Exploiting Chromium Browsers: The Threat of Unauthorized Extension Loading

Recent research has unveiled a significant security vulnerability in Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave. This flaw allows attackers to load arbitrary extensions without user consent, posing substantial risks to user privacy and system integrity.

Understanding the Vulnerability

Chromium browsers record installed extensions in JSON preference files inside the user profile, such as `%AppData%\Google\User Data\Default\Preferences` on domain-joined machines or `Secure Preferences` on standalone systems. By editing these files, an attacker can make the browser load any extension, bypassing both the Chrome Web Store and user approval.

Technical Prerequisites for Exploitation

To successfully exploit this vulnerability, attackers must:

1. Pre-calculate the Extension ID: Extension IDs are derived from the extension’s public key (or, for unpacked extensions, its installation path) by taking the SHA-256 hash, keeping the first 32 hexadecimal characters, and mapping each hex digit onto the custom alphabet a–p.

2. Generate Valid Message Authentication Codes (MACs): Chromium employs HMACs, seeded with a static value from `resources.pak` (specifically resource file 146), to sign critical JSON keys. Attackers can reverse-engineer this algorithm to compute valid MACs for `extensions.settings.` and `extensions.developer_mode`, enabling the silent registration of malicious extensions.

3. Bypass Enterprise Policy Controls: In enterprise environments, Group Policy Objects (GPOs) are often used to allowlist or blocklist extensions through policies such as `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist`. Attackers can circumvent these controls by:

– Reusing RSA Public Keys: By using the RSA public key of a trusted corporate-approved extension (e.g., Adobe Acrobat Reader for Chrome), attackers can generate a matching extension ID and inject a malicious unpacked extension under that ID, bypassing hash-based allowlists.

– Extension ID Collision: If an unpacked extension and a store-installed extension share the same ID, Chromium prioritizes the unpacked version, allowing attackers to stealthily override trusted plugins.

– Modifying Registry Policies: Windows applies Group Policy in LSDOU order (Local, Site, Domain, Organizational Unit). A local administrator can delete or modify registry entries under `HKCU\Software\Policies\Google\Chrome`, removing the allowlist or blocklist and sidestepping policy enforcement entirely.

Potential Impacts

Exploiting this vulnerability enables threat actors to:

– Intercept Network Traffic: Monitor and manipulate data transmitted between the user and the internet.

– Scrape Session Cookies: Access and potentially hijack user sessions on various websites.

– Execute Background Service Workers: Run malicious scripts in the background without user awareness.

– Inject Content Scripts: Modify the content of web pages to display fraudulent information or capture user inputs.

A proof-of-concept toolkit developed by Synacktiv demonstrates remote deployment via SMB alongside a custom command-and-control (C2) server, enabling JavaScript execution within the browser process and undermining protections such as App-Bound Encryption.

Mitigation Strategies

To defend against this attack vector, it is crucial to:

– Monitor Preference Files: Regularly check for unauthorized changes to JSON preference files.

– Validate Registry Policies: Ensure the integrity of registry policy settings to prevent unauthorized modifications.

– Detect Anomalous Extension Registrations: Implement mechanisms to identify and block unauthorized extension installations.

Without these detection mechanisms, phantom extensions can provide a stealthy and persistent route for data exfiltration and lateral movement within enterprise networks.
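As an added example (not from the article or Synacktiv's toolkit), the following Python derives extension IDs as described in step 1 above and scans a constructed `Secure Preferences` fragment for the registrations the mitigation list asks defenders to detect. The `path`, `from_webstore` and `manifest.key` fields it inspects are assumed from Chromium's preference layout, and the key bytes and preference content are constructed.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER public keys (in a real profile: manifest.json "key", base64-decoded).
TRUSTED_KEY = b"constructed-stand-in-for-an-allowlisted-extension-public-key"
BENIGN_KEY = b"constructed-stand-in-for-another-store-extension-public-key"

def extension_id_from_key(der_public_key: bytes) -> str:
    """Derive the ID as the article describes: SHA-256 of the key, keep the
    first 32 hex characters, map each hex digit onto the alphabet a-p."""
    prefix = hashlib.sha256(der_public_key).hexdigest()[:32]
    return prefix.translate(str.maketrans("0123456789abcdef", "abcdefghijklmnop"))

def is_absolute_path(path: str) -> bool:  # drive letter, UNC prefix or POSIX root
    return bool(re.match(r"^(?:[A-Za-z]:[\\/]|\\\\|/)", path))

def flag_suspicious_registrations(secure_prefs: dict, allowlist: set) -> dict:
    """Return {extension_id: [reasons]} for extensions.settings entries that look
    side-loaded. Field names path/from_webstore/manifest.key are assumed, not from the article."""
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        reasons = []
        # Store installs record a path relative to the profile's Extensions
        # directory; an absolute path is the mark of an unpacked load.
        if is_absolute_path(entry.get("path", "")):
            reasons.append("unpacked extension: absolute install path")
        if ext_id in allowlist and not entry.get("from_webstore", False):
            reasons.append("allowlisted ID not installed from the Web Store")
        key_b64 = entry.get("manifest", {}).get("key")
        # A reused trusted key passes this check, so the two checks above are the ones that catch it.
        if key_b64 and extension_id_from_key(base64.b64decode(key_b64)) != ext_id:
            reasons.append("ID does not match the manifest public key")
        if reasons:
            findings[ext_id] = reasons
    return findings

TRUSTED_ID, BENIGN_ID = extension_id_from_key(TRUSTED_KEY), extension_id_from_key(BENIGN_KEY)
# Constructed Secure Preferences fragment: one genuine store install and one
# phantom unpacked extension registered under the allowlisted ID.
SAMPLE_PREFS = {"extensions": {"settings": {
    BENIGN_ID: {"path": BENIGN_ID + "/2.0.1_0", "from_webstore": True,
                "manifest": {"key": base64.b64encode(BENIGN_KEY).decode()}},
    TRUSTED_ID: {"path": "C:\\Users\\Public\\phantom", "from_webstore": False,
                 "manifest": {"key": base64.b64encode(TRUSTED_KEY).decode()}},
}}}

if __name__ == "__main__":
    print(flag_suspicious_registrations(SAMPLE_PREFS, {TRUSTED_ID}))
```

Because the phantom entry reuses the trusted extension's key, only the install-path and Web Store origin checks distinguish it; an ID-based allowlist alone cannot.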