Wednesday, October 24, 2012

Security & Hacking: Hacker Halted "Malicious Browser Extensions"

Short version, based on my understanding: this is a presentation by Zoltan Balazs, with a proof-of-concept extension that the user has to be tricked into installing in Firefox (i.e., social engineering).

On the other hand, with Chrome it would need to get onto the official Chrome Store, so there is a much higher barrier to success on Chrome.

If a user makes the mistake of installing this malware in their browser, then they are pretty much pwned.

It defeats at least some types of two-factor authentication; they specifically mention Google's.

Two things stood out to me, quoted below from the Computerworld article:
"Chrome's support for Native Client (NaCl), a sandboxing technology that allows Web applications to run C or C++ code inside the browser, can be leveraged by the Chrome extension to efficiently crack password hashes."

"The Safari version was easy to create because Chrome extensions can be easily converted to Safari extensions, Balazs said."

