PostMessage Security in Chrome Extensions

Arseny Reutov

March 30, 2017

Transcript

  1. $ whoami
     • Web application security researcher at Positive Technologies
     • Member of Positive Hack Days (https://phdays.com) conference board
     • Occasional web security blogger (https://raz0r.name)
  2. Agenda
     • Chrome extensions & their messaging
     • PostMessage security considerations
     • Mounting extensions analysis
     • The results!
     • The takeaways
  3. Chrome extensions ecosystem
     • Chrome Web Store is notorious for its security problems (unintuitive permission dialogs, malware & insecure extensions)
  4. Extension manifest file
     {
       "name": "My Extension",
       "description": "My Super Chrome Extension",
       "version": "1.0",
       "background": {
         "scripts": ["js/background.js"]
       },
       "content_scripts": [
         {
           "matches": ["<all_urls>"],
           "js": ["js/jquery.js", "js/content.js"]
         }
       ],
       "permissions": ["tabs", "http://*/*", "https://*/*"]
     }
  5. PostMessage API
     The developer is in charge of origin validation:
       window.addEventListener("message", receiveMessage, false);
       function receiveMessage(event) {
         if (event.origin !== "http://example.org") return; // checking origin host
         if (event.source !== window) return;               // or origin window
         process(event.data);
       }
  6. PostMessage API
     • If origin validation is absent or flawed, an attacker's message data can reach dangerous pieces of code.
     • See "The pitfalls of postMessage" by Mathias Karlsson for common origin validation bypasses.
  7. PostMessage API
     • Unlike other DOM events, message propagation to listeners cannot be stopped via return false or stopPropagation().
     • Extensions' message listeners are not listed in Chrome Developer Tools.
  8. PostMessage Attack Vectors
     Method 1: iframes
       var iframe = document.createElement("iframe");
       iframe.src = "http://target.com";
       iframe.contentWindow.postMessage("some message", "*");
     Pros: stealthy
     Cons: killed by X-Frame-Options and framebusters
  9. PostMessage Attack Vectors
     Method 2: opening a new window
       var targetWindow = window.open("http://target.com");
       targetWindow.onload = function() {
         targetWindow.postMessage("some message", "*");
       }
     Pros: not affected by X-Frame-Options
     Cons: more noisy
  10. PostMessage in Chrome extensions
     • Chrome extensions use the postMessage API to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions)
     • postMessage data can be passed into the background script context, and in some cases even reach the OS via the Native Messaging API
  11. The Research Steps
     • Parse the manifest file, find content scripts
     • Parse each content script with the Acorn JS parser (https://github.com/ternjs/acorn)
     • Look for postMessage listeners with an Acorn plugin
  12. React Dev Tools
     • Prior to the fix, the message was validated only by checking a special property (which is user-controlled):
  13. The takeaways
     • For users:
       – do not install shady extensions from unknown publishers
       – check requested permissions
  14. The takeaways
     • For developers:
       – pay attention to origin validation in message listeners
       – consider origin bypass tricks
       – do not rely on magic strings
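As an added illustration of the origin-validation points above (not code from the deck or from any extension it analysed), here is a content-script listener written the way the developer takeaways recommend, next to the weak pattern they warn about. The allowlist, the message shape and the forwarding callback are assumptions for the example.

```javascript
// Added example (not from the deck): a content-script "message" listener that
// does exact origin matching and schema validation instead of a magic string.
// ALLOWED_ORIGINS, the "translate" message shape and `forward` are assumptions.

const ALLOWED_ORIGINS = ["https://translator.example"]; // constructed allowlist

// Weak check: substring origin match plus a "magic" property any page can set.
function weakAccepts(event) {
  return event.origin.indexOf("translator.example") !== -1 &&
    !!event.data && event.data.fromTrustedTranslator === true;
}

// Does the payload look like the one message type this listener handles?
function isTranslateRequest(data) {
  return typeof data === "object" && data !== null &&
    data.type === "translate" &&
    typeof data.text === "string" && data.text.length <= 10000;
}

// Strict check: exact origin match against the allowlist, an optional sender
// window check (pass `window` for same-origin listeners), and a shape check
// instead of a magic string. True only if every check passes.
function strictAccepts(event, allowed = ALLOWED_ORIGINS, expectedSource = null) {
  if (!allowed.includes(event.origin)) return false; // no indexOf/startsWith
  if (expectedSource !== null && event.source !== expectedSource) return false;
  return isTranslateRequest(event.data);
}

// Listener body: only validated data reaches the background script. In a real
// extension `forward` would be chrome.runtime.sendMessage. Returns the message
// that was forwarded, or null when the event was dropped.
function handleMessage(event, forward) {
  if (!strictAccepts(event)) return null;
  const msg = { type: "translate", text: event.data.text }; // copy only needed fields
  forward(msg);
  return msg;
}
// Wiring in the content script would be:
// window.addEventListener("message", e => handleMessage(e, m => chrome.runtime.sendMessage(m)));

// Constructed sample events, shaped like what a content script would receive.
const attackerEvent = {
  origin: "https://translator.example.attacker.test", // defeats the substring check
  source: {}, data: { fromTrustedTranslator: true, type: "translate", text: "x" },
};
const legitEvent = {
  origin: "https://translator.example",
  source: {}, data: { type: "translate", text: "hello" },
};
```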
  15. The takeaways
     • For browsers:
       – should provide built-in origin validation
       – see the getMessage proposal by @homakov