
Chrome users face 3 security issues over the past 24 hours

wall03

Summary

 

Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome's sync feature to bypass firewalls

 

Quotes

Quote

First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.

 

Google's official reason for the removal is characteristically terse. Messages displayed on devices that had the extension installed say only, “This extension contains malware” along with an indication that it has been removed. A Google spokesman declined to elaborate.

 

The longer back story is that, as reported in a GitHub thread in November, the original extension developer sold it last June, and it began showing signs of malice under the new ownership. Specifically, the thread said, a new version contained malicious code that tracked users and manipulated Web requests.

 

 

Next, Google on Thursday released a Chrome update that fixes what the company said was a zero-day vulnerability in the browser. Tracked as CVE-2021-21148, the vulnerability stems from a buffer overflow flaw in V8, Google’s open-source JavaScript engine. Google rated the severity as “high.”

 

Once again, Google provided minimal information about the vulnerability, saying only that the company “is aware of reports that an exploit for CVE-2021-21148 exists in the wild.”

In a post published Friday by security firm Tenable, however, researchers noted that the flaw was reported to Google on January 24, one day before Google’s threat analysis group dropped a bombshell report that hackers sponsored by a nation-state were using a malicious website to infect security researchers with malware. Microsoft issued its own report speculating that the attack was exploiting a Chrome zero-day.

 

 

Lastly, a security researcher reported on Thursday that hackers were using malware that abused the Chrome sync feature to bypass firewalls so the malware could connect to command and control servers. Sync allows users to share bookmarks, browser tabs, extensions, and passwords across different devices running Chrome.

 

The attackers used a malicious extension that wasn’t available in the Chrome Web Store. The above link provides a wealth of technical details.

 

A Google spokesman said that developers won’t be modifying the sync feature because “physically local attacks (meaning those that involve an attacker having access to the computer) are explicitly outside of Chrome's threat model.” He included this link, which further explains the reasoning.

 

My thoughts

Welp... maybe we shouldn't all rely on Chrome 100% of the time?

 

Sources

https://arstechnica.com/information-technology/2021/02/chrome-users-have-faced-3-security-concerns-over-the-past-24-hours/

please quote me or tag me @wall03 so i can see your response

motherboard buying guide      psu buying guide      pc building guide     privacy guide

ltt meme thread

folding at home stats

 

pc:

 

RAM: 16GB DDR4-3200 CL-16

CPU: AMD Ryzen 5 3600 @ 3.6GHz

SSD: 256GB SP

GPU: Radeon RX 570 8GB OC

OS: Windows 10

Status: Main PC

Cinebench R23 score: 9097 (multi) 1236 (single)

 

don't some things look better when they are lowercase?

-wall03

 

hello dark mode users

goodbye light mode users


Me reading this while using Google Chrome:


 

5 minutes ago, wall03 said:

The attackers used a malicious extension that wasn’t available in the Chrome Web Store. The above link provides a wealth of technical details.

On a more serious note, if the extension isn't available in the Chrome Web Store, how would people actually have it on their computer for the attackers to utilize?

I mostly speak from my own past experience from similar problems. My solution may not work for you, but I'll always try my best to help as much as I can. If you want me to see your reply, make sure to quote my comment or mention me @WaggishOhio383, and I'll get back to you as soon as possible.

 

-- My PC Build --

Ryzen 7 2700x

AsRock B450 Steel Legend

XFX RX 590 Fatboy

Crucial Ballistix Tactical Tracer RGB 16GB 3200MHz
120GB Crucial BX500 SSD + 2TB Seagate Barracuda HDD

Corsair CX650M

Phanteks Eclipse P350x


5 minutes ago, WaggishOhio383 said:

Me reading this while using Google Chrome:


 

On a more serious note, if the extension isn't available in the Chrome Web Store, how would people actually have it on their computer for the attackers to utilize?

Is that an iMac G5?

Yep, that's an iMac G5.
And which extension?

elephants


5 minutes ago, WaggishOhio383 said:

On a more serious note, if the extension isn't available in the Chrome Web Store, how would people actually have it on their computer for the attackers to utilize?

The article in the link describes how: 

Quote

In this case, however, the attackers did not use Chrome Web Store but dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation. This is actually a legitimate function in Chrome – you can access it by going to More Tools -> Extensions and enabling Developer mode, after which you can load any extensions locally, directly from a folder by clicking on "Load unpacked":

So it sounds like the attacker would need physical access to a computer with your Chrome account logged in, if I understand it correctly.


Good luck finding a good browser that isn't based on Chromium these days.  Let's all just switch to Netscape. 

 

On a serious note though, I see this as less of an issue with Chrome (although there was a CVE). I consider this to be more a message to everyone, regardless of browser, that extensions are applications that run inside of your browser, and as browsers become more capable, these extensions can have greater capabilities in an OS-interaction context. 

 

Be careful of what permissions you give extensions - if it looks like  it's using more than it needs, maybe don't install it until you've further researched it. 

 

This could've been very close to a "millions of Chrome users' passwords sent to Chinese public cloud servers" story. Luckily though, the intentions of the malicious party were probably only advertising fraud. 

 

 

8 minutes ago, WaggishOhio383 said:

On a more serious note, if the extension isn't available in the Chrome Web Store, how would people actually have it on their computer for the attackers to utilize?

 

I think it was available in the web store, and the compromised version was in the web store, which ended up losing track with its Git commits. So effectively, users viewing the Git repository for the extension weren't aware of the malicious scripts being executed. It was removed from the Web Store recently though. 

 

If you use this after June, then you are affected. 
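Both points raised in this thread, the "Load unpacked" route quoted from the article and the advice to watch what permissions an extension asks for, can be checked on disk rather than by eyeballing chrome://extensions. The script below is an added example written for this thread; it is not code from the Ars article, from Google, or from anyone posting here. It reads the `extensions.settings` map from a Chrome profile's Secure Preferences file and flags extensions that were side-loaded (loaded unpacked or from the command line, or not marked as coming from the Web Store) or that request permissions letting them observe or rewrite web traffic. The numeric location codes, the `from_webstore` key, and the per-OS profile paths are assumptions drawn from Chromium's source and may differ between Chrome versions; the embedded sample JSON and its extension ids are constructed for the demo.

```python
"""Audit a Chrome profile's installed extensions for side-loaded ("Load unpacked")
extensions and broad permissions. Added example; not from the article or the forum."""
import json
import os
import sys
from pathlib import Path

# Values of Chromium's ManifestLocation enum as stored under extensions.settings.<id>.location
# (assumption based on Chromium source; verify against the Chrome build you audit).
LOCATION_UNPACKED = 4       # loaded via chrome://extensions -> Developer mode -> "Load unpacked"
LOCATION_COMPONENT = 5      # built into Chrome itself, not user-installed
LOCATION_COMMAND_LINE = 8   # loaded with --load-extension=<dir>

# Permissions that let an extension watch or rewrite traffic and tabs (our own watch list).
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs",
    "cookies", "history", "nativeMessaging", "debugger", "proxy",
}


def load_extension_settings(prefs_text: str) -> dict:
    """Return the extensions.settings map from a Preferences/Secure Preferences JSON string."""
    return json.loads(prefs_text).get("extensions", {}).get("settings", {})


def audit_extensions(settings: dict) -> list:
    """One finding per non-component extension: where it came from and what it can do."""
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location == LOCATION_COMPONENT:
            continue  # Chrome's own built-in pieces; skip them
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        sideloaded = (location in (LOCATION_UNPACKED, LOCATION_COMMAND_LINE)
                      or not entry.get("from_webstore", False))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "path": entry.get("path", ""),
            "sideloaded": sideloaded,
            "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        })
    return findings


def flagged(findings: list) -> list:
    """Findings worth a second look: side-loaded, or granted a high-risk permission.
    A Web Store origin alone is not a clean bill of health, so permissions are checked regardless."""
    return [f for f in findings if f["sideloaded"] or f["risky_permissions"]]


def default_prefs_path() -> Path:
    """Best-effort location of the default profile's Secure Preferences file (assumed paths)."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = Path.home() / ".config" / "google-chrome"
    return base / "Default" / "Secure Preferences"


# Constructed sample of the relevant part of a Secure Preferences file; ids, names and
# paths are made up. Entry "cccc..." mimics an extension loaded with "Load unpacked".
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": True,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0.0_0",
        "manifest": {"name": "Note Taker", "version": "1.0.0", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 1, "from_webstore": True,
        "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\2.3.0_0",
        "manifest": {"name": "Tab Sleeper", "version": "2.3.0",
                     "permissions": ["tabs", "storage", "<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {"location": 4, "from_webstore": False,
        "path": "C:\\Users\\Public\\ext",
        "manifest": {"name": "Helper", "version": "0.1",
                     "permissions": ["webRequest", "webRequestBlocking"],
                     "host_permissions": ["<all_urls>"]}},
    "dddddddddddddddddddddddddddddddd": {"location": 5, "from_webstore": False,
        "manifest": {"name": "Chrome PDF Viewer", "version": "1"}},
}}})


if __name__ == "__main__":
    # Usage: python audit_extensions.py [path/to/Secure Preferences]; falls back to the sample.
    prefs_file = Path(sys.argv[1]) if len(sys.argv) > 1 else default_prefs_path()
    text = prefs_file.read_text(encoding="utf-8") if prefs_file.exists() else SAMPLE_PREFS
    for f in flagged(audit_extensions(load_extension_settings(text))):
        tag = "SIDELOADED" if f["sideloaded"] else "webstore"
        print(f"{tag:10} {f['name']} {f['version']} perms={f['risky_permissions']} path={f['path']}")
```

Run it against the sample and it reports two entries: "Tab Sleeper" (from the Web Store, but holding `tabs` and `<all_urls>`) and "Helper" (loaded unpacked from a local folder with `webRequest` permissions). Point it at a real profile while Chrome is closed, since Secure Preferences is rewritten while the browser runs.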


2 minutes ago, The_russian said:

The article in the link describes how: 

So it sounds like the attacker would need physical access to a computer with your Chrome account logged in, if I understand it correctly.

I could've read the reference article incorrectly, but here's a statement from it: 

 

"Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see"

 

I personally didn't see any reference to the necessity to manually install the extension onto your workstation.  I thought that the maintainer put bad code on the Chrome Store but didn't make the same changes on GitHub. 


2 minutes ago, Akolyte said:

I could've read the reference article incorrectly, but here's a statement from it: 

 

"Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see"

 

I personally didn't see any reference to the necessity to manually install the extension onto your workstation.  I thought that the maintainer put bad code on the Chrome Store but didn't make the same changes on GitHub. 

I see why there's confusion. The story is about 3 different security issues. You are referring to the first one, the Great Suspender extension. I was replying to someone asking about the third security issue, how attackers used a malicious extension not found on the Chrome Web Store that abused Chrome's sync feature. 


2 hours ago, Akolyte said:

Good luck finding a good browser that isn't based on Chromium these days.  Let's all just switch to Netscape. 

 

On a serious note though, I see this as less of an issue with Chrome (although there was a CVE). I consider this to be more a message to everyone, regardless of browser, that extensions are applications that run inside of your browser, and as browsers become more capable, these extensions can have greater capabilities in an OS-interaction context. 

 

Be careful of what permissions you give extensions - if it looks like  it's using more than it needs, maybe don't install it until you've further researched it. 

 

This could've been very close to a "millions of Chrome users' passwords sent to Chinese public cloud servers" story. Luckily though, the intentions of the malicious party were probably only advertising fraud. 

 

 

 

I think it was available in the web store, and the compromised version was in the web store, which ended up losing track with its Git commits. So effectively, users viewing the Git repository for the extension weren't aware of the malicious scripts being executed. It was removed from the Web Store recently though. 

 

If you use this after June, then you are affected. 

Google did do a fairly effective job forcing that one. Same technique as Microsoft used for things like C sharp. They didn’t quite follow protocols but claimed they did. Then they gave away free tools which would produce code that only really worked reliably with Chromium browsers.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


Wait, does Chrome not put inactive tabs to sleep? 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

9 hours ago, gabrielcarvfer said:

Netscape/Firefox? After the deranged CEO nonsense, it's not an option.

can you elaborate?

MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB


This just makes me more glad I switched to Firefox.

Currently focusing on my video game collection.

It doesn't matter what you play games on, just play good games you enjoy.

 


On 2/5/2021 at 11:00 PM, Akolyte said:

Good luck finding a good browser that isn't based on Chromium these days.

Samsung internet? 

 

Although it's not as good as it used to be, so maybe it's Chromium-based also... 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 
