Skip to content

Chrome (browser) Extension might hack your bank

by trên 24 Tháng Sáu, 2017

Chrome and Extension

  • Chrome is the gateway to interact with the Internet worlds.
  • People trust their browser, Extended Validation SSL, bank’s website, Windows, Mac, ISP… but the third party extension could to many dangerous without any notice to user.
  • Hacker could control everything behave of user just using an extension.

Ultimate permission of Extension.

  • Look at this permission, is it dangerous?Screen Shot 2017-06-24 at 10.19.40 PM
  • Extension could see what user’s seeing, know what user entering… And create a completely fake webpage with this permission.  It’s called Javascript Injection attack.

Demonstration

  • An online banking service with SMS OTP verification for online money transfer.
  • Simple POC using javascript and inject via an Chrome’s extension.

Screen Shot 2017-06-24 at 10.12.41 PM.png

  • Fake fields are inserted into the HTML, real input with hacker’s account number fields are hidden.
  • SMS OTP is by-passed because of no destination account in the SMS content.

Screenshot_2017-06-24-21-56-32-121_com.android.mms

  • The OTP was used for another transaction.

Recommendation?

Users:

  • If you don’t know anything. Don’t install any plugin/extension or software that install a extension.
  • If you are advance user, using web browser incognito mode or anther browser with no plugin enabled for bank transaction. We can trust no-one in the Chrome Extension Web Store.

Bank:

  • Add destination account to the OTP.
  • OTP token hardware with transaction signing

A05_NewPin_EN

Google Chrome:

  • More secure permission system.
  • Ask permission to edit HTML content for each website.

 

 

 

 

 

Advertisements
Gửi bình luận

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Đăng xuất / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Đăng xuất / Thay đổi )

Connecting to %s