Tarnished Chrome | TechSNAP 146

Tarnished Chrome | TechSNAP 146

Facebook just paid out their biggest bug bounty yet, we’ll tell you about the flaw was so major it warranted a $33k bounty. Plus it’s been a bad week for Chrome security…

Then it’s a big batch of your questions, our answers, and much much more!

Thanks to:



Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Facebook pays out biggest bug bounty ever, $33,500 after researcher gets ‘keys to the kingdom’

  • Reginaldo Silva, a Brazilian security researcher, found a remote execution flaw in Facebook and was able to perform various functions including coping the /etc/passwd file, getting him a list of the users that exist on the system, and could have changed the URL for the Google OpenID provider, in order to execute MitM attacks on users logging in to Facebook using their Gmail accounts
  • The original flaw was found in September 2012, when the researcher discovered an XXE (XML External Entity) bug in a Drupal blogs OpenID provider
  • After finding the flaw in OpenID, he tried the attack successfully against StackExchange
  • Later he also tried it against Google, while it worked, he was not able to read any files or make any network connections. For this he received his first bug bounty, $500 from Google
  • During the original investigation, he could not find a valid Facebook OpenID endpoint
  • Some time later, while investigating the Facebook password reset system, he discovered they still used OpenID for Gmail users to reset their passwords
  • Using the newly discovered endpoint, he still was not able to launch his attack, because Facebook only communicated with Google, and for the attack to work he needed to communicate with his malicious OpenID provider
  • After more reading of the OpenID spec, he found what he was looking for and was able to cause Facebook to contact his server, parse his malicious XML and cause Facebook’s servers to run code of his choosing
  • From this he was able to get a copy of the /etc/passwd from the server
  • Researcher’s Blog Post
  • Facebook Security Team Blog Post
  • Facebook Extends Bug Bounty Program

Security companies remove information about target breach from the Internet

  • One we had previously covered:
  • “On Dec. 18, a malicious software sample was submitted to ThreatExpert.com, a Symantec-owned service. But the public report the service generated vanished. “
  • However, as is often the case with the internet, someone (Krebs ftw) had a copy of the report and posted it
  • “iSight Partners, a Dallas-based cybersecurity company that is working with the U.S. Secret Service, published a series of questions and answers on its website related to the attacks on point-of-sale devices at U.S retailers. That too vanished on Thursday.”
  • “Intel-owned McAfee redacted on Tuesday a blog post from last week that contained technical detail similar to the ThreatExpert.com report”
  • When queried, a Symantec spokeswoman said “we took the initiative to remove it because we didn’t want the information to compromise the ongoing investigation.”
  • Alex Holden, founder of Hold Security, who worked with Brian Krebs on the Adobe breach, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers
  • “I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials setup specifically for exploitation of the device.”
  • As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, only Target and high-end retailer Neiman Marcus have acknowledged the attacks.

Adware vendors buy Chrome Extensions to send ad- and malware-filled updates

  • While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners.
  • This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.
  • Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens.
  • Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions.
  • Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
  • A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension.
  • One morning, the extension author got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
  • A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links.
  • This isn’t a one-time event, either. About a month ago, I had a very simple Chrome extension called “Tweet This Page” suddenly transform into an ad-injecting machine and start hijacking Google searches.
  • Google has stated that Chrome’s extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose.
  • Chromium Blog: Keeping Chrome Extensions Simple


Round Up:

Question? Comments? Contact us here!