Hackers Can Compromise Chromium Browsers in Windows by Loading Arbitrary Extensions

Posted on September 24, 2025 By CWS

Chromium-based browsers, including Chrome, Edge, and Brave, manage installed extensions through JSON preference files stored under %AppData%\Google\User Data\Default\Preferences (for domain-joined machines) or Secure Preferences (for standalone systems).

Synacktiv research indicates that by directly altering these files, attackers can make the browser load any extension without the user's consent or involvement from the Chrome Web Store.

A successful compromise involves three technical prerequisites: pre-calculating the extension ID, generating valid Message Authentication Codes (MACs) for both the extension entry and the developer_mode flag, and bypassing enterprise policy controls.

Extension IDs are deterministically derived from the extension's public key or installation path via a SHA-256 hash truncated to 32 hex characters and mapped to a custom alphabet (a–p).

Chromium's integrity checks use an HMAC seeded with a static value extracted from resources.pak, specifically resource file 146, to sign critical JSON keys.

Attackers reverse this HMAC algorithm to compute valid MACs for extensions.settings. and extensions.developer_mode, enabling silent registration of their backdoor extension.

Developer mode within the browser extension

Bypassing Chrome Extension GPO Controls

Enterprise environments commonly deploy GPOs to whitelist or blacklist extensions via policies like ExtensionInstallAllowlist and ExtensionInstallBlocklist.

Three advanced evasion techniques undermine these controls:

Synacktiv stated that by reusing the RSA public key of a corporate-approved extension (e.g., Adobe Acrobat Reader for Chrome), an attacker generates an identical extension ID.

They then inject a malicious unpacked extension under that ID, bypassing hash-based allowlists.

When an unpacked extension and a store-installed extension share the same ID, Chromium prioritizes the unpacked version. This collision lets attackers override trusted plugins stealthily.

Extension Stomping

Windows applies policies in LSDOU order. Although Chrome policies reside under HKCU\Software\Policies\Google\Chrome, a local administrator can delete or modify the registry entries, removing allowlists or blocklists to sidestep policy enforcement entirely.

Leveraging these techniques, threat actors can deploy extensions that intercept network traffic, scrape session cookies, execute background service workers, and inject content scripts into targeted web pages.

A proof-of-concept toolkit from Synacktiv demonstrates remote SMB-based deployment alongside a custom C2 server, enabling JavaScript execution within the browser process and undermining protections such as App-Bound Encryption.

Securing against this vector requires monitoring for unauthorized changes to preference files, validating registry policy integrity, and detecting anomalous extension registrations.

Without such detection mechanisms, "phantom extensions" offer a stealthy, persistent path to enterprise-wide data exfiltration and lateral movement.
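One way to implement the checks listed above, as an added example that is not from the article or from Synacktiv's toolkit: it audits a parsed preference file for developer mode and unpacked extensions (including one registered under an allowlisted ID) and compares a registry policy snapshot against the expected GPO baseline. The location value 4 for unpacked extensions and the extensions.ui.developer_mode key are assumptions taken from Chromium rather than from this page, and the IDs, paths and policy values are constructed samples.

```python
import json

UNPACKED = 4  # Chromium Manifest::Location value for "Load unpacked" (assumption, not stated on the page)

def audit_preferences(prefs, allowlist):
    """Flag developer mode and unpacked extensions in one parsed preference file."""
    findings = []
    ext = prefs.get("extensions", {})
    # The article names extensions.developer_mode; Chromium also stores the flag
    # as extensions.ui.developer_mode, so both locations are checked.
    if ext.get("developer_mode") or ext.get("ui", {}).get("developer_mode"):
        findings.append(("developer_mode_enabled", None, None))
    for ext_id, entry in ext.get("settings", {}).items():
        if entry.get("location") != UNPACKED:
            continue
        # An unpacked entry under an approved ID takes priority over the store copy.
        kind = "unpacked_shadows_allowlisted_id" if ext_id in allowlist else "unpacked_extension"
        findings.append((kind, ext_id, entry.get("path")))
    return findings

def policy_drift(baseline, current):
    """Report policy entries expected by the GPO but missing from the registry snapshot."""
    drift = []
    for name, expected in baseline.items():
        missing = sorted(set(expected) - set(current.get(name, [])))
        if missing:
            drift.append((name, missing))
    return drift

# Constructed sample data: IDs, paths and policy values are placeholders.
APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop"
SAMPLE_PREFS = json.loads(r"""
{"extensions": {
  "ui": {"developer_mode": true},
  "settings": {
    "abcdefghijklmnopabcdefghijklmnop": {"location": 4, "path": "C:\\Users\\Public\\ext"},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"location": 1, "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\1.0_0"}
  }}}
""")
BASELINE = {"ExtensionInstallAllowlist": [APPROVED_ID], "ExtensionInstallBlocklist": ["*"]}
CURRENT = {"ExtensionInstallAllowlist": [APPROVED_ID]}  # blocklist value deleted from HKCU

if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFS, {APPROVED_ID}):
        print(finding)
    print(policy_drift(BASELINE, CURRENT))
```

In production the same functions would be fed each profile's Preferences and Secure Preferences files and a registry export of the Chrome policy key, with findings forwarded to the SIEM.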
