SlideShare a Scribd company logo

[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012

Zoltan Balazs, profile picture
Zoltan Balazs

The document discusses the history and risks of malicious browser extensions. It begins with a brief history of malicious Firefox extensions from 2004-2012, noting a rise from 5 extensions in 2011 to 48 from January to October 2012. The document then demonstrates a home-made Firefox extension that can perform command and control, steal cookies/passwords, and execute code remotely. It discusses disadvantages of browser extensions compared to other malware. Finally, it acknowledges risks of zombie browsers and calls on antivirus developers, browser developers, website developers and users to address these risks.

Technology
Related topics:
IT Security
1 of 47
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals Member of the gula.sh team
I love Hacking
I love Zombie movies
I love LOLcats
Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
Zombie browsers, spiced with rootkit extensions Hacktivity 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 06, 2012: 48* *Data from mozilla.org
More examples on Facecrook Text ©f-secure
My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Safari demo
Installing the extension Physical access Social Engineering Remote code execution – without user interaction
Firefox rootkit 1 • Hook into other extension (even signed ones)
Firefox rootkit 2 • visible = false
Firefox rootkit 3 • seen in the wild
Quick Quiz - for Hacker Pschorr
Quick Quiz • Which company developed the first Netscape plugin? • *****
Quick Quiz • Which company developed the first Netscape plugin? • A***e
Quick Quiz • Which company developed the first Netscape plugin? • Adobe in 1995
Risks of a Zombie Browser • Eats your brain while you are asleep
Risks of a Zombie Browser
Risks of a Zombie Browser • Firewall/proxy  • Local firewall  • Application whitelisting  • Web-filtering 
Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence • Writing into registry is not needed
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/44 • Extension vs. behavioral based detection 
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/44 • Extension vs. behavioral based detection 
Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x74x65 x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39f e[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
Profit ...
Firefox
Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Chrome - rootkit
Chrome - distributed password hash cracking • Idea and coding by my friend and colleague, WoFF • Password hash cracking performance • Javascript: 82,000 hash/sec • Chrome native client: 840,000 hash/sec • Native code (john): 11,400,000 hash/sec
ChromeOS DEMO
ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
Firefox webcam
Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code will be released under GPL in 2012 Greetz to @hekkcamp
References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012

More Related Content

PDF
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
PDF
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 
PDF
Wi-Fi Hotspot Attacks
Greg Foss
 
PDF
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
Felipe Prado
 
PPTX
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
PDF
How to hack a telecom and stay alive
qqlan
 
PPTX
Browser exploit framework
Prashanth Sivarajan
 
PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 
Wi-Fi Hotspot Attacks
Greg Foss
 
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
Felipe Prado
 
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
How to hack a telecom and stay alive
qqlan
 
Browser exploit framework
Prashanth Sivarajan
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 

What's hot (16)

PPTX
[Wroclaw #2] Web Application Security Headers
OWASP
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
PPTX
Nightmares of a Penetration Tester ( How to protect your network)
Chris Nickerson
 
PPTX
Hacking routers as Web Hacker
HeadLightSecurity
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PPTX
Fuzzing
Khalegh Salehi
 
KEY
Introduction to web security @ confess 2012
jakobkorherr
 
PPTX
Webinar - Tips and Tricks on Website Security
StopTheHacker
 
PPTX
Flipping the script
Chris Nickerson
 
PDF
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
PPTX
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
PDF
[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
OWASP
 
PPTX
"Introduction to Bug Hunting", Yasser Ali
HackIT Ukraine
 
PPTX
Devouring Security XML Attack surface and Defences
gmaran23
 
ODP
Malware analysis
xabean
 
[Wroclaw #2] Web Application Security Headers
OWASP
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
Nightmares of a Penetration Tester ( How to protect your network)
Chris Nickerson
 
Hacking routers as Web Hacker
HeadLightSecurity
 
Web Security - Introduction v.1.3
Oles Seheda
 
Fuzzing
Khalegh Salehi
 
Introduction to web security @ confess 2012
jakobkorherr
 
Webinar - Tips and Tricks on Website Security
StopTheHacker
 
Flipping the script
Chris Nickerson
 
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
OWASP
 
"Introduction to Bug Hunting", Yasser Ali
HackIT Ukraine
 
Devouring Security XML Attack surface and Defences
gmaran23
 
Malware analysis
xabean
 

Similar to [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012 (20)

PDF
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
PPTX
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
PPTX
Firefox (in)Security
Prasanna Kanagasabai
 
PPT
Sunil-Hacking_firefox
guest66dc5f
 
PPT
Sunil - Hacking Firefox - ClubHack2007
ClubHack
 
PPT
Hack Firefox to steal websecrets
guestb3d416
 
PDF
Elsevier NESE - Spying on the Browser
Aditya K Sood
 
PPTX
Firefox security (prasanna)
ClubHack
 
PDF
Browser Malware Taxonomy
Aditya K Sood
 
PDF
The Evil Friend in Your Browser
Achim D. Brucker
 
PPTX
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
 
PDF
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
PDF
Man In The Browser
Save Manos
 
PDF
Browser Horror Stories
EC-Council
 
PDF
About Firefox
s1180171
 
PDF
Slide
s1180179
 
PDF
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
ODP
New or obscure web browsers 4x3 (rcsi draft 6)
msz
 
ODP
New or obscure web browsers (4x3 draft 5)
msz
 
PPTX
Web browsertico
tico3195
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Firefox (in)Security
Prasanna Kanagasabai
 
Sunil-Hacking_firefox
guest66dc5f
 
Sunil - Hacking Firefox - ClubHack2007
ClubHack
 
Hack Firefox to steal websecrets
guestb3d416
 
Elsevier NESE - Spying on the Browser
Aditya K Sood
 
Firefox security (prasanna)
ClubHack
 
Browser Malware Taxonomy
Aditya K Sood
 
The Evil Friend in Your Browser
Achim D. Brucker
 
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
Man In The Browser
Save Manos
 
Browser Horror Stories
EC-Council
 
About Firefox
s1180171
 
Slide
s1180179
 
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
New or obscure web browsers 4x3 (rcsi draft 6)
msz
 
New or obscure web browsers (4x3 draft 5)
msz
 
Web browsertico
tico3195
 

More from Zoltan Balazs (20)

PPTX
[ Hackersuli ] Privacy on the blockchain
Zoltan Balazs
 
PPTX
MLSEC 2020
Zoltan Balazs
 
PDF
Web3 + scams = It's a match
Zoltan Balazs
 
PDF
MIPS-X
Zoltan Balazs
 
PPTX
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
PPTX
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
PDF
How to hide your browser 0-days
Zoltan Balazs
 
PPTX
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
PDF
Hacking Windows 95 #33c3
Zoltan Balazs
 
PPTX
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
PDF
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
PDF
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
PPTX
Sandboxes
Zoltan Balazs
 
PPTX
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
PPTX
Hacking with Remote Admin Tools (RAT)
Zoltan Balazs
 
PDF
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 
PPTX
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
PPTX
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
Zoltan Balazs
 
PPT
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
[ Hackersuli ] Privacy on the blockchain
Zoltan Balazs
 
MLSEC 2020
Zoltan Balazs
 
Web3 + scams = It's a match
Zoltan Balazs
 
MIPS-X
Zoltan Balazs
 
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
How to hide your browser 0-days
Zoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
Hacking Windows 95 #33c3
Zoltan Balazs
 
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Sandboxes
Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
Zoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012

  • 1. Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals Member of the gula.sh team
  • 3. I love Zombie movies
  • 5. Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
  • 6. Zombie browsers, spiced with rootkit extensions Hacktivity 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
  • 7. About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
  • 9. History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 06, 2012: 48* *Data from mozilla.org
  • 10. More examples on Facecrook Text ©f-secure
  • 11. My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
  • 18. Installing the extension Physical access Social Engineering Remote code execution – without user interaction
  • 19. Firefox rootkit 1 • Hook into other extension (even signed ones)
  • 20. Firefox rootkit 2 • visible = false
  • 21. Firefox rootkit 3 • seen in the wild
  • 22. Quick Quiz - for Hacker Pschorr
  • 23. Quick Quiz • Which company developed the first Netscape plugin? • *****
  • 24. Quick Quiz • Which company developed the first Netscape plugin? • A***e
  • 25. Quick Quiz • Which company developed the first Netscape plugin? • Adobe in 1995
  • 26. Risks of a Zombie Browser • Eats your brain while you are asleep
  • 27. Risks of a Zombie Browser
  • 28. Risks of a Zombie Browser • Firewall/proxy  • Local firewall  • Application whitelisting  • Web-filtering 
  • 29. Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence • Writing into registry is not needed
  • 30. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/44 • Extension vs. behavioral based detection 
  • 31. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/44 • Extension vs. behavioral based detection 
  • 32. Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x74x65 x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39f e[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
  • 35. Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
  • 38. Chrome - distributed password hash cracking • Idea and coding by my friend and colleague, WoFF • Password hash cracking performance • Javascript: 82,000 hash/sec • Chrome native client: 840,000 hash/sec • Native code (john): 11,400,000 hash/sec
  • 40. ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
  • 41. ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
  • 43. Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
  • 44. Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
  • 46. Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code will be released under GPL in 2012 Greetz to @hekkcamp
  • 47. References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012