We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there.
That's because browser extensions aren't subject to the same strict controls as the content of the web pages you download; otherwise they wouldn't be extensions at all, they'd basically just be locally cached web pages.
An ad blocker or a password manager that was locked down so it only worked on one website wouldn't be much use; a tab manager that could only handle one tab or site at a time wouldn't be very helpful; and so on.
Web pages aren't supposed to be able to override any of the controls imposed by the browser itself, so they can't change the address bar to show a fake server name, or bypass the Are you sure? dialog that checks that you really want to download that Word document to your hard disk.
Browser extensions, in contrast, are intended to be able to extend and modify the browser's own behaviour.
Among other things, browser extensions can:
- Peek at what's going to be shown in each tab, after it has been decrypted.
- Modify what finally appears.
- See and tweak everything you type in or upload before it's sent.
- Read and write files on your local hard disk.
- Launch or monitor other programs.
- Access hardware such as webcams and microphones.
Screencastify is an example of a browser extension that provides a popular feature that isn't possible from a website alone, namely capturing some or all of your screen so you can share it with other users.
The extension boasts 10,000,000+ users (apparently there's no higher category, no matter how many users you have), and invites you in with a description in its own words.
Security researcher Vladimir Palant, himself a browser extension developer, decided to take a look at Screencastify, given its popularity.
Earlier this week, he published what he found.
Among other things, his report is a well-written reminder of just how difficult it can be to work out who you are trusting online when you decide to use an app or service from Company X.
Supply chain risk revisited
Just like source-code supply chain risk, where you install software from A, which is licensed from B, updated from C, and pulls in additional modules from D (possibly repeated recursively through many interconnected stages)…
…the risk from web-based services may depend on the trustworthiness of many other vendors or providers involved in delivering the service.
Palant started by looking at Screencastify's Chrome manifest file, a JSON data file that comes with every extension to specify important information such as the name, version number, security policy, update URL and required permissions.
One of the entries in a Chrome manifest is a list called externally_connectable.
This denotes which extensions, apps and websites, if any, are allowed to interact with your extension.
Normally, other extensions and apps already installed on your system can do this by default, but for obvious security reasons, external websites can't.
This means that you can't innocently browse to a website, just to take a look around once, only to have the server you're visiting unexpectedly try to take control of your extension.
But Screencastify offers all sorts of additional cloud-based functionality from its own website, so it understandably includes itself in its externally_connectable list.
When Palant first looked, the list of trusted connections looked like this:
{
    ...
    "externally_connectable": {
        "matches": [
            "https://*.screencastify.com/*"
        ]
    },
    ...
}
Given that the special character * means "match anything here", the above specification says that any URL on any website under the screencastify.com domain is allowed by the Screencastify extension to interact with your browser remotely…
…don't forget, an extension that has access to your webcam in order to provide a popular part of its service.
Palant quickly found that these externally_connectable websites could send a message labelled bg:getSignInToken to your browser, and that this request returned a Google access token for your Google Drive files. (In our tests, Screencastify wouldn't work unless you had a Google account and were logged in.)
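The defensive counterpart to the behaviour described above, as an added example that is not Screencastify's code: a background-script handler for a hypothetical bg:getSignInToken request that answers only senders on an explicit, exact-origin allowlist, so the manifest's externally_connectable wildcard is not the only thing deciding who receives the token. The allowlist, the placeholder token and the message shape are assumptions made for this example; sender.origin and chrome.runtime.onMessageExternal are real Chrome extension APIs.

```javascript
// Added example, not Screencastify's code: hand out a token only to an explicit
// set of origins, independent of how broad the manifest's "matches" pattern is.

// Exact origins allowed to ask for the token (constructed for this example).
const TOKEN_ALLOWED_ORIGINS = new Set([
  "https://edit.screencastify.com",
  "https://watch.screencastify.com",
]);

// Stand-in for whatever the real extension would return (constructed placeholder).
function currentDriveToken() {
  return "ya29.PLACEHOLDER-TOKEN";
}

// Work out the sender's origin. Recent Chrome populates sender.origin for
// external messages; older versions only provide sender.url, so parse that.
function senderOrigin(sender) {
  if (sender && typeof sender.origin === "string") return sender.origin;
  try {
    return new URL(sender.url).origin;
  } catch (e) {
    return null;
  }
}

// Pure decision function: returns the response object for one external message.
function handleExternalMessage(message, sender) {
  const origin = senderOrigin(sender);
  if (!origin || !TOKEN_ALLOWED_ORIGINS.has(origin)) {
    // A page that the manifest let through but policy does not trust: refuse,
    // and this is the event worth logging for later review.
    return { ok: false, error: `origin not permitted: ${origin}` };
  }
  if (message && message.type === "bg:getSignInToken") {
    return { ok: true, token: currentDriveToken() };
  }
  return { ok: false, error: "unsupported message" };
}

// Registration as it would appear in the extension's background script; skipped
// when run outside a browser so the file still executes under Node.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    sendResponse(handleExternalMessage(msg, sender));
  });
}
```

Keeping the decision in a pure function makes the allowlist easy to review and to unit-test, and keeps the trust decision in code rather than only in the manifest, where a single wildcard pattern covers every subdomain whoever operates it.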
Interestingly, according to Palant, the reason that Screencastify works with full access to Google Drive (extensions can, in fact, request access to just a directory of their own) is that without full access, an extension can't display a list of its own files. So, to keep a stash of uploaded files that you can browse later, it seems an extension needs to go for full access, create its own directory, and then show its own files from there.
Additionally, as you might expect given that Screencastify combines screen capture with webcam streaming, the externally_connectable websites can also request access to Chrome's desktopCapture API (which can read pixel content from anywhere on the screen), the tabCapture API (which can extract content from inside the browser), and the WebRTC API (short for Web Real-Time Communication, which includes webcam access).
Requests to capture your desktop or your browser tabs are less controversial than webcam access, because they always produce a clear popup dialog asking for permission.
Apparently, Chrome asks every single time: if you turn on screen capture more than once in a single session, there's no remembered approval.
But the webcam permission only needs to be requested once, which Screencastify does when you set it up, after which it can be claimed without any further popups appearing.
Palant also found that Screencastify's default video recording settings, once any sort of capture is enabled, include uploading the videos to your Google Drive.
And, as we mentioned above, any website in the externally_connectable list can acquire an access token for your Google Drive and download those videos later, even if it didn't secretly start the unwanted webcam capture itself.
So what?
At this point, you might be thinking, "So what? I've already decided to trust Screencastify's code and website, so this isn't a surprise. I'm already expecting my screencast videos to be captured and saved, so they're going to have them anyway."
That's where the setting https://*.screencastify.com/* (see above) becomes significant.
Palant found during his research that at least six Screencastify subdomains were run by third parties:
- Webflow ran the www.screencastify.com subdomain,
- Teachable ran course.screencastify.com,
- Atlassian ran status.screencastify.com,
- Netlify ran quote.screencastify.com,
- Marketo ran go.screencastify.com, and
- Zendesk ran learn.screencastify.com.
In other words, you'd need to trust not only Screencastify's extension and its own servers with "silent" access to your webcam and your Google Drive, but at least all of the providers listed above as well.
More precisely, you'd need to trust that there were no bugs such as cross-site scripting (XSS) flaws on any one of those subdomains.
An XSS bug means that you can trick a site such as example.com into generating and serving up a web page that includes raw, dangerous content of your own choosing, such as a search result that contains a raw snippet of JavaScript code instead of a plain text string.
If you asked to search my website for Luap Nilkcud, and I returned an HTML page containing, say, <bold>Luap Nilkcud</bold> not found, try again, that would be mostly harmless, because the generated HTML just means "print the given text in bold, and the rest in a plain font". But if you searched for, say, <script>alert("Oops")</script>, and I reflected that text exactly, including the magic angle brackets, your browser would interpret and execute the code inside the script tag. (Those angle brackets should have been stripped out, or converted into the special codes &lt; and &gt; respectively.) The "unescaped" script code would run with the same security powers as code stored on my own site, so you'd effectively be able to inject JavaScript into my site's served-up HTML without hacking my server.
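The reflection just described, shown as an added example rather than code from the article: the same toy "not found" page rendered once with the search term spliced in raw and once with its HTML metacharacters escaped, plus the small check a reviewer might run over rendered output. The page uses the standard <b> tag in place of the article's <bold>; the probe string is the article's own example, and the renderer names are assumptions.

```javascript
// Added example, not from the article: reflected search term, raw versus escaped.

// Escape the five characters that can change HTML structure or attribute context.
// Doing it in one pass avoids the classic bug of escaping "&" after "<" has
// already become "&lt;".
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable renderer: whatever the user searched for is spliced straight into HTML.
function renderSearchUnsafe(query) {
  return `<p><b>${query}</b> not found, try again</p>`;
}

// Hardened renderer: the term is escaped first, so angle brackets become text.
function renderSearchSafe(query) {
  return `<p><b>${escapeHtml(query)}</b> not found, try again</p>`;
}

// A minimal output check: did user-controlled text end up as a live <script> element?
// (A real deployment would pair this with a Content-Security-Policy that forbids
// inline script, which stops the alert even if escaping is forgotten.)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed probe input, the same one the article uses.
const PROBE = '<script>alert("Oops")</script>';

console.log(renderSearchUnsafe(PROBE)); // script tag survives intact
console.log(renderSearchSafe(PROBE));   // &lt;script&gt;... shown as text
```

The escaped output renders the literal characters the user typed, which is exactly what a search page should do; the browser never sees a script element because the "<" and ">" reach it as &lt; and &gt;.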
Sure enough, Palant found an XSS bug in one of Screencastify's features, which he reported in February.
To its credit, Screencastify acknowledged the bug the same day and fixed it the next day.
Lots of moving parts
Nevertheless, this investigation is a good reminder that when you decide to go with vendor V for product P or service S, you may have more moving parts, and more risk exposure, than you first thought.
Interestingly, since Palant's report came out, Screencastify has decided to rein in that over-generous externally_connectable trust list, which has now been reduced to an explicit set of subdomains:
{
    ...
    "externally_connectable": {
        "matches": [
            "https://captions.screencastify.com/*",
            "https://edit.screencastify.com/*",
            "https://questions.screencastify.com/*",
            "https://watch.screencastify.com/*",
            "https://www.screencastify.com/*"
        ]
    },
    ...
}
The www.screencastify.com subdomain, run by a third party, is still there, but the explicit list makes it easier for SecOps (security operations) teams to assess the overall risk of this extension, if they're so inclined.
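To make the difference between the two manifest entries concrete, here is an added example (not code from the article, and not Screencastify's) that evaluates Chrome match patterns the way Chrome's own rules describe them, and then counts how many of the six third-party-hosted subdomains the article lists each version of the externally_connectable list would admit. The URLs tested are constructed for this example; the patterns are the ones quoted above.

```javascript
// Added example, not from the article: evaluate Chrome match patterns and
// compare the wildcard entry with the later explicit list.

// Convert one Chrome match pattern (<scheme>://<host><path>) into a RegExp.
// Host may be "*" (any host) or start with "*." (the domain itself plus every
// subdomain); "*" in the path matches anything. "*" as scheme means http or https.
function matchPatternToRegExp(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host, path] = m;
  const esc = s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters except "*"
  const schemeRe = scheme === "*" ? "https?" : esc(scheme);
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + esc(host.slice(2));
  else hostRe = esc(host);
  const pathRe = esc(path).replace(/\*/g, ".*");
  return new RegExp("^" + schemeRe + "://" + hostRe + pathRe + "$", "i");
}

// True if any pattern in the list matches the URL (fragment ignored).
function allowedBy(matches, url) {
  const href = new URL(url).href.split("#")[0];
  return matches.some(p => matchPatternToRegExp(p).test(href));
}

// The two manifest entries quoted in the article.
const ORIGINAL_MATCHES = ["https://*.screencastify.com/*"];
const REVISED_MATCHES = [
  "https://captions.screencastify.com/*",
  "https://edit.screencastify.com/*",
  "https://questions.screencastify.com/*",
  "https://watch.screencastify.com/*",
  "https://www.screencastify.com/*",
];

// Constructed URLs on the six subdomains the article lists as third-party hosted.
const THIRD_PARTY_HOSTED = [
  "https://www.screencastify.com/",
  "https://course.screencastify.com/",
  "https://status.screencastify.com/",
  "https://quote.screencastify.com/",
  "https://go.screencastify.com/",
  "https://learn.screencastify.com/",
];

// Which third-party-hosted subdomains could talk to the extension under a given list?
function thirdPartyExposure(matches) {
  return THIRD_PARTY_HOSTED.filter(u => allowedBy(matches, u));
}

console.log("original wildcard admits:", thirdPartyExposure(ORIGINAL_MATCHES).length, "of 6");
console.log("revised list admits:", thirdPartyExposure(REVISED_MATCHES));
```

This is the kind of check a SecOps reviewer can run against any extension's manifest: list the hosts each pattern admits, then ask who actually operates each one. The function also confirms that the wildcard is anchored to the registered domain, so a look-alike host such as screencastify.com.example.net is not admitted.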
Least privilege principle
This is a great reminder of the value of the need-to-know, or least privilege, principle, which states that you shouldn't give anyone access to resources they don't need, no matter how much you trust them, because you're less likely to make a mistake if you keep your security settings as tight as you can.
Need-to-know protects loyal users from making innocent mistakes that could be costly both for you and for them.
For example, you sometimes need to log in with root or admin powers…
…but you don't need root to read your email or browse the web, so you should set up your accounts so that you take on those superpowers only when you need them, and give them up when you don't.
Less, in cybersecurity, is very often more.