New Chrome Exploit Lets Attackers Completely Disable Browser Extensions
On October 31, GitHub user Echo (3kh0) posted an exploit that targets Google Chrome and lets an attacker disable any extension installed in the browser, regardless of the enterprise policies in place. The exploit affects Chrome on all major operating systems, including Windows, Linux, and ChromeOS. Google confirmed that the issue has been patched; the fix ships in Chrome v106 and later, so browsers still running v105 or earlier remain exposed.
The reach of the exploit extends across the functionality of Chrome's entire 137,000-plus extension library.
The exploit, published as 3kh0/ext-remover and nicknamed "Literally the Best Exploit Ever Found" (LTBEEF), is a bookmarklet: once run, it presents a graphical user interface (GUI) from which a threat actor can selectively force-disable Chrome extensions. Under the hood it issues extension-management commands that Chrome mistakenly treats as legitimate requests from the Chrome Web Store, which is why the enforced policy is not honoured.
Here’s a visual demonstration of the exploit in action:
Exhibit 1: Confirm that Google Chrome is running v105 or earlier (an unpatched version).
Exhibit 2: Chrome's extension management panel, where an enterprise policy prevents the ad blocker from being disabled.
Exhibit 3: After running the exploit, its GUI exposes full control over the extension management panel.
Exhibit 4: Using the Ingot GUI, the ad blocker can be disabled despite the existing policy simply by toggling the slider.
Exhibit 5: The exploit succeeded: the policy was overridden and the ad blocker extension is disabled.
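The state the exhibits end in, a force-installed extension that policy says must stay on but that is now switched off, is something an admin can check for. The following is an added example, not code from the original post or from the 3kh0/ext-remover repository: it cross-checks a Chrome enterprise policy (both the `ExtensionInstallForcelist` and `ExtensionSettings` forms, which are real policy names) against a snapshot shaped like the result of `chrome.management.getAll()`, and reports every forced extension that is missing or disabled. The policy contents, extension IDs and extension snapshot are all constructed for the example.

```javascript
// Added example, not code from the original post or the 3kh0/ext-remover repository.
// Cross-check a Chrome enterprise policy against a snapshot of installed extensions
// and report every force-installed extension that is missing or disabled, which is
// the state the exploit above leaves behind. All data here is constructed.

// Constructed IDs in the 32-letter Chrome extension ID format; they do not refer
// to real extensions.
const AD_BLOCKER_ID = "a".repeat(32);
const SECURITY_AGENT_ID = "b".repeat(32);
const OPTIONAL_TOOL_ID = "c".repeat(32);
const UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// Constructed policy, in the shape Chrome loads from a managed-policy JSON file
// (for example /etc/opt/chrome/policies/managed/extensions.json on Linux).
// Both ways of forcing an extension are shown.
const policy = {
  ExtensionInstallForcelist: [`${AD_BLOCKER_ID};${UPDATE_URL}`],
  ExtensionSettings: {
    [SECURITY_AGENT_ID]: { installation_mode: "force_installed", update_url: UPDATE_URL },
    [OPTIONAL_TOOL_ID]: { installation_mode: "allowed" },
    "*": { installation_mode: "blocked" },
  },
};

// Constructed snapshot in the shape chrome.management.getAll() returns to an
// extension holding the "management" permission. installType "admin" marks a
// policy-installed extension.
const installed = [
  { id: AD_BLOCKER_ID, name: "Ad blocker", enabled: false, installType: "admin" },
  { id: SECURITY_AGENT_ID, name: "Security agent", enabled: true, installType: "admin" },
  { id: OPTIONAL_TOOL_ID, name: "Optional tool", enabled: false, installType: "normal" },
];

// Return the set of extension IDs the policy requires to be installed.
function forcedExtensionIds(pol) {
  const ids = new Set();
  for (const entry of pol.ExtensionInstallForcelist || []) {
    ids.add(entry.split(";")[0]); // forcelist entries are "id;update_url"
  }
  for (const [id, cfg] of Object.entries(pol.ExtensionSettings || {})) {
    if (id !== "*" && cfg.installation_mode === "force_installed") ids.add(id);
  }
  return ids;
}

// Return every forced extension whose live state contradicts the policy:
// absent from the browser entirely, or present but switched off.
function findPolicyViolations(pol, exts) {
  const forced = forcedExtensionIds(pol);
  const byId = new Map(exts.map((e) => [e.id, e]));
  const violations = [];
  for (const id of forced) {
    const ext = byId.get(id);
    if (!ext) violations.push({ id, name: null, reason: "missing" });
    else if (!ext.enabled) violations.push({ id, name: ext.name, reason: "disabled" });
  }
  return violations;
}

// Stand-alone run: reports the ad blocker as disabled despite being force-installed.
console.log(findPolicyViolations(policy, installed));
```

To use this against a real fleet you would feed it the policy exported from `chrome://policy` and an extension list collected by a force-installed management extension; that collection step is assumed here and not shown. The check only tells you that the policy was not honoured, not how, so a hit on an otherwise healthy endpoint is a reason to look at the Chrome version in use.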
Browser Extensions Grow Increasingly Attractive as Both Targets and Vectors
While this particular exploit is new, the idea of targeting browser extensions is anything but. As web browsing becomes more and more central to the average enterprise employee’s work life, browsers themselves are becoming increasingly attractive targets to malicious actors.
Over the past few years, the number of Chrome zero-day vulnerabilities found exploited in the wild has risen dramatically, despite the efforts of a dedicated team of dozens of world-class experts working full-time solely to nip such vulnerabilities in the bud.
But when you open up the can of worms that is third-party Chrome extensions, the degree of dedicated defense drops off a veritable cliff. People have been warning of the security risks of third-party extensions for years, with even well-known security and anti-virus extensions having been shown to create more risk than protection, thanks to clunky code and attempts at monetizing user traffic.
The Trouble With Extension-Based Browsing Security Solutions
All of this brings us to the central issue at hand, and a critical consideration for organizations deciding which cybersecurity solutions to invest in:
No matter what the specific category or application, any cybersecurity solution that operates on the same layer it’s meant to protect is fundamentally flawed. In the world of browsing security, extension-based solutions are prime examples of this. Rather than operating as a separate, superior security layer, these tools rely upon the integrity of the very thing they are meant to protect — i.e. the browser itself.
As such, any exploit targeting the browser or its extensions, of which LTBEEF is a prime example, renders the security solution useless. Because LTBEEF is a bookmarklet, it runs inside the very browser session it is attacking: anyone with control of that session, whether the user themselves or code that has already gained a foothold on the endpoint, can open the GUI, find your security extension, and toggle the slider to "OFF". Yes, it really is that easy.
Red Access: Resilient, Reliable, Robust Browsing Security
Unlike extension-based secure browsing solutions, Red Access operates as a fully-independent, higher-level layer of security, which protects not only the web browser itself, but any and every web session regardless of where it originates — all without compromising the end-user experience, or saddling admins with yet another endpoint agent.
Ready to see the next generation of secure browsing in action? Start your free trial of Red Access today!
But if there is just one thing you take away from this blog post, it is that security solutions should never operate on the layer they are designed to protect. For the highest degree of security, solutions should operate as wholly separate, independent layers that are not affected by exploits or vulnerabilities within the environment they are meant to secure.