards the cloud, right? So, you know, this is what they're putting up against the iPads of the world, right; this is what they're putting up against Apple. You know, they're trying to steal some market share, and it could very well sneak its way into the market. These, the Samsung Chromebooks, only came out in June, so even though we've had these Cr-48s for a while, they've only been available for public purchase for a few months. So we don't really know what it's gonna look like, if this is going to steal a bunch of market share or not.

So the analogy that we like to make, have made a few times already, is that these things are kind of like mobile devices but with keyboards, right? So it's an iPad with a keyboard, but it's just a web browser on it. So the same way that those phones, like an iPhone or something like that, are very locked down, and you can't install anything on it... you can't just go ahead and install Microsoft Word on your iPhone, right? Wouldn't that be cool? But in order to do anything with it without jailbreaking it, you've got to go to the App Store, right? So how many people in here have more than three pages of apps on the iPhone in their pocket? Okay, a bunch of you, right? So people go app crazy, all right, you've got to download a bunch of different things. So those of you who have iPhones and have installed all these apps, how many of you have seen the permission warning that comes up, right? This app you're about to install is gonna have access to your GPS location, your call history, your text messages, your mother's maiden name, your social security number, all that kind of thing, right? Who said cancel because of that pop-up box? Not enough of you. This is DEF CON, come on. All right, so the same thing kind of happens in the Chrome Web Store. When you go to install an extension on Chrome, right below the install button it says what websites that extension is gonna have access to talk to. So you will see some more examples of this in a second. Another thing we want to point out is that with the App Store there's actually a code review process, or not necessarily a code review, there's an application review process, sort of like a QA sort of deal going on. It's not a security review, as far as I know, but the Chrome Web Store doesn't have any sort of QA process going on. So you go immediately from the third-party developer to the Google Chrome Web Store for anybody to download. So a lot of these extensions are developed by third parties, right; it could just be a person, it could be Zynga, or it could just be a person, right? Google also has a bunch of extensions in there, but we found a vulnerability in those too, right? So, um, oh yeah, so because of, like, the lack of review process in the Chrome Web Store, you can look it up right now: there's an extension called Cookie Stealer. I promise we didn't make it, but it's called Cookie Stealer, and that's what it does, and it's available for download. Go ahead. We're gonna demonstrate a malicious extension that we developed later on in the talk. It's called, we named it, Malicious Extension, with no legitimate purpose whatsoever. I did it, and it got into the Web Store no problem, right? You could have done it... no, Sheldon, it's not Baron... if you took it down right away. We put the icon as a picture of Justin Bieber; it had four million... that's okay.

So, so what does a hacker see, right? So we're looking at this Web Store as web hackers, like, heaven, right? This is a brand new attack surface for us. This is months old; it's not even years old yet, right? So I'm sure this room more than anyone knows, early on in a product lifecycle, where does security come into play? Mmm, just non-existent, right? So it's not making money early on, it's costing money, all right. So a lot of these extensions are just coming out now, so of course they're gonna have security holes in them, because, especially now, because it's all just HTML5 and JavaScript. So why do you need to worry about security in HTML5 and JavaScript? You do most of that stuff server-side; there are not very many attacks that a server can't block that get reflected back to the user with HTML5 and JavaScript. So, so the other cool thing about a lot of these Chrome extensions, that makes them different than a lot of, like, the Firefox or Safari or Internet Explorer add-ons and things like that, is these are just little mini websites, and they're just used to help, like, increase the functionality of these Chromebooks especially, but the Chrome browser too; you can install any of these on your machine right now. A lot of them just take up very little screen real estate, which is really important on a netbook, if any of you use netbooks, really important, right? So let's just get right to what started the whole mess.

So this, this is kind of like their version of Notepad, right? It's called Scratchpad; it's just a note-taking application. It was pre-installed; it was the very first one on the Cr-48. Who's used it, who's seen it, used it? Who has a Cr-48? Scratchpad, right? All right, cool. So it's a little nifty note-taking thing, and the other feature that's cool about it is that it automatically syncs to your Google Docs account, into a folder called Scratchpad, right? So when you're writing up your shopping list or your to-do list, whatever you're doing, this little tiny mini website in the bottom of your screen syncs to your Google Docs account. Another feature of Google Docs that we've used in this exploit was that you can actually share a document or a folder with someone else who's using Google Docs, and they don't have to give you permission to get that folder or document, right? Which has been, I guess, mostly okay, because Google Docs is pretty well protected, but the Scratchpad extension was not, right? So we, you know, we could go ahead and share our malicious document, which you'll see in a second, and do anything, right? So just the key points that we wanted to push: it comes by default; everybody that has Chrome OS has it; you can install it on Chrome; I really think it caters to Google users, right. The main feature of it is that it syncs to your Google Docs account, so you're definitely authenticated. Everyone has it; it's on every single one of these Chromebooks, and you don't need permission to receive anything. And then on top of that, Google Documents lets you share across, or lets you share to anybody, without notifying them or allowing them to accept it; it just automatically goes into their documents. So it's completely stealthy if you want it to be. Not only did they not need to give you permission, there's a nice convenient checkbox when you share a document that says turn off email notification to the person. So we can go ahead and share the document without the permission and they'll never even know that it happened, right? And this automatically syncs to Scratchpad. So Google fixed this cross-site scripting bug right away, but I found it within half an hour of opening the Cr-48. It was the very first extension I opened; I threw in a tag, and there's no sort of filter. I didn't do any crazy web hacker stuff; I threw in a tag, it didn't handle it, and we were like, oh, what can we do with this? So at first we were trying to steal the OAuth tokens that it was using and things, but then we just realized that it was talking directly to docs.google.com and www.google.com, so we were able to do some cool stuff. So we have a video, since they fixed it right away, right? So this is in fall 2010; there's about 30,000 users at the time, those are either Chrome users or Chrome OS users that get it by default. And in the bottom right you can actually see the little yellow box there; that is the permissions it gives you, that it needs to actually function, which is access to google.com and docs.google.com and your browser history, and your browser history, for some reason. Cool.

So we're gonna go ahead and show intended functionality, which is actually just adding a document and syncing it. So this is a regular user's account, no big deal here; the link right there. So there's actually a Scratchpad folder on the left, if you can see that, and that's actually where all your documents are stored, and that's important to remember, that it's in that Scratchpad folder, because we're going to be utilizing that feature to attack this victim. So we're gonna go ahead and move over to the attacker's Docs, and you can see there's an inject right there, that document right there that has HTML and JavaScript in it. Now that's completely sane inside docs.google.com; it's not being rendered, there's no JavaScript being executed, it's just the title of the document. So, can you guys see the URL that we're calling? So we're basically using an onmouseover event just for illustration purposes; this could all happen automatically, but we're gonna use an onmouseover event to fire our JavaScript, and it calls out to an external JavaScript file on Kyle's domain, iamawesome.com. That's the external JavaScript. It expired, so if you want to go buy it... I guess I could have sold it here and made some money, I don't know. Yeah, they're never gonna share it. So we're actually gonna be sharing the Scratchpad folder. Now, when we share the Scratchpad folder from the attacker to the victim, the full folder actually gets moved over. So right here we go ahead and throw the user ID, or the username, the victim's email address, in there, and we uncheck that little nifty checkbox that says send email notification, so we can just simply share to the user without any sort of notification. So go ahead and share it; we'll zoom back right over to the victim's account, and in just a second his Google account will sync with the shared Scratchpad folder. There it is. And then in just a second it's gonna sync with Scratchpad, and now this is just an onmouseover event, so just a link with a JavaScript event. We can make this all automated; there's no reason that we couldn't just make it pop. So what we're doing here: we sourced in that JavaScript file into this completely sane extension, this extension provided by Google, and we have now taken over the extension. So we made some nifty buttons in the JavaScript that do exactly what they say on them, right; for the purpose of the demonstration they're buttons, but, you know, automation is pretty basic. So the first button actually grabs your Google contacts, because you're logged into Google and Scratchpad needs access to google.com; we can just pull down google.com/contacts. So I can have Scratchpad just make a request, pull down the export functionality, pull it all down as nicely formatted CSV, thank you Google, and then I can wrap that. Simple. It's very possible. Then I can just wrap that up and spit it back out, send it back to the attacker, without the user ever really knowing anything. Another bit of functionality that the Scratchpad app has, because it has access to docs.google.com and www.google.com: I can actually spawn a tab with one of those host names in it and then I can inject JavaScript into that frame. There's a nifty built-in function called executeScript; yeah, tabs.executeScript, in the API, there we go. So it's great because now we can effectively inject JavaScript into any web page we want, and in the scope of this app it's only docs.google.com and www.google.com, but we can effectively inject our own JavaScript into these web pages without any sort of vulnerability in these web pages. So there's no cross-site scripting that we know of in google.com that we're utilizing here; we've simply just injected the JavaScript directly into the DOM via these extensions. And so you can see on the screen we just, you know, the stereotypical alert box with a cookie in it. So what we could have done here is shared a malicious folder with the malicious document with someone that we knew was using Scratchpad, automatically execute JavaScript in the context of it, grab your whole address book and your session, and then force you to share that same document with everyone in your address book, and so on and so forth, and let's go ahead and not notify anyone that we did this. So it was potentially a zero-click silent worm, right? So we can go ahead and just go steal every session of anyone who was using Scratchpad at the time; one click if you had to open the extension, but this all could happen automatically if the extension was open.

So how do we do this, right? So we've been talking about permissions a little bit here and there, right? So if you guys have played around with Chrome extensions at all, when you have them installed locally, the permissions are actually set in a file called manifest.json, and basically it just tells you what websites this extension can talk to. Scratchpad could talk to docs.google.com and www.google.com, but of course it can, right? Like, if you install a Google Docs note-taking app, of course it's gonna be able to talk to Google Documents; why would that stop me from installing it? But the cool thing here is that the permissions are set by the third-party developer, right? So if they don't know any better, what are they going to default to? Talk to every website; you know, "I don't want to deal with this later and it breaks something." So we've seen some extensions out there that have these wide-open permissions, just basically star can talk to star, that don't need it. But the other kind of scary thing is that some extensions need that permission, something like an RSS reader. All right, is there any way to blacklist or whitelist, for an RSS reader, what websites it's going to be able to talk to? So if you have an RSS reader extension, it's going to need to talk to every possible website that's going to have an RSS feed on it, so it's gonna have wide-open permissions. And again, Google does not check these extensions or the permissions that are set by the third-party developer before they're uploaded to the Web Store.

Also, a quick overview of the APIs that, as an attacker, I found interesting. So the first three, bookmarks, cookies, history: those basically allow me to access, edit, or insert bookmarks, cookies and history. This is great because I can kind of pull down your whole history, all your bookmarks, all your cookies, and then if I want to look at trends I can figure out which websites you go to most often; I can stage attacks based on that information. Or if I have direct API access to all of your cookies, I can just pull down all of your cookies and impersonate you on every website that you're currently logged in to and have a session with. Now, windows and tabs: pretty much all the extensions have this; this is basically the API that allows them to create pop-ups, create new tabs, and create new windows. It's pretty standard. This is also, or, I'm sorry, talk to any currently open window, right? So if an extension needs to talk to a website that you currently have open, it doesn't need to pop something up or let you know. And this is the awesome one, because this is the one that has the functionality of tabs.executeScript. So most of the extensions utilize this API, and most of them have the ability to call the executeScript functionality, and that's great because if most of them have it, it just means it's that much easier for us to inject code into websites that we feel necessary to do so. In the bottom there you see a screenshot of what the manifest.json file looks like, a sample manifest.json file; it just had permission to, you know, storage, notification, tabs; tabs is what we're talking about, that's cool. And then you'll see a sample wide-open permission, kind of a regex, right, so it can match on any protocol, any domain, any path. Any protocol, it's kind of tricky here: it's not actually any protocol, it's either HTTP or HTTPS, so even though it's a star it's just those two things. We can't start, like, initiating FTP connections and stuff like that through these things. And you see that very often; there are extensions in the wild right now with that, with cross-site scripting. Every once in a while I pull down the top 1,000 featured or most popular extensions, I go through and I parse the manifest.json files, and there's a good percent that have exactly that, and of those I can usually find a few that have vulnerabilities.

So what are we looking for now, right? As web hackers we're not looking for buffer overflows or anything like that; your software security, it was perfect, all right. I was, we were given this talk at the executive briefing at Black Hat, a little quick couple minutes of it, and this guy was talking before me, and I couldn't have asked for a better person to be talking before me. He went up there and he was talking about ASLR and DEP and all this kind of stuff, comparing Windows 7 and OS X and the latest and who's more secure, this, that, the other thing. He gave this whole, you know, talk about that, and I got up there and introduced ourselves and I said, and this is exactly why we don't care what he just talked about. We don't care about ASLR or anything like that, right? We're talking about, you know, everything in the web now. I don't care about what's on your hard drive; you know, these machines don't store anything locally; even if they did, you're storing everything in the cloud anyway, right? Like we were just able to hijack everyone's Google account. How many people live in Google? I know I do, all right, it's all my email. We were cracking up; we were using Google Docs to pass outlines for this talk back and forth to each other, and we just found a vulnerability in it while we were testing Scratchpad. I also shared extensions to Matt that he was not happy about, our shared titles, yeah. So, you know, we're looking for the new set of usual suspects, right? We're not looking for insecure software on your hard drive or anything like that; we're looking for extensions that, you know, are gonna take input from somewhere and display it back on the screen, for cross-site scripting vulnerabilities. We're gonna look for extensions that perform some sort of sensitive administrative function for you conveniently on some website, for CSRF vulnerabilities. We're gonna look for, and we'll show it in a second, we're gonna look for extensions that talk to a database for
sequel injection vulnerabilities right these are web hacks that everyone's known about for decades and you know we're not doing anything fancy here you know I don't you know I don't want to write crazy buffer overflows ASLR bypasses anything like that we're just writing JavaScript and we're we're doing some pretty cool stuff so you know the other unique thing about these extensions is if you find cross-site scripting on a web site you can attack the users of that website if you find cross-site scripting on an extension with wide open permissions you can potentially attack the users of every website that that user is using that's completely different we you know we're not seeing that a lot today this is this is kind of new so we have a
direct quote from Kyle here and so why are we gonna why we gonna spend all these all this time what I was like I was saying why are you spend all this time trying to learn assembly code or anything like that when javascript is really easy so social is this small child that is a quote that I said so across that script is going to give you everything you know we want and more an exploit development art like I don't I don't have time to learn it I'm not smart enough to learn it Kyle agrees that I'm not smart and all these ap eyes are really easy and you know callable by JavaScript you know maybe we can get like a memory based now Laura Kiely aqui lager in this system if it really felt like trying to break the sandbox or something like that I mean no one even showed up at Kent's a quest to try to break the sandbox that's not what I'm gonna spend my time doing the return on investment isn't worth it there all right the the impact is so high with these vulnerabilities but the the learning curve is so low it's it's really just JavaScript most of the attacks can be done in two to five lines of a JavaScript and it's it would be pointless to really do any sort of in memory malware because as soon as you reboot the machine it's lost your your attack window it's a probably shorter amount of time and you can't really do much once you get the code execution the hard drive is read-only besides your home directory but nothing in your home directory is executable so you can't even maintain persistence with native code execution see the other thing that we haven't seen yet that we're seeing here is that if we're gonna fix this besides fixing just the cross site scripting holes a lot of the sanitization might have to happen client-side right these extensions are locally right so usually when you fix cross-site scripting you're doing some sort of input validation or output encoding on the server side what if these extensions don't talk to a server at any point right and like they're 
just grabbing information locally things like that you know then then the standardization might have to happen client-side that's that's crazy we don't even know what that's going to look like so let's get to another fun demo so this
is a purposely malicious extension that we threw together just to demonstrate
the vulnerabilities this extension pretty much has the same permission levels as the scratchpad extension does
it's it's nicely named malicious extension so anything we do here we
could have done with scratch pad can't do it anymore because the Google fixed it so no big deal actually I take
that back the only difference between a scratch pad extension is that instead of having only access to Google com we have access to star colon slash last star we can access any domain any host name any protocol and that's actually very common yeah like we said there are extensions out there RSS readers things like that like that I think at the time the top-rated RSS reader in the top used RSS reader had an XSS bug in it and had permission to talk to every website when we found it back in December but this is just a little easier to demonstrate right so so with this extension here I'll go down to maximum oh great okay so with this extension here we just have the nice little buttons again of course we've seen the Google contacts we can just pull that up and there you go
there's your Google contacts and a nice CSV format now this is a fun one yeah we
did yeah so who who wants to come up on stage and type their phone number in wedgy come on I promise it's a password field no one will see it one at the area code and your number no no so what we're doing here is a since this extension as permission to the whole web site it also has permission to Google Voice right so we're actually able to hijack that parsed Google Voice it's CSRF token on the fly and then some proof a text message or actually I changed it so it's no longer a text message I'm actually spoofing a phone call so as a user I wanted to get someone to call someone I would I would have Matt within a vulnerable Injection or vulnerable extension I would pop as it is extension then I would force a phone call to his phone and then that would call whoever I want it to be our last one was also a text message but it's not limited to that we can pull down your call history we can pull down your text messages sure we can pull down your voicemails it's it's really not limited at all your phone ring no yeah minoring no yes it's using the victims what was voice account to have to call you so you actually as an attacker you were just using my Google Voice account which then called you and that could all be automated again it's just like buttons because they're pretty the demo gods are not smiling know this anyway let's grow another fun one which is execute alert which executes JavaScript the same thing with Google calm so we're
just gonna go ahead okay google calm
Facebook JavaScript injected Twitter
Yahoo and Chase is still giving some
airs so let's just go ahead and pretend there's an alert box there proceed I won't actually work I don't think that works yeah oh look at that anymore
there we go so these these websites don't have any vulnerabilities in them they're probably do well I'm sure they do it's case we don't have permission to test that we we haven't exposed and you're utilized any vulnerabilities in these websites we're just injecting co2 them so we could go one step further instead of alert why don't we just inject a JavaScript key logger I mean there's your in memory now where you now have a key logger in every page that you go to and it's not just spawning tabs I can contact tabs that are already open and injects as much or whatever I we can
listen for what tabs you're opening we can view your history right via the
history API we can watch I Love Lucy alright so then another fun one which
hopefully it doesn't kernel panic your Mac again kernel panic on Mac earlier
let's we can actually do xhr scans
because we have access to colon star dot
star or whatever we have access to everything this also includes IP addresses so we can actually use xhr requests to scan your local subnet and look for anything listening on port 80 I didn't do this on this one and we'll see if anything pops up and hope to god that it doesn't oh yeah button doesn't work my button doesn't work oh that's not good - all different yeah we can basically do any port that's not restricted by the browser so the browser has it hard-coded you can't access like port 20 through 25 you can't do like IRC you can't do SMB stuff so you want to be able to do s and be scanning and the network - you look for Windows host but you could pull down a local list of web servers in your local area network so I could potentially fingerprint your internal network by taking over one of your extensions scan your internal network look for fancy things say you have JIRA listening or you have maybe there's printers there that I can take advantage of who was that our black hat talk anyone yeah okay cool that's it yeah so we felt we found a printer we did the xhr scan and there was a printer listening that we could have printed on the podium at blackhat when we did that was pretty awesome I don't know why this isn't working now it's probably somewhere they may not there may not even be anything I bet they have it yeah we might be segregated so it's kind of cool because you can you can see it dudes little thing here and it scans really fast like it scanned all it made all those requests at the same time and it's it's a very quick scan and we can we can pull back not only the fact that the host is up because we have access to the content on all the pages we're requesting we can pull back the full HTML page and the headers so if you do have like JIRA or some wiki or ticketing system on your internal network we can pull that back parse that page and find it exactly what it is and then from there we can as an attacker go okay
great you have JIRA I have as JIRA zero-day
from your web browser I'm actually going
to own your JIRA server load up a
meterpreter session and suddenly I have a Rachelle from your JIRA server that I
attacked from your browser calling out back to me and I have a real shell on a server inside your network so what's his last pass who's heard of it uses it okay for those of you don't know what it is it's a password manager right so us as security guys we're always telling people hey you need to use different passwords for everything right Oh use the different password for every website that you go to and remember them all alright so the you know this last past is actually a website that helps that make makes that a little bit more user friendly right so you go there you make one password for LastPass it it generates passwords for all your different sites stores them securely it actually is really awesome service Kyle used it and that's why we found well the vulnerability in it they have an extension in chrome it had cross-site scripting in it when we first were testing it but they fixed it right away they've actually been really awesome to work with so there's no vulnerability in it right now so this is kind of our demo of like we can own an extension that has no vulnerability in it that's doing absolutely everything correctly and it's pretty cool all right so when I was testing my last best extension I did find a vulnerability some pretty hard to manage on drag whatever they fixed that pretty immediately but I realized as I was testing it there's this functionality of the extension that all as long as you're logged into the extension it'll automatically log you into the LastPass website so if you're logged into the extension like you are I mean you're going to be logged into the extension if you're browsing the net you want to be able to access your gmail account without being logged in you you don't want to have to reopen a gate so you've always got the little red square up there saying that you're logged in so when you that's when that's a case you can go to LastPass comm and it'll automatically log you into LastPass comm it does this because the extension 
notices that you went to LastPass calm and it kind of handle it handles the login process for you it lets the server know that you're actually logged in and then it passes your local crypto key from LastPass to the to the web browser or to that of the frame so real quick LastPass like Matt was saying great service it handles all of your encryption locally so so your database that you send them is all encrypted it's it's not in clear text and your password has never actually sent to them it's it's all stored locally it's it's all in the Dom it's all decrypted in the Dom with with a representation of your password so anyway it passes that local key to that frame now we can take advantage of this this automation because we can if we say we own an RSS reader just Joe Schmoe RSS reader some third-party developer that you know doesn't really know anything about security but make some great extensions and say has like 500,000 downloads in the App Store right now we can we can spawn a tab for LastPass where of course you know not speaking of any actual top-rated RSS reader with a vulnerability in it currently or anything like that so we can we can spawn a new window with LastPass and what this does is the LastPass extension then goes in and and notices that window so it thinks that you opened that window and that you want to go to LastPass com so it automatically logs you into your online vault and you know you can change settings there and all that and access all your passwords and and that's great but instead of allowing the user to do that we're gonna have the extension automatically open this window allow the extension to log you in and then inject JavaScript to pull out your crypto key so now I've got your private key to decrypt your database then I'm gonna just you know grab your database because I can do that it's very trivial and we're gonna demonstrate it right now we
could just decrypt it locally in our
hacker den at home it's like a man cave but with more green lights and neo so
we're logged in right now and we've got recently used so okay Google and a bank so if we go ahead and click grab LastPass database it's gonna spawn it up it's gonna automatically load it up so
we're logged in no prompt from the user in just a second it's gonna you know change so okay so here is your actual crypto key up there is weird way of passing it between the extension now I grabbed your database and then I just decrypted it on the fly and threw it right there so what we can do with this is we can just grab the database send it back to us with your key and then suddenly I've literally got the keys to the kingdom I don't know about you guys but I put way too much information in my last class extension I've been using it for about two months and I probably have close to about 50 sites or more that I just used because I slowly switching away from my weaker passwords to the really long random stuff but that doesn't matter if an attacker can just come in and literally steal my LastPass database and cryptographic key that's my password too so we did this at blackhat and we didn't actually write this is not really in my password DEFCON don't try to log in and someone logged in and sent us an email they were very nice and they didn't change the password on us and lock us out but we didn't trust you guys yeah you look shifty oh you evil anyway so so the important thing to know about
this is that it there's no vulnerability
LastPass at the moment we're not taking advantage of anything that LastPass is
the No No cross-site scripting that we know about what we did find they fixed immediately there's the extension itself is not vulnerable anymore and actually this functionality is no longer there they made it so you actually have to click it from within the extension so still ownable but the extension doesn't automatically log you in but if you are logged in we can still own it all right so it's not as automatic and cool as what our demo is but it's still own appeal and that is the last version of LastPass so you're all safe now I promise so we're running out of time so
let's try to fly through some of this so how many of you guys know what beef is I've heard of it I'm hoping some of you alright how many know what Metasploit is hoping a lot more than you okay cool so beefs kind of like the Metasploit of the web web app right so you can store a lot of pre-loaded kind of payloads and things like that to do cool stuff and help making hacking websites easier right so if you find a job across that scripting vulnerability in in a website instead of just hoping that your JavaScript does but you wanted it to do the first time that you passed this injection you can pass it a beef hook which is what it's called and it actually maintains access and you can just replay attacks over and over again so it makes everything that we did just really really easy right so I made this even easier and I pretty much just took
all of the demo functional I did and I threw them into beef extensions beef modules so now when you own an app all you got to do is hook beef and suddenly you have beef inside the extension you can maintain access and you can send commands as you want good so your quote I'm not there yet so first check permissions like if you don't know what extension you're in for whatever reason all the extensions we tested are all local so we don't really need to check the extensions but if somehow you managed to own an extension that you're not really familiar with you can hit this module and it'll give you all that information execute tabs xqr baterry javascript inside of all tabs so if you want to inject a keylogger it's pretty simple and my favorite inject beef so basically if you have tabs open and I want inside of those tabs instead of doing execute tab I can just inject beef into those tabs so I suddenly go from one beef session to 50 beef sessions because you have 50 tabs open so now not only am i inside your extension but I'm actually inside bankofamerica.com I'm inside your PayPal account I'm inside of every website or every tab that you currently have opened and it's it's well do your quote yo dawg i heard you like beef so i put beef in your beef so you can befall you beef perfect and the other three just do kind of with the other demos that we had so basically our
main point that we're trying to push here right is that this is kind of the same problem we've been dealing with forever we're just it looks different right so this isn't the end-all be-all of security but it's definitely a step in a direction you know you it eliminates a lot of modern malware and viruses because you can't talk to the hard drive but that doesn't you know mean that we still don't want the information in you that you're storing on the internet now and if you're using one of these devices you're being pushed very heavily to store a lot of information on the Internet right in order to get functionality of these so like I said we're not looking for these buffer overflows under flows any sort of stuff like that you know we're just looking for cross-site
scripting which is you know the most widely seen vulnerability on the web today and since you're literally taking the desktop out of the desktop operating system you have to rebuild all the functionality that you're used to with your desktop operating system you don't have a calculator anymore so you have to download a calculator extension you
don't have a mail client so you have to use some mail client or notification system to do to recreate that so one of the things that one of the first things that people ask as soon as I tell them that any of this research is what about the sandbox all right I hear about this chrome sandbox did you guys break it did you guys you know break the chrome sandbox oh my god right we didn't break it we just went around it these extensions actually live outside of the sandbox so what a Samba but the sandbox does for anyone is not familiar is it isolates each tab from any other tab that's open and also isolates that tab from the hard drive so that's why it eliminates a lot of the modern malware and viruses that we see today but these extensions actually control their own kind of inter tab to their communication and again I made that word up and I think it's awesome inter tabular right so so these extensions completely control the communication on their own set the the the permissions that are set locally and they live outside the sandbox so instead of breaking it we're walking right around it we pour water in your sandbox so you know again just to harp on this these permissions are set by the third-party developer you know they're not set by Google and they're not checked by Google but you know a lot of that stuff that Google did put in place has made some awesome improvements in security we're just kind of here to say hey that's not it that's not like the end-all be-all one other really cool thing that they did on the Chrome Web Store is explicitly like we're not allowed to attack the Chrome Web Store via any extensions it's actually hard-coded into the chrome source that you cannot in none of the extensions can interact with the Chrome Web Store and the reason they did this because is because if we could we could force you to install an extension so we can kind of do a privilege escalation right so if you had a scratch pad installed with vulnerability that can talk to 
docs.google.com in and we could do some more stuff but we can't do that they thought of that way before we did so but so we're gonna we're gonna we're gonna fly past this because we didn't do too much research on it but nifty new feature of Google the market Android com who's used it who knows what it is okay cool a bunch of you so you can install apps on your Android phone from the internet that's not blacklisted so we can actually force install apps onto your phone via across a certain part of Google services as soon as you go to that website you're automatically logged on and your phone is listed in these this sync devices so we can literally open up a tab spit some JavaScript at it and force you to download and install our own malicious extension again a probably adjusting beaver wallpaper and then we can just harvest information off of your phone without you ever knowing because it doesn't really prompt you on your phone it doesn't tell you that something's about to be installed it just tells you justin beaver live has been installed finally got it yeah so just in discussion with the Google security team we've been we've been talking to them this whole time they're really cool guys one of the ideas that they have for kind of fixing this in the future is creating more restrictive api's for common use cases things like RSS readers they're gonna eliminate a lot of the risk involved with that they're gonna try to create api's for extensions that absolutely need to use this wide open permission set in order to function properly this unfortunately does not eliminate the threat of a developer not knowing any better and creating an extension with lot of permissions right so it's just for common use case API so it's not going to eliminate it but it could absolutely do sit that's it
alright one more thing that we wanted to note is that all of this is the same for Chrome browser the only difference between Chrome OS and Chrome browser is that Chrome browser on a Windows Mac Linux machine is just another operating or another person just another browser so you're probably not going to be installing tons and tons of its extensions unlike the Chrome OS one other thing to note is unlike Chrome OS the Chrome browser can install extensions with binaries on them as plugins so LastPass actually has the ability to sync your LastPass logged in status among your other browsers using the binary we can actually interact with some of those binaries with JavaScript and I haven't looked into a whole lot of it but with LastPass alone there's functionality to read arbitrary files on the file system so if I owned your LastPass extension not only do I own everything in LastPass I can read random files from your hard drive as I feel cool thanks guys we'll be in the Q&A be across-the-hall if you want to talk to us
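The manifest.json review the speakers describe (wide-open host patterns combined with the cookies, history, bookmarks and tabs APIs), turned into an automated check a defender or Web Store reviewer could run over a batch of extensions. This is an added example, not code from the talk or from WhiteHat Security; the two sample manifests are constructed, and inspecting the MV3-style `host_permissions` key alongside `permissions` is an assumption the talk does not mention.

```python
"""Flag the manifest.json pattern the talk describes: wide-open host permissions
combined with powerful APIs. Added example, not code from the talk or from
WhiteHat Security. Assumptions not on the page: manifests are plain JSON, and the
MV3-style "host_permissions" key is checked alongside the MV2 "permissions" list.
"""
import json
import re
from dataclasses import dataclass

# Match-pattern grammar: <scheme>://<host><path>; <all_urls> is a special form.
MATCH_RE = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)$")

# API permissions the talk singles out and what an XSS in the extension gains.
SENSITIVE_APIS = {
    "cookies": "read every cookie for permitted hosts (session hijacking)",
    "history": "read browsing history (pick the sites the user visits most)",
    "bookmarks": "read and edit bookmarks",
    "tabs": "enumerate/open tabs; with host access, tabs.executeScript",
}
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    detail: str


def parse_match_pattern(pattern):
    """Return (scheme, host, path) for a match pattern, or None if malformed."""
    if pattern == "<all_urls>":
        return ("*", "*", "/*")
    m = MATCH_RE.match(pattern)
    return m.groups() if m else None


def is_wide_open(pattern):
    """True when the host part is a bare '*' (any domain). A scoped pattern such
    as 'https://*.google.com/*' matches one domain tree and is not wide open."""
    parts = parse_match_pattern(pattern)
    return parts is not None and parts[1] == "*"


def split_permissions(manifest):
    """Separate host match patterns from API permission names."""
    declared = list(manifest.get("permissions", []))
    declared += list(manifest.get("host_permissions", []))  # MV3 puts hosts here
    hosts = [p for p in declared if p == "<all_urls>" or "://" in p]
    return hosts, [p for p in declared if p not in hosts]


def audit_manifest(manifest):
    """Return the list of Finding objects for one parsed manifest."""
    hosts, apis = split_permissions(manifest)
    wide = [h for h in hosts if is_wide_open(h)]
    findings = [Finding("high", f"host permission {h!r} reaches every site") for h in wide]
    findings += [Finding("medium", f"{a}: {SENSITIVE_APIS[a]}") for a in apis if a in SENSITIVE_APIS]
    # The combinations from the talk: wide-open hosts turn an XSS in the extension
    # into script injection or cookie theft across every site the user visits.
    if wide and "tabs" in apis:
        findings.append(Finding("critical", "wide-open hosts + tabs: script can be injected into any open page"))
    if wide and "cookies" in apis:
        findings.append(Finding("critical", "wide-open hosts + cookies: every session cookie is readable"))
    return findings


def highest_severity(findings):
    """Worst severity present, or 'none' for a clean manifest."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


def audit_json(text):
    """Parse a manifest.json string and audit it."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests, not real extensions: a note-taking app scoped to
# Google hosts, and a feed reader that needs every site plus cookies and history.
SCOPED_NOTES_APP = json.dumps({"name": "notes", "manifest_version": 2, "permissions": [
    "storage", "tabs", "https://docs.google.com/*", "https://www.google.com/*"]})
WIDE_OPEN_READER = json.dumps({"name": "reader", "manifest_version": 2, "permissions": [
    "tabs", "cookies", "history", "*://*/*"]})

if __name__ == "__main__":
    for label, text in (("scoped", SCOPED_NOTES_APP), ("wide-open", WIDE_OPEN_READER)):
        findings = audit_json(text)
        print(f"{label}: {highest_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.detail}")
```

Run against a directory of unpacked extensions, the `critical` findings are the ones the talk is about: an extension where a single XSS is enough to reach every site the user is logged into.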