CursedChrome reminds us why extensions can be vicious too

Edward G. | May 7, 2020

The digital space has always been a fertile ground for new threats, data breaches, and hacking incidents. Security researchers deserve appreciation for responding to such situations round-the-clock. However, another part of their job is the prevention of cyber attacks. One such recent attempt proves the fact that no software is too small to be malicious. In this case, browser extensions are the ones described as potentially dangerous, even capable of turning Chrome browsers into proxy bots.

The new threat on the map called CursedChrome

Last week, a proof-of-concept Chrome extension called CursedChrome appeared on GitHub as an open-source project. The premise here is that the extension can act as an intrusive application, granting access to the infected browsers.

As a result, hackers can hijack users’ logged-in sessions and, ultimately, take advantage of users’ digital data. This invasion includes access to private details, networks, intranets, and other restricted areas. The consequences of such attacks can be highly devastating, especially for employees accessing enterprise apps. A browser extension can lead hackers straight to classified information of companies.

A security researcher named Matthew Bryant worked on and released the CursedChrome tool. He explained that this project encourages experts to run simulations and, in turn, serves the purpose of educating companies and individuals about the capabilities of browser extensions.

The CursedChrome consists of two main components: a client-side and server-side that communicate through a WebSocket connection, functioning as a typical HTTP reverse proxy. In short, the client-side is the browser extension. The server-side functions as a control panel and is responsible for collecting information from the infected browsers. According to the simulations, once users install the CursedChrome extension on several browsers, crooks can connect to the control panel and gain access to the host. From that point, the hackers could act on a whim to jeopardize users’ and companies’ privacy.

Is it ethical to release such findings as open-source?

As expected, the cybersecurity advocates are skeptical that the release of CursedChrome is beneficial. They state that by releasing the code as open-source, researchers serve as assistants to hackers, fueling them with new ideas and actual resources for attacks. Therefore, what prevents hackers from feeling inspired and releasing their versions of CursedChrome?

According to Matthew Bryant, the intention behind this study is to educate the public about the often disregarded threat of malicious browser extensions. Companies often lack resources to build and implement their tests. The CursedChrome might help them conduct simulations and further such attacks.

Additionally, while Bryant’s project might seem ground-breaking, the threat of similar extensions has existed for years. In fact, tools like Cobalt Strike’s “browser pivot” (for Internet Explorer) might also contribute to the creation of malicious extensions. Therefore, while experts might call the release of CursedChrome a reckless decision, the technology for such attacks has been around for years.

Another pivotal question is whether hackers can take the open-source code and use it for their attacks. Turning CursedChrome into a functional malicious extension requires several things. Crooks need to host the dangerous version on the Chrome Web Store, transmit it through an enterprise policy or via Chrome’s developer mode. Both scenarios are unlikely as the first would mean bypassing strict detection policies of web stores. For the second scenario to be realistic, the hackers would require access to a company’s network. If they already have access, they would no longer need the extension.

Why is this research relevant?

The rising number of threats in the digital space encourages companies to opt for various security-boosting options. Some businesses prefer using a VPN to protect their networks and resources from unauthorized access. Additionally, the Zero Trust model is one of the popular approaches that automatically label all devices and users as untrustworthy.

Considering this potential shift to the Zero Trust approach, hackers might try to get their hands on users’ web sessions through different attacks. Therefore, the CursedChrome tool exposes how vulnerable people are. Even a seemingly irrelevant browser extension could expose victims’ data and have devastating consequences on businesses.

Luckily, there is a solution

Some researchers might expose the problem, but lack resources or ideas to actually solve it. Together with CursedChrome, Bryant released another project on GitHub. The solution called Chrome Galvanizer is a web-based application that can help companies prevent browser extensions from accessing specific websites. Therefore, even if an employee accidentally downloads a malicious tool, hackers won’t be able to visit the restricted sites.

What lessons can we learn from this research? For one, we should avoid installing unknown software, even if it is a simple browser extension. While hackers can design stealthy attacks, most of them still require user interaction to work. Additionally, you can install antivirus software and run regular scans to detect malicious programs. To protect your browsing activities, it is also a good idea to install a VPN. Instead of having your IP addresses and browsing habits logged to unknown systems, VPN guarantees anonymity and protection, necessary for all netizens.

Edward G.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.



© 2022 Atlas VPN. All rights reserved.