Jump to content

Chrome Extensions Can Be Disabled Without User Interaction


Batu69

Recommended Posts

Using JavaScript, attackers can disable Chrome extensions automatically, without the user doing anything prior

Mathias Karlsson, Web security expert at Detectify Labs, has uncovered an issue with the Google Chrome browser that allows attackers to disable extensions without any user interaction.

This can be a very dangerous issue since some extensions can be used to bolster the browser's security, like, for example, the HTTPS Everywhere extension, used in Mr. Karlsson's proof of concept.

The attack is leveraged using the Chrome extension URI, a special URL scheme employed by the Chrome browser that looks like: chrome-extension://gcbommkclmclpchllfjekcdonpmejbdp/

Accessing this URL corrupts the (HTTPS Everywhere) extension, shutting it down.

Because of this, a long time ago, the Chrome team made it impossible for the browser to even load this URI scheme inside a link, image, or any other page element.

This move has prevented attackers from using this method for tricking users into disabling their (security) extensions, unaware of what they were really doing.

Chrome extensions URIs can still be accessed via PING requests

To Mr. Karlsson's credit, he has found a go-around for this safeguard, and that's by using the "ping" attribute inside a regular link. The code looks like this:

Adding this to your links will automatically disable the extension with the "gcbommkclmclpchllfjekcdonpmejbdp" ID when the user clicks that link. Of course, you can use any IDs you'd like in order to disable the extensions you want.

Additionally, Mr. Karlsson has also experimented with the notion of triggering user clicks automatically using JavaScript, which gets executed on page load.

This means that an attacker can easily disable a list of Google Chrome security extensions when users access their site, allowing them to carry on their attacks unhindered, without the user being aware, or having to do anything.

The bug was reported to the Chrome team, which has already fixed this issue in their most recent Beta release.

Source

Link to comment
Share on other sites


  • Views 808
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...