Dave Bittner (4:07)

Well, before we dig into some of the details here, for folks who might not be familiar with private APIs and what they enable, can you give us a quick explanation of what they are and how they work?

Nati Tal (4:18)

Yeah, let's do this with an example. In this case, there are many types of web applications or custom features that you get with your browser. One of those as an example is the Chrome Store. On any Chrome based browser, or even on Google's Chrome, you have a store in which you can see many types of themes or different kinds of new customization for your browser, like extensions, and with the click of a button, get those installed on your browser. So if you think about it, it's not a simple website that everybody can create and develop and offer this button to install an extension. This is something that is more permissive. And this is why, embedded inside the Chromium code, there are specific privileges or APIs, in this case that allow a click on a website to install an extension. And those are allowed to work only from code that runs on specific domains. In this case, the Chrome Store web app application. This is basically a web app API that gives the Chrome Store extra privileges to install an extension on your browser and basically do all other stuff like disable extensions and such. Those APIs are not public, not everybody can use them. Only those that have the permission to create a web app and deploy it to the domain where Chrome Store is running now. And this is also why they are called private APIs in this case.

Dave Bittner (6:03)

Well, these private APIs are supposed to have certain security functions that go with them, but you and your colleagues started exploring this and you found some pretty clever ways to get around this. Tell us what you did.

Nati Tal (6:17)

Yeah, well, as I said before, to execute code using those private APIs, you need to execute this code from the context of a privileged domain like the Chrome Store, or any other specific domain that is embedded in the code of your browser. So there are many standard ways to execute your own code from another domain or another context. The most common one that is being abused all around is xss, being able to inject your code or some kind of code into another's domain or website. This includes an exploitation of some kind of vulnerability in this code in this website, which is most of the time, hard to find. And there are many state of the art ways to just remove and mitigate this kind of vulnerability from websites today. So we thought about, okay, this is a way that might work. Again, you need to find a vulnerability in any specific web page. But we remember that again we are working with extension and we know extensions very well and all those kinds of capabilities that are embedded in this concept of extension. And we realized that there is one way to inject your own code using another extension. And after we tested it and tried it out, realized it's even easier than we thought. Basically all you need to do is use a built in feature of an extension which is called content scripting. An extension can actually inject code to any web page you want as long as you give it the permission to do so. And there are mitigations against using private APIs in this case, because when you execute code in content scripting, it is running on a different content, not the content you want, not the context of the web page, but. But it has the ability to dynamically change the content of the web page itself. It's like using something that is abusing a feature basically that is not there for this specific needs. So what we did was to inject the code into the actual page and basically create, dynamically create a script inside the original web page. And they're deploying our own code. So this way our code, which is a malicious code in this case, is being executed from the context of the permissive domain and all was done with simple like one liner in our malicious extension.

Dave Bittner (9:19)

Well, Nadi, you're not giving yourselves enough credit here because it wasn't just any extension that you all created here. Tell us about the extension itself.

Nati Tal (9:30)

Yeah, I'll start from the beginning. In this specific research we thought about again, there are POCs and we create those. And those basic POCs, they are not so interesting or clever in this case. We wanted to extend our research not only to the specific vulnerability we found, but also on the basic methods used today to exploit it and to show the people, the researchers and the community how easy it is also in other matters to deploy a malicious extension not only for this kind of vulnerability, but any other kind of malicious activity. So what we did was actually deploying a malicious extension titled Puppies, I think was the name. What it did was something like the benign feature of just creating or rendering cute puppies all over your screen. Something that is like cute and it doesn't seem malicious in any way.

Dave Bittner (10:47)

No. Sign me up. Sign me up. Nadia. Yes, exactly. Just to be clear, this is an extension that when you install it, when you go to whatever screen in your Opera browser, in addition to the content, you get a picture of a cute puppy. So what could be dangerous about that?

Nati Tal (11:04)

Yeah, you can even drag it and put it on a different place. I think.

Dave Bittner (11:14)

We'Ll be right back. Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, Delete Me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private, private. By signing up for Delete Me now at a special discount for our listeners today, get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.comN2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.

Nati Tal (13:18)

What we wanted to demonstrate in this case was that even a benign extension like this, the cute puppy, and every other thing you see out there, like color pickers or stuff like that, utilities, basically, they all share the same permissions and power of the of extensions of this entire ecosystem. And those can be abused or even exploited in this case for other users, like exploiting a vulnerability in Opera. And not only that, the case with Opera was a bit different because Opera, they have their own store for extensions, and extensions on their store are being reviewed quite deeply and quite professionally because they're actually reviewing the source code of every extension they allow on their store. But this is also the reason why their store is smaller, much smaller than the one with Google's home. And when you search for something, for example, if you want a cute puppy on every website you browse to and you search for that on the Opera Store, you can't find it, but it suggests you, okay, if you can't find any, go to the Chrome Store. We allow you to download and install extensions from there. So, okay, we can't add this kind of malicious extension to the Opera Store because they will see our abuse right there in the code because they are more aware of their domains and kind of APIs they are using. But what if we just add it to the Quorum Store? They have no idea what kind of domains are more permissive for Opera or something like that. And again, those are cute puppies. Why not allow those to be uploaded to the store? So then we realized that it's exactly what we see out in the wild on a daily basis here at Guardio. Different extensions, utilities and ad blockers, even that look all the same with different variants in description, in the icon and stuff like that. But underneath there are all malicious extensions that do creepy stuff like search hijacking and taking your cookies and hijacking your accounts, and they all have this narrative of utility you need or want. So we realized that if those extensions go there, we really need to understand how easy it is or why it is so easy to use this kind of method and deploy malicious extensions. So we tried it ourselves and we just created a simple landing page for this puppies extension with privacy notice and terms of use and everything that is needed to create this kind of extension and get it approved in the Chrome Store. It took us around, I think, 20 minutes overall, using AI to create the description and images and icons and everything and even part of the code just to make it more reliable as a puppy extension. And after we uploaded it like 24 hours later on, we got it approved and it was online on Chrome Store. So not only that, we discovered a vulnerability and an exploitation method that we of course disclosed to Opera and got it fixed before we published it, of course, but also managed to display or to alert all the community about how easy it is to deploy those kinds of malicious extensions and create the entire flow, the entire chain of exploitation from creating this code, getting it uploaded to a reputable place like the Chrome Store, and from there quite quickly abusing it in the wild. You can use many kinds of malvertising techniques to just propagate this kind of extension, get it on popups and stuff like that, and buy users and eventually have full control on All Opera browsers in this case.

Dave Bittner (18:08)

Well, you mentioned that you did reach out to the Opera team and they were quite responsive to your research.

Nati Tal (18:15)

Yeah, yeah. Actually it's not our first time disclosing an issue to Opera, so we are already quite familiar with their engineering team and we have close relationship and we talk like on a daily basis doing this type of research and our analysis and stuff like that. Our initial disclosure to them was something that we called my flow. It's quite similar because in this case they had their own feature where you can just drag and drop files from your Opera browser on your Android device to your computer to your desktop and so forth. And one of the APIs there was to download the file and execute it on your system. And using XSS in this case, we managed to just with zero click get your browser to download the file executable and execute it out of the Chrome out of the browser context entirely on your os. And of course again, all those kind of disclosures are full disclosures. We talk to them and get this POC sent to them. So we also discussed with the Opera engineering about how they're going to mitigate this kind of vulnerability. And one thing that we suggested was just to remove the capability of executing extensions or content scripting on those kinds of permissive domains, which is basically what we saw that Google and Chrome are doing on the Chrome store itself. So first thing to do is just disable content scripting on those domains. And this is exactly what they did. It took them like a few days to code this kind of fix, get it deployed and tested and it was deployed to all users in a matter of two weeks, even less. And of course we gave time for the propagation so all user will be safe. And only then we published our research.

Dave Bittner (20:29)

Well, it's definitely interesting research but also fun I have to say. If you if you're into puppy puns, you will enjoy reading through the research.

Nati Tal (20:40)

It's a good read. Just had to like it was all over there. I just had to no.

Dave Bittner (20:46)

Why not? Why not? Why? Research doesn't have to be dry. It's good to make it fun and good to read. Our thanks to Nati Tal, head of Guardiolabs for joining us. The research is titled Cross Exploiting a Zero Day Opera Vulnerability with a Cross Browser Extension Store Attack. We'll have a link in the show notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next.