The researchers have found a new way to quietly set their extensions in Chrome and other chromium browsers. And all this without unnecessary warnings for users. The focus is how the additional installation settings.
Typically, the special JSON files in AppData are used for control, in which the extended utilities are installed and verification code (Mac) are stitched. But scientists have shown that these tests may be overlooked with just a neat record for the disc.
Method It works like this: First, the attacker calculates the ID of the desired expansion, then draws a secret key for the signature from the browser resource and creates the correct test code.
After that, it was still to rewrite the settings – and the browser obediently launched the left left of the left when starting. Moreover, there is no flag on the command line or downloading from the Chrome store.
A separate trick is the extension set out is Stomping Stomping, if the local expansion has the same ID with the official Chrome website, the local version will receive priority. And this is a direct path to hide the plugin allowed by administrators.
Even the group politicians in the domain network are not economical: they may be fake or simply remove the courses in the registration book (HKCU \ Software \ Policy \ Google \ Chrome).
For attackers, this means a quiet and reliable repair point in the system and for new guards – headaches. Experts recommend changing monitoring in installation files, checking the work shifts of the developer regime and monitoring suspicious editor in the register.
Therefore, research shows a weak location for the entire chromium architecture: Static HMAC lock and the availability of files to record. To close the loss, you will have to check more deeply into the system or increase encryption at the operating system level.
