I looked into the Live HTTP Headers Chrome extension more. This is not the one for Firefox.
11/7 note
- Through the same or a similar method, tons of obfuscated scripts were buried in the extension, so I have reported this to Google.
- https://twitter.com/bulkneets/status/795260268221636608
- There is a routine that extracts JavaScript cut out of an image file and turns it into a blob. addScript then adds it to background.html (the extension context).
- If the T value in the extension's localStorage is undefined, a setTimeout of 4568904 milliseconds sets T to the current time.
- Once T has been set, the script from the image file is read in.
- If the ID property in localStorage is undefined, it is set to the current time after 3600000 milliseconds using setTimeout.
- Furthermore, if the difference between the ID value and the current time is greater than 86400000 milliseconds, an event handler is registered on web requests.
- The dynamically loaded script runs in the web page being displayed, not in the background page.
- At that point, if the response carries a CSP header, it is disabled.
- Once the extension is installed and about one day has passed, script injection into pages becomes enabled.
- Once it is enabled, the CSP settings on the website side are disabled.
- You can tell whether this is enabled by checking whether, on a CSP-enabled website, you can perform actions that CSP would normally block. For example, in the developer console on GitHub, type something like
document.write("<script>alert(1)</script>")
- I haven't looked into the script that is loaded dynamically.
- Theoretically, with an extension's permissions, anything sent and received over HTTP, including the headers, can be accessed. However, since the dynamically loaded script is executed in the context of a web page, realistically it can't go that far.
- The modified response headers are written statically within the extension.
- Things that can be acquired include user input into the website, contents shown on the page, cookies without the httponly flag, and so on.
- A Chrome extension's default CSP does not allow outside scripts to be loaded into the extension context: https://developer.chrome.com/extensions/contentSecurityPolicy
- So, unless manifest.json expressly declares that outside scripts are allowed, which scripts can execute in the extension context cannot be changed.
- So if the technique of script injection into a page is used, you won't, for example, have all your data stolen at the very moment the script is installed on a page.
- But the script's influence persists on all sites visited while the extension is enabled.
- Judging by the HTML of the extension's privacy policy and the script at the AWS URL, the service being used is coolbar.pro.
- On the site, it says that they are a service oriented toward monetizing extensions.
- This is a case where the code was acquired by another company and malware was inserted.
- You can't register unless you have an invite code, so I couldn't tell what menus were there.
- The code itself does things like loading outside scripts that only become enabled after a fixed period of time, so its odd behavior is hard to detect.
- It would be hard to catch the code hidden inside the image with things like automatic scans.
- They are using methods that are hard to detect, which is how malware operates.
- At the point where CSP is disabled on the client side, this is, to say the least, harmful.
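A triage check for the "code hidden inside the image" point above, as an added example that is not code from the original notes or the extension: it walks a PNG's chunk list to IEND and reports any bytes appended after it. The notes do not say how this extension embedded its script in the image, so treating trailing data after IEND as the hiding place is an assumption, and the sample PNG and payload are constructed.

```javascript
// Added example, not code from the original notes: a triage check for an
// extension's bundled images. It walks the PNG chunk list to the IEND chunk
// and reports any bytes appended after it, one common place to stash a script.
// Assumption: the notes do not say how this extension embedded its JavaScript
// in the image, so "trailing data after IEND" is only a starting heuristic.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Offset just past the IEND chunk's CRC, or -1 if not a well-formed PNG.
function pngEnd(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return -1;
  let off = 8;
  while (off + 8 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('ascii', off + 4, off + 8);
    off += 12 + len;                      // length(4) + type(4) + data + CRC(4)
    if (type === 'IEND') return off <= buf.length ? off : -1;
  }
  return -1;                              // truncated or no IEND chunk
}

// Rough check for script-like text in the trailing bytes.
function looksLikeScript(tail) {
  const text = tail.toString('latin1');
  return /\b(function|eval|setTimeout|localStorage)\b|chrome\./.test(text);
}

// Per-file summary: how much data follows the image and whether it resembles JS.
function scanPng(buf) {
  const end = pngEnd(buf);
  if (end < 0) return { png: false, trailingBytes: 0, suspicious: false };
  const tail = buf.subarray(end);
  return { png: true, trailingBytes: tail.length,
           suspicious: tail.length > 0 && looksLikeScript(tail) };
}

// Constructed sample: a minimal PNG skeleton (CRCs left zero, this check does
// not validate them) with an optional payload appended after IEND.
function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  return Buffer.concat([len, Buffer.from(type, 'ascii'), data, Buffer.alloc(4)]);
}
function buildSample(tail) {
  return Buffer.concat([PNG_SIG, pngChunk('IHDR', Buffer.alloc(13)),
    pngChunk('IDAT', Buffer.from([0x78, 0x9c, 0x63, 0x00, 0x00])),
    pngChunk('IEND', Buffer.alloc(0)), Buffer.from(tail, 'utf8')]);
}

console.log(scanPng(buildSample('')), scanPng(buildSample('(function(){})()')));
```

Any non-zero trailingBytes on a bundled image is worth a manual look even when the regex does not fire, since the payload may itself be obfuscated.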