Slide 1

PostMessage Security in Chrome Extensions
Arseny Reutov
https://raz0r.name
OWASP London Chapter

Slide 2

$ whoami
• Web application security researcher at Positive Technologies
• Member of the Positive Hack Days (https://phdays.com) conference board
• Occasional web security blogger (https://raz0r.name)

Slide 3

Agenda
• Chrome extensions & their messaging
• PostMessage security considerations
• Mounting extensions analysis
• The results!
• The takeaways

Slide 4

Part I: CHROME EXTENSIONS & THEIR MESSAGING

Slide 5

Chrome extensions ecosystem
• The Chrome Web Store is notorious for its security problems (unintuitive permission dialogs, malware and insecure extensions)

Slide 6

Chrome extensions messaging

Slide 7

Extension manifest file

    {
      "name": "My Extension",
      "description": "My Super Chrome Extension",
      "version": "1.0",
      "background": {
        "scripts": ["js/background.js"]
      },
      "content_scripts": [
        {
          "matches": [""],
          "js": ["js/jquery.js", "js/content.js"]
        }
      ],
      "permissions": ["tabs", "http://*/*", "https://*/*"]
    }

Slide 8

Part II: POSTMESSAGE SECURITY CONSIDERATIONS

Slide 9

PostMessage API
The window.postMessage() method enables cross-origin communication.

    someWindow.postMessage(
      "my message", // message data
      "*"           // target origin
    );

Slide 10

PostMessage API
The developer is in charge of origin validation.

    window.addEventListener("message", receiveMessage, false);

    function receiveMessage(event) {
      if (event.origin !== "http://example.org") return; // checking origin host
      if (event.source !== window) return;              // or origin window
      process(event.data);
    }

Slide 11

PostMessage API
• If origin validation is absent or flawed, an attacker’s message data can reach dangerous pieces of code.
• See “The pitfalls of postMessage” by Mathias Karlsson for common origin validation bypasses.
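As an added illustration of the two points above (this is not code from the talk), the listener below contrasts a substring-based origin check with an exact allowlist match; the trusted origin https://example.org and the sample events are constructed for the example:

```javascript
// Added example, not from the talk. Trusted origin and sample events are constructed.
const TRUSTED_ORIGINS = new Set(["https://example.org"]);

// Flawed check of the kind the talk warns about: it only asks whether the
// trusted host name appears somewhere inside the origin string.
function isTrustedOriginWeak(origin) {
  return origin.indexOf("example.org") !== -1;
}

// Strict check: exact match (scheme, host and port) against an allowlist.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Listener body as a pure function so it can be exercised without a DOM.
// `event` carries the MessageEvent fields the talk's listener inspects;
// `process` stands in for the extension's real handler.
function handleMessage(event, isTrusted, process) {
  if (typeof event.origin !== "string" || !isTrusted(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  // A marker property in event.data is not authentication: whoever posts the
  // message chooses the data, so validate its shape but never treat it as identity.
  if (typeof event.data !== "object" || event.data === null ||
      typeof event.data.type !== "string") {
    return { accepted: false, reason: "unexpected payload shape" };
  }
  return { accepted: true, result: process(event.data) };
}

// Constructed sample events: the trusted page, an unrelated origin whose
// host merely contains "example.org", and the trusted host over plain HTTP.
const SAMPLE_EVENTS = [
  { origin: "https://example.org", data: { type: "ping" } },
  { origin: "https://example.org.unrelated.example", data: { type: "ping" } },
  { origin: "http://example.org", data: { type: "ping" } },
];

// Returns, per sample event, whether the given origin check lets it through.
function evaluate(isTrusted) {
  return SAMPLE_EVENTS.map((e) => handleMessage(e, isTrusted, (d) => d.type).accepted);
}

// Wiring it up in a real page or content script (no-op outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessage(e, isTrustedOrigin, console.log), false);
}
```

The weak check accepts all three sample events; the strict one accepts only the exact https origin.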

Slide 12

PostMessage API
• Unlike other DOM events, message propagation to listeners cannot be stopped via return false or stopPropagation().
• Extensions’ message listeners are not listed in Chrome Developer Tools.

Slide 13

PostMessage Attack Vectors
Method 1: iframes

    var iframe = document.createElement("iframe");
    iframe.src = "http://target.com";
    iframe.contentWindow.postMessage("some message", "*");

Pros: stealthy
Cons: killed by X-Frame-Options and framebusters

Slide 14

PostMessage Attack Vectors
Method 2: opening a new window

    var targetWindow = window.open("http://target.com");
    targetWindow.onload = function() {
      targetWindow.postMessage("some message", "*");
    }

Pros: not affected by X-Frame-Options
Cons: more noisy

Slide 15

PostMessage in Chrome extensions
• Chrome extensions use the postMessage API to receive messages from external websites (e.g. translator services) or from within the same origin (especially in developer tools extensions)
• postMessage data can be passed into the background script context and, in some cases, even reach the OS via the Native Messaging API

Slide 16

Part III: MOUNTING EXTENSIONS ANALYSIS

Slide 17

The Research Steps
• Download extensions (Web Development category only)

Slide 18

The Research Steps
• Parse CRX files (https://github.com/vladignatyev/crx-extractor)
• Convert to ZIP
• Unpack

Slide 19

The Research Steps
• Parse the manifest file, find content scripts
• Parse each content script with the Acorn JS parser (https://github.com/ternjs/acorn)
• Look for postMessage listeners with an Acorn plugin

Slide 20

The Research Steps
• Log each postMessage listener found into a local Elasticsearch
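An added example (not the talk's tooling) for the "parse CRX, convert to ZIP" step of the pipeline above: it reads the CRX2/CRX3 header to find where the embedded ZIP archive begins, using a constructed CRX2 sample in place of a downloaded extension:

```javascript
// Added example, not the tooling used in the talk. Layouts (all integers 32-bit LE):
//   CRX2: "Cr24" | version=2 | pubkey length | signature length | pubkey | signature | ZIP
//   CRX3: "Cr24" | version=3 | header length  | header (protobuf)           | ZIP
const MAGIC = "Cr24";

// Returns the byte offset at which the ZIP archive begins inside a CRX buffer.
function crxZipOffset(buf) {
  if (buf.length < 12 || buf.toString("latin1", 0, 4) !== MAGIC) {
    throw new Error("not a CRX file");
  }
  const version = buf.readUInt32LE(4);
  let offset;
  if (version === 2) {
    if (buf.length < 16) throw new Error("truncated CRX2 header");
    offset = 16 + buf.readUInt32LE(8) + buf.readUInt32LE(12);
  } else if (version === 3) {
    offset = 12 + buf.readUInt32LE(8);
  } else {
    throw new Error(`unsupported CRX version ${version}`);
  }
  // The lengths come from the file itself, so bound them before trusting them.
  if (offset + 2 > buf.length) throw new Error("header lengths exceed file size");
  // Every ZIP record starts with the "PK" signature.
  if (buf[offset] !== 0x50 || buf[offset + 1] !== 0x4b) {
    throw new Error("no ZIP payload at computed offset");
  }
  return offset;
}

// The "convert to ZIP" step: the CRX minus its header is a plain ZIP archive.
function crxToZip(buf) {
  return buf.subarray(crxZipOffset(buf));
}

// Constructed CRX2 sample: dummy key and signature bytes wrapping a minimal
// ZIP local file header signature followed by zero padding.
function buildSampleCrx2(keyLen, sigLen, zipBytes) {
  const header = Buffer.alloc(16);
  header.write(MAGIC, 0, "latin1");
  header.writeUInt32LE(2, 4);
  header.writeUInt32LE(keyLen, 8);
  header.writeUInt32LE(sigLen, 12);
  return Buffer.concat([header, Buffer.alloc(keyLen, 0xaa), Buffer.alloc(sigLen, 0xbb), zipBytes]);
}
const SAMPLE_ZIP = Buffer.from("504b0304" + "00".repeat(26), "hex");
const SAMPLE_CRX2 = buildSampleCrx2(5, 7, SAMPLE_ZIP);
```

Writing crxToZip(buffer) to a .zip file gives the archive that the unpack and manifest-parsing steps consume.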

Slide 21

Part IV: THE RESULTS

Slide 22

React Dev Tools
• Only recently gained postMessage protection, through an external PR:

Slide 23

React Dev Tools
• Prior to the fix, the message was validated only by checking a special property (which is user-controlled):

Slide 24

Ember Inspector
• No origin validation, but, luckily, the data does not reach sensitive parts.

Slide 25

AngularJS Batarang (Angular v1.x)
• Developers have no clue how to validate the origin

Slide 26

Augury (Angular v2.x)
• Again, origin validation consists only of checking a magic string

Slide 27

Augury (Angular v2.x)
• Augury employs an interesting message serialization:

Slide 28

Augury (Angular v2.x)
• XSS on any website with the extension installed

Slide 29

Augury (Angular v2.x)

Slide 30

LanSweeper Shell Execute

Slide 31

LanSweeper Shell Execute

Slide 32

LanSweeper Shell Execute

Slide 33

Part V: THE TAKEAWAYS

Slide 34

The takeaways
• For users:
  – do not install shady extensions from unknown publishers
  – check requested permissions

Slide 35

The takeaways
• For developers:
  – pay attention to origin validation in message listeners
  – consider origin bypass tricks
  – do not rely on magic strings

Slide 36

The takeaways
• For browsers:
  – should provide built-in origin validation
  – see the getMessage proposal by @homakov

Slide 37

Thank you!