Posted on May 4, 2020 at 11:42 AM
There was a publication last week by a security researcher, which shows a proof-of-concept Chrome extension is using Chrome browsers as proxy bots. The proxy bots allow hackers to browse the web using a compromised user’s system.
The software, known as CursedChrome, was developed by security researcher Mathew Bryant and registered as an open-source project on GitHub.
CursedChrome comes in two variants – the server-side component and the client-side variant. The server-side is the main control panel for CursedChrome bots while the client-side is Chrome’s extension.
Attackers may infiltrate systems using the software
After the installation of the extension on some browsers, the attacker would be able to log into the control panel of the CursedChrome and connect to the affected hosts. A simple Websocket connects both the control panel and the extension, which works like a typical HTTP reverse proxy.
As a result, after a successful connection to the compromised system, the attacker will be able to browse the web with a compromised browser. As a result, they can steal online identities and login sessions to gain access to restricted areas, such as enterprise apps or intranets.
The cybersecurity has frowned at the release of CursedChrome, as many believe it has made it easier for hackers to infiltrate systems. May claim it could give attackers the avenue to create their own malicious CursedChrome in the future.
CursedChrome was designed as a pen-tester’s system
In response to the complaints and reservations the cybersecurity community has about CursedChrome, Bryant has explained that it was not his intention to make it easier for hackers to design theirs in the future.
He said he decided to keep the code for open-source access because he wanted pen-testers and professional red teamers to know how to properly determine the “malicious browser-extension scenario”.
Bryan is referring to cyber-security experts who are employed by companies to break into their servers to find out any security loopholes from the company.
He said the works of these groups of hackers are very important for the organization that pays them because they can discover any vulnerability and correct them before the darknet hacker does.
“Open-sourcing tooling is important for red teams for the same reasons as any other job,” Bryant said.
He also said it will help the teams from various organizations save time from rewriting everything each time they do a pen-test or red team. The importance cannot be underestimated because red teamers and pen-testers do their job on extremely tight timelines.
CursedChrome works on already existing technology
Bryant also stated that CursedChrome is not so unique that attackers could not afford to build it themselves. He said even if he had not created it, hackers who want to build it for the sake of attacking systems can achieve that too.
According to him, CursedChrome works on existing technology and there is nothing new used in the technology that hackers have not seen.
Similar tools like open-source BeEF protocol and “Browser’s pivot”, which have the same technology as CursedChrome have been existing for a long time.
Also, there are free technical details available in open-source on how to carry out the attack.
Attackers will find it difficult to arm the software
Also, Bryan said he’s not worried about whether hackers might use the code for dubious reasons. He said doing so would require the attacker to either install CursedChrome through Chrome’s developer mode or an enterprise policy. They could also weaponize it by hosting the extension on the Chrome Webstore.
He said the options the attackers have are nearly impossible ones since both scenarios require more authentication from the company’s network.
Bryan said he was inspired to develop CursedChrome because he wants to raise awareness on malicious Chrome extension and the havoc they can cause to enterprise organizations.
These days, browser extensions are more vital as organizations make use of more web-based tools. If an employee did not follow the employee’s security rules and installs dangerous extensions, they can open loopholes for attackers to launch their malicious tools in their systems. It will allow hackers to bypass VPN filters or firewalls.
But it’s vital to make more employees aware of the level of access they are granting others when they install random extensions on their browsers.
An extension such as CursedChrome can show organizations how exposed they are if they fail to control the type of extensions their employees install in their systems, he concluded.