Critical Thinking - Bug Bounty Podcast

Episode 95: Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side

Oct 31, 2024

In this enlightening discussion, MatanBer, an expert in browser extension security, shares his insights on the intricate architecture of Chrome extensions. They dive into threat models, focusing on content scripts and service workers, highlighting vulnerabilities in isolated environments. Key topics include the nuances of message passing and the security risks posed by poorly secured implementations. MatanBer also unpacks clickjacking and phishing scenarios, stressing the critical need for robust security measures to prevent exploitation.

01:56:23

Creator website

Episode guests

MatanBer

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Understanding the structure and components of browser extensions is crucial for identifying potential vulnerabilities and attack vectors.

Content scripts, operating in an isolated world, can manipulate DOM elements, making them susceptible to exploits like clickjacking.

Service workers play a vital role in managing communication within extensions, requiring keen insight for effective security assessment and exploitation.

Extension pages can pose significant security risks through cross-origin interactions, especially if they allow unsafe communication with external origins.

Deep dives

Introduction to Browser Extensions and Security

Browser extensions are often an underserved area in terms of security, making them a prime target for vulnerabilities. The podcast highlights the importance of understanding the structure of browser extensions to identify potential attack vectors. Three primary components are discussed: content scripts, background scripts (or service workers), and extension pages. Understanding these components is essential as they dictate how extensions interact with web pages and each other, leading to various security implications.

Intro

2min

Understanding Browser Extension Security

17min

Navigating Chrome Extensions and Security

7min

Understanding Chrome Extension Security and Attack Vectors

4min

Understanding Chrome Extension Security

4min

Exploring Shadow DOM and Security Risks in Browser Extensions

9min

Exploiting Content Scripts in Chrome Extensions

6min

Exploiting Browser Extensions: XSS Risks and Vulnerabilities

17min

Exploiting Browser Extensions: A Phishing Deep Dive

4min

10.

Navigating Browser History Manipulation

7min

11.

Exploiting Chrome Extensions: An In-Depth Analysis

9min

12.

Exploring Service Workers and Communication in Browser Extensions

5min

13.

Connecting Chrome Extension Scripts

10min

14.

Unraveling Chrome Extension Vulnerabilities

16min

Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

Today’s Guest: https://x.com/MtnBer

Resources

Universal Code Execution by Chaining Messages in Browser Extensions

https://spaceraccoon.dev/universal-code-execution-browser-extensions/

DOMLogger++

https://github.com/kevin-mizu/domloggerpp

BBRE Metamask bug

https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA

Bench Press: Leaking Text Nodes with CSS

https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/

Timestamps:

(00:00:00) Introduction

(00:03:08) Structure & Threat Model for Browser Extension

(00:28:28) Extension Attack scenarios

(01:01:26) Attacking Extension Pages

(01:26:35) Attacking Service Workers

(01:46:23) Getting source code and dynamic debugging

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Critical Thinking - Bug Bounty Podcast

Episode 95: Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Introduction to Browser Extensions and Security

Content Scripts and Their Attack Model

Understanding the Background Scripts (Service Workers)

Extension Pages: A New Attack Vector

Debugging and Analyzing Browser Extensions

Dynamic Debugging: Service Workers and Extensions

Exploring Attack Scenarios: Cross-Origin and External Messaging

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Critical Thinking - Bug Bounty Podcast

Episode 95: Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Introduction to Browser Extensions and Security

Content Scripts and Their Attack Model

Understanding the Background Scripts (Service Workers)

Extension Pages: A New Attack Vector

Debugging and Analyzing Browser Extensions

Dynamic Debugging: Service Workers and Extensions

Exploring Attack Scenarios: Cross-Origin and External Messaging

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights