Malware in the browser: how you might get hacked by a Chrome extension

Increasingly, browsers are taking on a central role in our daily lives. With web apps for everything, we have placed our most intimate data on online services such as Facebook, Amazon or Gmail. This move to online services has required that we up the security of our online services, and due diligence has brought us HTTPS-only sites, two-factor authentication, and so on.

But there’s still a weak link in the chain: a rogue browser extension can impair all of those security measures. It seems like most people are unaware of how big of an attack vector browser extensions have become. They’re still quite unregulated territory, and although there are inherent limits to what they can do, there exists little to no protection against extension malware - your antivirus can’t help you here.

In this post, I’ll share what I have found by investigating one such malware extension that a friend of mine was infected by. I’ve hesitated a lot about publishing all of the code, but have finally decided against it; I would never want to help propagate malware. However, I still want to show how this malware functions, so I’ll be posting extracts of the code in this post. I’ve taken the liberty to remove some lines that were irrelevant to the point I was making, but everything else is really as I have found it.

On my Facebook news feed, I had noticed that one of my friends was regularly liking some weird, lewd, clickbaity links. Now clickbait content is far from uncommon on Facebook, but something was off in this case. I had noticed a pattern: it was always the same friend who would Like the same type of links. They would always have around 900 Likes and no comments, while the page behind them has about 30 Likes. Even weirder: every single post on that page is posted 25 times.

One of the posts that my friend had Liked.

Now I know my friend; he’s a smart guy, so I don’t really see him liking tons of this (frankly) crap content. Intrigued, I decided to go down the rabbit hole and see what this was all about. I was instantly greeted with a message saying that I should verify my age before I could view the content. The semi-raunchy nature of the content made it seem sort of justified. What wasn’t justified, though, was the fact that this verification had to be done by installing a Chrome extension.

The Chrome extension that I would have to install in order to "verify my age"

The extension is allegedly offered by a website called (not linking to them). A quick search for their other extensions revealed that they had 9 visibly identical extensions. They’ve now been removed, but back when I looked at it, those extensions had a total of 132,265 users.

A list of almost identical extensions being offered by Viralands on the Chrome Webstore

Feeling that something was completely off, I decided to take a look at the extension’s code before doing anything else.

A facade of utility

The extension manifest is suspicious at best

A good place to start is the extension’s manifest, a file called manifest.json. This is a metadata file containing information about the extension such as its name, description, version number, permissions, and so on. Generally, looking at the requested permissions and listed scripts gives an idea of what the extension will do.

The extension asks the following permissions:

To simulate a request to the server, I ran:
curl -o actions.json
You’ll need to create your own UID if you want to get your very own instructions.
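
The manifest review described above (requested permissions and listed scripts) can be scripted when triaging an unfamiliar extension. The following JavaScript is an added example, not code from the original post or from the extension it analyses; the sample manifest, the function names and the set of permissions treated as sensitive are assumptions made for illustration. It also reads the Manifest V3 `host_permissions` key, which goes beyond what the post covers.

```javascript
// Added example: triage of a Chrome extension manifest.json.
// SAMPLE_MANIFEST is constructed for illustration; it is NOT the manifest from the post.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Age Verify (constructed sample)",
  version: "1.0",
  permissions: ["tabs", "storage", "webRequest", "<all_urls>"],
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }],
});

// Chrome API permissions that give wide visibility or control (assumed shortlist).
const SENSITIVE_APIS = new Set(["tabs", "webRequest", "webRequestBlocking", "cookies",
  "history", "management", "downloads", "nativeMessaging", "debugger", "proxy"]);

// A match pattern is "broad" when its host part is a bare wildcard.
function isBroadPattern(p) {
  return p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p);
}

function auditManifest(jsonText) {
  const m = JSON.parse(jsonText);
  // MV2 mixes API names and host patterns in "permissions"; MV3 uses "host_permissions".
  const declared = [...(m.permissions || []), ...(m.host_permissions || [])]
    .filter((p) => typeof p === "string");
  const findings = {
    sensitiveApis: declared.filter((p) => SENSITIVE_APIS.has(p)),
    broadHosts: declared.filter(isBroadPattern),
    injectedEverywhere: [],
    backgroundCode: [],
  };
  for (const cs of m.content_scripts || []) {
    if ((cs.matches || []).some(isBroadPattern)) findings.injectedEverywhere.push(...(cs.js || []));
  }
  const bg = m.background || {};
  findings.backgroundCode = [...(bg.scripts || []), bg.page, bg.service_worker].filter(Boolean);
  // Access to every page plus a background context is the combination worth a code review.
  findings.needsCodeReview = (findings.broadHosts.length > 0 || findings.injectedEverywhere.length > 0)
    && findings.backgroundCode.length > 0;
  return findings;
}

console.log(auditManifest(SAMPLE_MANIFEST));
```

The script names it reports (`inject.js` and `background.js` in the constructed sample) are the files to read first when reviewing the extension's code.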