Detecting High Risk Chrome Extensions with OSQuery

Sarah Zipkin, The Quiq Blog, Oct 29, 2019

After reading articles about several malicious Chrome extensions that had snuck into the webstore, we undertook a project to determine which Chrome extensions our employees had installed, and to track which ones had been added by employees directly. We approached this using osquery, which we already use for malware detection, configuration management, and monitoring. Our concern was not only the potential for malicious extensions that had snuck into the Chrome webstore, but also the potential for Chrome extensions with a much greater scope than they need to fulfill their advertised purpose.

This second category of Chrome extensions, the ones with more permissions than they otherwise need, can and sometimes do use these extra permissions to log and sell user data for profit, even without being actively malicious. Knowing that any amount of company or employee data could potentially be leaving our environment without our knowledge was enough to spur us into researching the potential threat.

As of now, there is very little oversight by Google or any other third party regarding Chrome extensions: their security, their origin, or their privileges. However, Google will be implementing new privacy requirements that could help change the landscape of these threats: developers will only be allowed to request access to the data they need to implement their features, and more extensions will be required to post privacy policies. Still, requiring less aggressive permissions and more privacy policies is no guarantee that all malicious extensions will be caught, or that an extension with access to user data for one purpose will not collect that data and sell it as a second income stream.

With that in mind, we turned to OSQuery to audit which of our users' Chrome extensions fell into the high-risk category, so that we could look into each high-risk extension and either whitelist it or alert on it.

We used the following query to check for High Risk Scopes:

SELECT *
FROM chrome_extensions
WHERE chrome_extensions.uid IN (SELECT uid FROM users)
AND (permissions LIKE '%clipboardWrite%'
OR permissions LIKE '%<all_urls>%'
OR permissions LIKE '%tabs%'
OR permissions LIKE '%cookies%'
OR permissions LIKE '%://*/%')

The first challenge when putting together this query was that there is very little documentation on what each permission means, and what exists is hard to find and unclear. The following scopes were identified as high risk:

clipboardWrite: this allows the extension to modify all data copied or pasted into the clipboard. This permission is an easier-to-exploit version of clipboardRead.

<all_urls>: this gives the extension access to read and modify data on every website and file:// URL you visit, effectively letting it behave as a man in the middle.

Tabs: this permission allows the extension to build a list of sites that have been visited. The extension can see the full URL of each site, including S3 links and document links.

Cookies: allows the extension access to all cookies, including those that may contain access tokens.

://*/*: a host pattern of this form works effectively the same as <all_urls>.

Once we had this query set up, we ran it against the company laptops and were blown away by what we found. We found over 80 unique add-ins in the high-risk category. Around half of the total add-ins we found had these high-risk scopes, and not all of them were from reputable companies. When we looked at each add-in's Chrome Store page using the unique ID of the extension, we found extensions that did not exist, extensions whose author pages redirected back to google.com, and extensions whose first result in Google was an article about that extension selling user data.

You can look up the Chrome webstore link for each extension by taking the unique ID field from OSQuery and pasting it into https://chrome.google.com/webstore/detail/<id>. For example, uBlock Origin has a unique ID of cjpalhdlnbpafiamejdnhcphjbkeiagm, so its Chrome webstore link would be: https://chrome.google.com/webstore/detail/cjpalhdlnbpafiamejdnhcphjbkeiagm

We went through each extension, adding them to a whitelist one by one while removing as many as possible. Many of our users had no knowledge of installing or ever using the extensions on the list. Overall, we found more high-risk Chrome extensions than we expected, more unknown extensions than we expected, and had more trouble tracking down the companies associated with each extension than we anticipated at the beginning of the project.
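The query above, the list of high-risk scopes, the webstore lookup by unique ID, and the whitelist step can be combined into one triage pass over osquery's output. The following is an added example, not code from the original post or from the osquery project: it reads rows in the shape produced by `osqueryi --json`, flags the same scopes the post names, attaches the webstore link, and drops whitelisted IDs. It assumes the osquery chrome_extensions columns are named `identifier` and `permissions` and that `permissions` is a comma-separated string; the sample rows are constructed (only the uBlock Origin identifier comes from the post, its permission list does not).

```python
"""Triage osquery chrome_extensions rows for the post's high-risk scopes.

Added example, not the post's or osquery's own code. Assumes the osquery
chrome_extensions table exposes `identifier` (the extension's unique ID)
and `permissions` (a comma-separated string).
"""
import json
import re

# The scopes the post treats as high risk, matched as whole tokens.
HIGH_RISK_PERMISSIONS = {"clipboardWrite", "<all_urls>", "tabs", "cookies"}

# Host patterns that grant access to every host, e.g. "*://*/*" or "http://*/*".
# This is the token-level equivalent of the post's LIKE '%://*/%' clause.
HOST_PATTERN = re.compile(r"^(\*|https?|file|ftp)://\*/")

WEBSTORE_BASE = "https://chrome.google.com/webstore/detail/"

# Whitelist of reviewed extension IDs; the uBlock Origin ID is the one
# quoted in the post.
WHITELIST = frozenset({"cjpalhdlnbpafiamejdnhcphjbkeiagm"})


def split_permissions(value):
    """Split osquery's comma-separated permissions string into tokens."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def risky_permissions(permissions):
    """Return the permission tokens that the post classifies as high risk.

    Matching whole tokens rather than substrings avoids the false positive a
    LIKE '%tabs%' clause gives for a host pattern such as "*://tabs.example.com/*".
    """
    return [
        perm
        for perm in split_permissions(permissions)
        if perm in HIGH_RISK_PERMISSIONS or HOST_PATTERN.match(perm)
    ]


def webstore_url(identifier):
    """Build the Web Store page URL the post uses to look an extension up by ID."""
    return WEBSTORE_BASE + identifier


def triage(rows, whitelist=frozenset()):
    """Return alert records for high-risk extensions not on the whitelist."""
    alerts = []
    for row in rows:
        reasons = risky_permissions(row.get("permissions"))
        ident = row.get("identifier", "")
        if not reasons or ident in whitelist:
            continue
        alerts.append({
            "uid": row.get("uid", ""),
            "name": row.get("name", ""),
            "identifier": ident,
            "reasons": reasons,
            "webstore": webstore_url(ident),
        })
    return alerts


# Constructed sample rows in the shape `osqueryi --json "<query>"` prints.
# Names, permission lists and the all-a / all-b identifiers are made up.
SAMPLE_ROWS = json.loads("""[
  {"uid": "501", "name": "uBlock Origin", "identifier": "cjpalhdlnbpafiamejdnhcphjbkeiagm",
   "permissions": "storage, tabs, <all_urls>"},
  {"uid": "501", "name": "Example Coupon Finder (constructed)",
   "identifier": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
   "permissions": "cookies, *://*/*, clipboardWrite"},
  {"uid": "502", "name": "Example Notes (constructed)",
   "identifier": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
   "permissions": "storage, activeTab, *://tabs.example.com/*"}
]""")


def main():
    for alert in triage(SAMPLE_ROWS, whitelist=WHITELIST):
        print(f"uid={alert['uid']} {alert['name']!r} {alert['identifier']}")
        print(f"  high-risk scopes: {', '.join(alert['reasons'])}")
        print(f"  review at: {alert['webstore']}")


if __name__ == "__main__":
    main()
```

Running the script against real data is a matter of piping `osqueryi --json` output into `triage()`; when scheduled alongside the daily osquery run, only extensions whose ID is not yet whitelisted produce output, which is the alert the post describes. Note that the post's query, like this example, inspects only the `permissions` column; the separate `optional_permissions` column in the same table lists scopes an extension can request later at runtime, so an audit that wants the full picture should check it as well.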

With this query set to run at least once a day, we are now alerted when our users add new high-risk extensions, and can begin the process of reviewing and whitelisting them again.
