Cybersecurity firm Synacktiv has found that hackers can compromise Chromium-based browsers like Chrome, Edge, and Brave by directly altering preference files. This allows attackers to silently install malicious extensions without the user's consent and without going through the Chrome Web Store.
An attack of this kind has three main requirements:
- Pre-calculating the extension ID.
- Generating valid message authentication codes (MACs) for the extension and a specific developer mode flag.
- Bypassing enterprise policy controls.
How Hackers Bypass Enterprise Controls
Enterprise environments often use Group Policy Objects (GPOs) to control which extensions can be installed. However, Synacktiv found three ways to get around these controls:
- ID Collisions: An attacker can reuse the public key of an approved corporate extension, like Adobe Acrobat Reader, to create a malicious extension with the same ID. When an installed extension and an unpacked version share the same ID, Chromium prioritizes the unpacked, malicious one.
- Registry Manipulation: A local administrator can simply delete or change the registry entries that enforce extension allowlists and blocklists, sidestepping policy enforcement entirely.
- Local Overrides: Since Windows applies policies in a specific order, local administrator changes can override Group Policy settings, removing allowlists or blocklists.
The Dangers of "Phantom Extensions"
By using these techniques, attackers can deploy malicious extensions that can intercept network traffic, steal session cookies, and inject scripts into web pages. A proof-of-concept toolkit from Synacktiv demonstrates how these extensions can be deployed remotely and communicate with a command-and-control server to run JavaScript code within the browser.
To protect against this threat, it is important to monitor for unauthorized changes to preference files, check the integrity of registry policies, and detect any unusual extension registrations. Without these security measures, these "phantom extensions" can provide a stealthy and persistent way for attackers to steal data from an entire enterprise.
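The following script is an added example, written for this article and not part of Synacktiv's toolkit or any Chromium code. It shows what the monitoring described above looks like in practice for the preference-file side of the problem: it loads a Chromium profile's preference JSON, derives each extension ID from its manifest key (Chromium's documented scheme: SHA-256 of the DER public key, first 32 hex digits remapped 0-9a-f to a-p), flags entries whose ID does not match their key, flags extensions loaded unpacked from an absolute path, and, covering the ID-collision case from the enterprise-bypass section, flags an allowlisted ID that is being served from an unpacked directory. The preference layout it reads (`extensions.settings.<id>` with `location`, `path` and `manifest.key`, the `extensions.ui.developer_mode` flag, and the location values 1 = Web Store install and 4 = unpacked) is an assumption about Chromium's profile format; the allowlist and the sample preferences are constructed for the example.

```python
import base64
import hashlib
import json
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Set

# Assumed Chromium ManifestLocation values as stored in extensions.settings.<id>.location
# (1 = installed from the Web Store, 4 = loaded unpacked from a local directory).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4


def extension_id_from_key(key_b64: str) -> str:
    """Derive the extension ID Chromium assigns to a manifest "key":
    SHA-256 over the DER-encoded public key, first 32 hex digits, 0-9a-f -> a-p."""
    der = base64.b64decode(key_b64)
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def _is_absolute(path: str) -> bool:
    # Web Store installs use a path relative to the profile (e.g. "<id>/1.2.3_0");
    # unpacked extensions record the absolute directory they were loaded from.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_preferences(prefs: Dict, allowlist: Set[str]) -> List[str]:
    """Return human-readable findings for suspicious extension entries."""
    findings: List[str] = []
    ext = prefs.get("extensions", {})
    if ext.get("ui", {}).get("developer_mode"):
        findings.append("developer_mode=true: profile is set up to load unpacked extensions")
    for ext_id, settings in ext.get("settings", {}).items():
        location = settings.get("location")
        path = settings.get("path", "")
        key = settings.get("manifest", {}).get("key")
        # An entry whose ID was not derived from its own key was not written by Chromium.
        if key and extension_id_from_key(key) != ext_id:
            findings.append(f"{ext_id}: ID does not match manifest.key (hand-edited entry?)")
        if location == LOCATION_UNPACKED or (path and _is_absolute(path)):
            if ext_id in allowlist:
                findings.append(
                    f"{ext_id}: allowlisted ID but loaded unpacked from {path} "
                    "(possible ID collision with an approved extension)"
                )
            else:
                findings.append(f"{ext_id}: unpacked extension loaded from {path}")
    return findings


def load_preferences(path: str) -> Dict:
    """Load a profile's 'Preferences' or 'Secure Preferences' JSON file."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed key material: not a real extension key, just stand-in DER bytes.
GOOD_KEY = base64.b64encode(b"constructed DER bytes for an approved extension").decode()
APPROVED_ID = extension_id_from_key(GOOD_KEY)


def sample_prefs() -> Dict:
    """Constructed preference excerpt: one approved key reused by an unpacked copy,
    one hand-written entry with a mismatched key, and one normal Web Store install."""
    return {
        "extensions": {
            "ui": {"developer_mode": True},
            "settings": {
                APPROVED_ID: {
                    "location": LOCATION_UNPACKED,
                    "path": "C:\\Users\\Public\\phantom",
                    "manifest": {"key": GOOD_KEY, "name": "Approved-looking extension"},
                },
                "aaaabbbbccccddddeeeeffffgggghhhh": {
                    "location": LOCATION_INTERNAL,
                    "path": "aaaabbbbccccddddeeeeffffgggghhhh/1.0.0_0",
                    "manifest": {"key": GOOD_KEY},
                },
                "iiiijjjjkkkkllllmmmmnnnnoooopppp": {
                    "location": LOCATION_INTERNAL,
                    "path": "iiiijjjjkkkkllllmmmmnnnnoooopppp/2.3.1_0",
                },
            },
        }
    }


if __name__ == "__main__":
    for line in audit_preferences(sample_prefs(), {APPROVED_ID}):
        print(line)
```

Point `load_preferences` at a profile's `Secure Preferences` file and pass the IDs from your `ExtensionInstallAllowlist` policy as the allowlist. The script audits content only; it does not recompute the per-entry MACs, so a tampered file with valid MACs (the scenario the article describes) still has to be caught by the content checks above, which is why the ID-to-key and unpacked-path tests matter more than the MAC itself.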