So I'm Matt Johansson, Matty J, whatever you want to call me. I'm Kyle Osborn, or theKos. This is theKos, baby Kos, sure. I'm theKos. A lot of people know me as Jack Bauer now, so that's kind of cool. The internet's Jack Bauer, for the LA Times. And someone joined, I don't know who it is, but someone's on. Who is it? There he is, cool, video chatting with us on our Chromebook. So we both work for WhiteHat Security's Threat Research Center. That sounds pretty much as epic as it gets, right? But we are web app hackers. You want to talk about it? Oh, yeah, yeah. I'm an application security specialist, blah, blah, blah. Offensive security, fun stuff. Likes to make things scarier than they actually are, but not FUD-like. Kyle breaks things. This is our obligatory "what our company does": we scan websites for vulnerabilities, just past 4,000 sites. Very cool. Don't care. Okay. So, the CR-48. This is what started this whole mess. This is what started our research. Kyle's sitting on Google Plus on it right now. This is the beta version of the Chromebooks that came out back in the fall of 2010. Who had a beta CR-48 in the room? Sweet. Yeah, they were sitting on about 25,000. You have yours right there. I have an extension I'd like you to install. So they were sitting on about 25,000 of these. They mailed them out. They gave WhiteHat one for us to hack on, and we wouldn't be here if we didn't, right? So we found some pretty cool things. So, before the CR-48 came out, Chrome OS was out as an open source project. You could install it on whatever machine you were running, whatever VM you were running, that kind of thing. This was the first device that was actually dedicated to it and utilized all of its features, utilized all the security features that Google put in place. Another thing is that this is no longer a beta product.
These are out in the public. Samsung put them out as Chromebooks. Did anyone buy them? Cool. Nice. All right, so yeah, they're out there. They're in production right now. So yeah, what do we know about Chrome OS, right? It's a web-based operating system. We were actually shocked when we opened this laptop that it was just a browser. It was just Chrome. We were like, oh, okay, a machine with Chrome on it. I already had one of those. But this is all it is, right? It's just Chrome. So in order to get any functionality out of this besides the web browser, you've got to use the extensions in the Web Store. It's kind of like the Apple App Store, but they obviously couldn't call it that. So, because of all of that, nothing is stored locally, right? The hard drive, you have no access to it. As a user of this device, you cannot touch the hard drive. You can't store anything on it. It's small anyway. Nothing is really on it. The file system is there. It's just Chrome. So because of that, it's pretty fast. You open these things up and they're on; you're online, you're on the web browser. And Google's kind of pushing you towards storing everything in Google Docs or your Google Music, anything like that. They're pushing you towards the cloud, right? So this is what they're putting up against the iPads of the world, right? This is what they're putting up against Apple. They're trying to steal some market share, and it could very well sneak its way into the market. The Samsung Chromebook only came out in June. So even though we've had these CR-48s for a while, they've only been available for public purchase for a few months. So we don't really know what it's going to look like, whether this is going to steal a bunch of market share or not.
So the analogy that we like to make, and I've made it a few times already, is that these things are kind of like mobile devices but with keyboards, right? So it's an iPad with a keyboard, but it's just a web browser on it. So the same way that those phones, like an iPhone or something like that, are very locked down: you can't install anything on it. You can't just go ahead and install Microsoft Word on your iPhone, right? Wouldn't that be cool? But in order to do anything with it, without jailbreaking it, you've got to go to the App Store, right? So how many people in here have more than three pages of apps on the iPhone in their pocket? Okay, a bunch of you, right? So people go app crazy, right? You've got to download a bunch of different things. So those of you who have iPhones and have installed all these apps, how many of you have seen the permission warning that comes up, right? This app that you're about to install is going to have access to your GPS location, your call history, your text messages, your mother's maiden name, your social security number, all that kind of thing, right? Who's hit cancel because of that pop-up box? Oh, not enough of you. This is DEF CON. Come on. All right. So the same thing kind of happens in the Chrome Web Store when you go to install an extension on Chrome. Right below the install button, it says what websites that extension is going to have access to talk to. So we'll see some more examples of this in a second. Another thing we want to point out is that with the App Store, there's actually a code review process, or not necessarily code review, there's an application review process, sort of like a QA sort of deal going on. It's not a security review as far as I know, but the Chrome Web Store doesn't have any sort of QA process going on. So you go immediately from the third-party developer to the Google Chrome Web Store, for anybody to download.
So a lot of these extensions are developed by third parties, right? It could be Zynga, or it could just be a person, right? Google also has a bunch of extensions in there, but we found vulnerabilities in those, too, right? So there's the other thing I wanted to talk about. Oh, yeah. So because of the lack of a review process in the Chrome Web Store, you can look it up right now: there's an extension called Cookie Stealer. I promise we didn't make it, but it's called Cookie Stealer, and that's what it does, and it's available for download. We're going to demonstrate a malicious extension that we developed later on in the talk. We named it Malicious Extension, with no legitimate purpose whatsoever. I did upload it, and it got into the Web Store, no problem, right? You could have downloaded it. Well, we'll show it later. It's not there anymore. He took it down right away. I only let a few people download it. We put the icon as a picture of Justin Bieber. It had four million downloads. Okay. So what does a hacker see, right? So we're looking at this Web Store as web hackers, like heaven, right? This is a brand new attack surface for us. This is months old. It's not even years old yet, right? So I'm sure this room, more than anyone, knows: early on in a product lifecycle, where does security come into play? Just non-existent, right? So it's not making money early on. It's costing money, right? So a lot of these extensions are just coming out now. So, of course, they're going to have security holes in them, because that's what we find. Especially now, because it's all just HTML5 and JavaScript. So why do you need to worry about security in HTML5 and JavaScript? You do most of that stuff server-side. There are not very many attacks that a server can't block that get reflected back to a user with HTML5 and JavaScript.
So the other cool thing about a lot of these Chrome extensions, which makes them different from a lot of Firefox or Safari or Internet Explorer add-ons and things like that, is that these are just mini websites. They're just used to help increase the functionality of these Chromebooks especially, but the Chrome browser too, right? You can install any of these on your machine right now. A lot of them just take up very little screen real estate, which is really important with what started the whole mess. So this is kind of their version of Notepad. It's called Scratchpad. It's just a note-taking application. It was pre-installed. It was the very first one on the CR-48. Who's used it? Who's seen it? Who has CR-48 Scratchpad? All right, cool. So it's a little nifty note-taking thing. And the other feature that's cool about it is that it automatically syncs to your Google Docs account, in a folder called Scratchpad. So when you're writing up your shopping list or whatever you're doing in this little tiny mini-website at the bottom of your screen, it syncs to your Google Docs account. Another feature of Google Docs that we've used in this exploit is that you can actually share a document or a folder with someone else who's using Google Docs, and they don't have to give you permission to get that folder or document, right? Which has been, I guess, mostly okay, because Google Docs is pretty well protected. But the Scratchpad extension was not, right? So we could go ahead and share our malicious document, which you'll see in a second. Do you have anything you want to say? Right. So just the key points that we wanted to push are that it comes default. Everybody that has Chrome OS has it. You can install it on Chrome. What was it? You're authenticated to your Google account to use it, right? The main feature is that it syncs to your Google Docs account. You're definitely authenticated. Everyone has it.
It's on every single one of these Chromebooks, and you don't need permission to receive anything. And then on top of that, Google Docs lets you share to anybody without notifying them or allowing them to accept it. It just automatically goes into their documents, completely stealthy if you want it to be. So not only do they not need to give permission, there's a nice convenient checkbox when you share a document that says turn off email notification to the person. So we can go ahead and share the document without the permission, and they'll never even know that it happened, right? And this automatically syncs to Scratchpad. So Google fixed this cross-site scripting bug right away, but I found it within half an hour of opening the CR-48. It was the very first extension I opened. I threw in a tag. No sort of filter. I didn't do any crazy web hacker stuff. I threw in a tag. And we were like, oh, what can we do with this? So at first we were trying to steal the OAuth tokens that it was using and things, but then we just realized that it was talking directly to docs.google.com and www.google.com. So we were able to do some cool stuff. So we have a video, since they fixed it right away. Right. So this is in fall 2010. There were about 30,000 users at the time. Those are either Chrome users or Chrome OS users that got it by default. On the bottom right, you can actually see the little yellow box there; that is the permissions it tells you that it needs to actually function, which is access to google.com and docs.google.com. And your browser history. And your browser history, for some reason. So we're going to go ahead and show intended functionality, which is actually just adding a document and syncing it. So this is a regular user's account. So here is the sync right there. So there's actually a Scratchpad folder on the left, if you can see that. And that's actually where all your documents are stored.
And that's important to remember, that it's in that Scratchpad folder, because we're going to be utilizing that feature to attack this victim. So we're going to go ahead and move over to the attacker's docs, and you can see there's an injection right there, a document right there that has HTML and JavaScript in it. That's completely sane inside of docs.google.com. It's not being rendered. There's no JavaScript being executed. It's just the title of the document. So from... Can you guys see the URL that we're calling? Ah. So we're basically using an onmouseover event just for illustration purposes. This could all happen automatically, but we're going to use an onmouseover event to fire our JavaScript, and it calls out to an external JavaScript file on Kyle's domain, imawesome.com, and that's the external JavaScript file. It expired, so if you want to go buy it, I guess I could have sold it here and made some money. Yeah, now we're going to share it. So we're actually going to be sharing the Scratchpad folder. Now when we share the Scratchpad folder from the attacker to the victim, the full folder actually gets moved over. So right here we go ahead and throw the user ID, or the username, the victim's email address, into there, and we uncheck that little nifty checkbox that says "Send email notification." So we can just simply share it to the user without any sort of notification. So go ahead and share it. We'll zoom back right over to the victim's account, and in just a second his Google account will sync with the shared Scratchpad folder. There it is. And then in just a second it's going to sync with Scratchpad. Now this is just an onmouseover event, so just a link with a JavaScript event. We can make this all automated. There's no reason that we couldn't just make it pop. So what we're doing here: we sourced that JavaScript file into this completely sane extension provided by Google, and we have now taken over the extension.
So we made some nifty buttons in JavaScript that do exactly what they say on them. Right, for the purpose of the demonstration there are buttons; all the automation is pretty basic. So the first button actually grabs your Google contacts. Because you're logged into Google and Scratchpad needs to access google.com, we can just pull down google.com/contacts. So I can have Scratchpad just make a request, pull down the export functionality, pull it all down in nicely formatted CSV format. Thank you, Google. And then I can wrap that up. It's very possible. I can just wrap that up and spit it back out, send it back to the attacker, without the user ever really noticing. Another bit of functionality that the Scratchpad app has, because it has access to docs.google.com and www.google.com: I can actually spawn a tab with one of those host names in it, and then I can inject JavaScript into that frame. There's a nifty built-in function called executeScript. Yeah, tabs.executeScript. So it's great, because now we can effectively inject JavaScript into any web page we want. And in the scope of this app it's only docs.google.com and www.google.com, but we can effectively inject our own JavaScript into these web pages without any sort of vulnerability in these web pages. So there's no cross-site scripting that we know of in google.com that we're utilizing here; we've simply just injected the JavaScript directly into the DOM via these extensions. And so you can see on the screen, we just have the stereotypical alert box with the cookie in it. So what we could have done here is shared a malicious folder with a malicious document with someone that we knew was using Scratchpad, automatically execute JavaScript in the context of it, grab your whole address book and your session, and then force you to share that same document with everyone in your address book, and so on and so forth. And let's go ahead and not notify anyone that we did this. So it's potentially a zero-click silent worm, right?
So we can go ahead and just steal every session of anyone who was using Scratchpad at the time. One click, if you had to open the extension. But this all could happen automatically if the extension was open. So how do we do this, right? So we've been talking about permissions a little bit here and there, right? So if you guys have played around with Chrome extensions at all, when you have them installed locally, the permissions are actually set in a file called manifest.json, and basically it just tells you what websites this extension can talk to. Scratchpad can talk to docs.google.com and www.google.com. But of course it can, right? So, like, if you install a Google Docs note-taking app, of course it's going to be able to talk to Google Docs. Why would that stop me from installing it? But the cool thing here is that the permissions are set by the third-party developer, right? So if they don't know any better, what do they default to? Talk to every website. You know, I don't want to deal with this later when it breaks something. So we've seen some extensions out there that have these wide-open permissions, just basically star, can talk to star, that don't need it. But the other kind of scary thing is that some extensions need that permission. Something like an RSS reader, right? Is there any way to blacklist or whitelist an RSS reader for what websites it's going to be able to talk to? So if you have an RSS reader extension, it's going to need to talk to every possible website that's going to have an RSS feed on it. So it's going to have wide-open permissions. And again, Google does not check these extensions or the permissions that are set by the third-party developer before they're uploaded to the Web Store. All right, so a quick overview of the APIs that, as an attacker, I found interesting. So the first three, bookmarks, cookies, history: those basically allow me to access, edit, delete, insert bookmarks, cookies, and history.
This is great because I can kind of pull down your whole history, all your bookmarks, all your cookies, and then if I want to make trends, I can figure out which websites you go to most often. I can stage attacks based on that information. Or if I have direct API access to all of your cookies, I can just pull down all of your cookies and impersonate you on every website that you're currently logged in to and have a session with. Now, windows and tabs. Windows and tabs: pretty much all the extensions have this. This is basically the API that allows them to create popups, create new tabs, and create new windows. It's pretty standard. This is also the... Or talk to any currently open tab or window. So if an extension needs to talk to a website that you currently have open, it doesn't need to pop something up or let you know. And this is the awesome one, because this is the one that has the functionality of tabs.executeScript. So most of the extensions utilize this API, and most of them have the ability to call the executeScript functionality. And that's great, because if most of them have it, it just means it's that much easier for us to inject code into websites that we feel necessary to. So on the bottom there, you see a screenshot of the manifest.json file, like a sample manifest.json file. It just had permission to storage, notifications, tabs. Tabs is what we're talking about. That's cool. And then you'll see a sample wide-open permission kind of regex. So it can match on any protocol, any domain, any path. "Any protocol" is kind of tricky here. It's not actually any protocol. It's either HTTP or HTTPS. So even though it's a star, it's just those two things. We can't start initiating FTP connections and stuff like that through these things. And you see that very often. There are extensions in the wild right now with exactly that. Every once in a while I pull down the top 1,000 featured or most popular extensions.
I go through and I parse the manifest.json files, and there's a good percentage that have exactly that. And of those, I can usually find a few that have vulnerabilities. So what are we looking for now? As web hackers, we're not looking for buffer overflows or anything like that in your software security. It was perfect. We were giving this talk at the executive briefing at Black Hat. It was a quick little couple of minutes of it. And this guy was talking before me, and I couldn't have asked for a better person to be talking before me. He went up and talked about ASLR and DEP and all this kind of stuff, comparing Windows 7 and OS X and the latest and who's more secure. He gave this whole talk about that, and I got up there and introduced ourselves and I said, this is exactly why we don't care what he just talked about. We don't give a shit about ASLR or DEP, anything like that. We're talking about everything in the web now. I don't care about what's on your hard drive. These machines are not going to be able to make you lose your job quickly. Even if they did, you're storing everything in the cloud anyway, right? We were just able to hijack everyone's Google account. How many people live in Google? I know I do. It's all my email. We were cracking up. We were using Google Docs to pass outlines for this talk back and forth to each other. We just found a vulnerability in it while we were testing Scratchpad. I also shared with you that we're looking for a new set of usual suspects. We're not looking for insecure software on your hard drive or anything like that. We're looking for extensions that are going to take input from somewhere and display it back on the screen, for cross-site scripting vulnerabilities. We're going to look for extensions that perform some sort of sensitive administrative function for you conveniently on some website, for CSRF vulnerabilities. We're going to look at some of the web hacks that everyone's known about for decades.
We're not doing anything fancy here. I don't want to write crazy buffer overflows, ASLR/DEP bypasses, anything like that. We're just writing JavaScript, and we're doing some pretty cool stuff. The other unique thing about these extensions is, if you find cross-site scripting on a website, you can attack the users of that website. If you find cross-site scripting in an extension with wide-open permissions, that's completely different. We're not seeing that a lot today. This is kind of new. So we have a direct quote from Kyle here. So why are we going to spend all this time trying to learn assembly code or anything like that when JavaScript is really easy? So it says, this small child. That is a quote that I said. So cross-site scripting is going to give you everything we want and more. Exploit development is hard. I don't have time to learn it. I'm not smart enough to learn it. Kyle agrees that I'm not smart enough to learn it. All these APIs are really easy and callable by JavaScript. Maybe we could get a memory-based malware keylogger on this system if we really felt like trying to break the sandbox or something like that. No one even showed up at CanSecWest to try to break the sandbox. That's not what I'm going to spend my time doing. The return on investment isn't worth it there. The impact is so high with these vulnerabilities, but the learning curve is so low. It's really just JavaScript. Most of the attacks can be done in two to five lines of JavaScript, and it would be pointless to really do any sort of in-memory malware, because as soon as you reboot the machine it's lost. Your attack window is a shorter amount of time, and you can't really do much once you get the code execution. The hard drive is read-only besides your home directory, but nothing in your home directory is executable, so you can't even maintain persistence with native code execution.
The other thing that we haven't seen yet, that we're seeing here, is that if we're going to fix this, besides fixing just the cross-site scripting holes, a lot of the sanitization might have to happen client-side. These extensions are local. Usually when you fix cross-site scripting, you're doing some sort of input validation or output encoding on the server side. What if these extensions don't talk to a server at any point? They're just grabbing information locally, things like that. Then the sanitization might have to happen client-side. That's crazy. We don't even know what that's going to look like. Let's get to another fun demo. This is a purposefully malicious extension that we threw together just to demonstrate, really. This extension pretty much has the same permission levels as the Scratchpad extension does. It's nicely named Malicious Extension. Anything we do here we could have done with Scratchpad. I can't do it anymore because Google fixed it. Actually, I take that back. The only difference from the Scratchpad extension is that instead of having only access to google.com, we have access to *://*/*. We can access any domain, any hostname, any protocol. That's actually very common. There are extensions out there, RSS readers, things like that. I think at the time the top-rated RSS reader and the top-used RSS reader had an XSS bug in it and had permission to talk to every website when we found it back in December. This is just a little easier to demonstrate. With this extension here, I'll go to maximize. Great. With this extension here we just have the nice little buttons again. Of course, we've seen the Google contacts. We can just pull that up, and there you go. There's your Google contacts in a nice CSV format. This is a fun one. Did you update this? Yeah, we did. Who wants to come up on stage and type their phone number in? Wedgie. I promise it's a password field. No one will see it. One, the area code and your number. No, no.
What we're doing here, since this extension has permission to the whole website, it also has permission to Google Voice. We're actually able to hijack that, parse the Google Voice CSRF token on the fly, and then spoof a text message. Actually, I changed it. It's no longer a text message. It's spoofing a phone call. As a user, if I wanted to get someone to call someone, I would have Matt with a vulnerable extension. I would pop his extension. Then I would force a phone call to his phone, and then that would call whoever I wanted it to. Our last one was also a text message. But it's not limited to that. We can pull down your call history. We can pull down your voicemail. It's really not limited at all. Your phone ring? Not yet. Mine ring. No. It's using the victim's Google Voice account to call you. As an attacker, you were just using my Google Voice account, which then called you. That could all be automated again. It's just buttons because they're pretty. The demo gods are not smiling. Another fun one, which is Execute Alert. Execute JavaScript, same thing with google.com. We're just going to go ahead: google.com, Facebook, JavaScript injected, Twitter, Yahoo, and Chase is still giving some error. Let's just go ahead and pretend there's an alert box there. Will it actually work? Look at that. These websites don't have any vulnerabilities in them. I'm sure they do. We don't have permission to test that. We haven't exposed or utilized any vulnerabilities in these websites. We're just injecting code into them. We can go one step further. Instead of alert, why don't we just inject a JavaScript keylogger? There's your in-memory malware. You now have a keylogger in every page that you go to. It's not just spawning tabs. I can contact tabs that are already open and inject as much or whatever I want. We can listen for what tabs you're opening. We can view your history via the history API. We can watch I Love Lucy. I Love Lucy.
Another fun one, which hopefully doesn't kernel panic your Mac again. We can actually do XHR scans. Because we have access to *://*/*, whatever, we have access to everything. This also includes IP addresses. We can actually use XHR requests to scan your local subnet and look for anything listening on port 80. We'll go ahead and do this on this one and we'll see if anything pops up, and hope to God that it doesn't. The button doesn't work. That's sad. We can basically do any port that's not restricted by the browser. The browser has it hardcoded. You can't access port 20 through 25. You can't do IRC. You can't do SMB stuff. You'd want to be able to do SMB scanning in the network to look for Windows hosts. You could pull down a local list of web servers in your local area network. I could potentially fingerprint your internal network by taking over one of your extensions. Scan your internal network. Look for fancy things. Say you have Jira listening. Or maybe there's printers there that I can take advantage of. Who was at our Black Hat talk? Anyone? We found a printer. We did the XHR scan, and there was a printer listening, and we did that. It was pretty awesome. I don't know why this isn't working now. It's probably somewhere. There may not be anything. We might be segregated. It's cool because you can see it do its little thing here. It scans really fast. It made all those requests at the same time. It's a very quick scan. We can pull back not only the fact that the host is up but the content on all the pages we're requesting. We can pull back the full HTML page and the headers. If you do have Jira or some wiki or ticketing system on your internal network, we can pull that back, parse that page, and find out exactly what it is. From there, we can, as an attacker, go, okay, great, you have Jira. I have a Jira zero-day. From your web browser, I'm actually going to own your Jira server.
Load up a Meterpreter session, and suddenly I have a shell from your Jira server that I attacked from your browser, calling back out to me, and I have a real shell on a server inside your network. So... Who uses LastPass? Who's heard of it, uses it? For those of you who don't know what it is, it's a password manager. Us security guys, we're always telling people, hey, you need to use different passwords for everything. Use a different password for every website, or any of them at all. LastPass is actually a website that makes that a little bit more user-friendly. You go there, you make one password for LastPass, it generates passwords for all your different sites, stores them securely. It actually is a really awesome service. Kyle used it, and that's why we found the vulnerability in it. They have an extension in Chrome. It had cross-site scripting in it when we first were testing it, but they fixed it right away. They've actually been really awesome to work with. We're really into it right now. So this is kind of our demo of: we can own an extension that has no vulnerability in it, that's doing absolutely everything correctly, and it's pretty cool. Right, so when I was testing the LastPass extension, I did find a vulnerability. Some pretty hard-to-manage ondrag, whatever. They fixed that pretty immediately, but I realized as I was testing it, there's this functionality of the extension that, as long as you're logged into the extension, will automatically log you into the LastPass website. So if you're logged into the extension, like you are, I mean, you're going to be logged into the extension if you're browsing with it. You want to be able to access your Gmail account without being logged in. You don't want to have to re-authenticate. So you've always got the little red square up there saying that you're logged in. So when that's the case, you can go to LastPass.com and it'll automatically log you into LastPass.com.
It does this because the extension notices that you went to LastPass.com, and it kind of handles the login process for you. It lets the server know that you're actually logged in, and then it passes your local crypto key from LastPass to the web browser, to the frame. So real quick, LastPass, like Matt was saying, is a great service. It handles all of your encryption locally. So your database that you send them is all encrypted. Your password is never actually sent to them. It's all stored locally. It's all in the DOM. It's all decrypted in the DOM with a representation of your password. So anyway, it passes that local key to that frame. Now we can take advantage of this automation, because if, say, we own an RSS reader, just a Joe Schmo RSS reader, some third-party developer that doesn't really know anything about security but makes some great extensions and, say, has like 500,000 downloads in the Web Store right now, we can spawn a tab for LastPass. Where, of course, I'm not speaking of any actual top-rated RSS reader with a vulnerability in it currently or anything like that. So we can spawn a new window with LastPass. What this does is the LastPass extension then goes in and notices that window. So it thinks that you opened that window and that you want to go to LastPass.com. So it automatically logs you in to your online vault, and you can change settings there and all that and access all your passwords. And that's great. But instead of allowing the user to do that, we're going to have the extension automatically open this window, allow the extension to log you in, and then inject JavaScript to pull out your crypto key. So now I've got your private key to decrypt your database. Then I'm going to just grab your database, because I can do that. It's very trivial, and we're going to demonstrate it right now. We can just decrypt it locally in our hacker den at home. It's like a man cave, but with more green lights and Neo. So we're logged in right now.
We've got recently used, so, okay, Google and a bank. So if we go ahead and click "grab LastPass database", it's going to spawn it up. It's going to automatically load it up. So we're logged in. No prompt to the user. In just a second it's going to change. So, okay, here is your actual crypto key up there. It's a weird way of passing it between the extension. Now I grabbed your database, and then I just decrypted it on the fly right there. So what we can do with this is we can just grab the database, send it back to us with your key, and then suddenly I've literally got the keys to the kingdom. I don't know about you guys, but I put way too much information in my LastPass extension. I've been using it for about two months, and I probably have close to 50 sites or more in there, because I'm slowly switching away from my weaker passwords to the long random stuff. But that doesn't matter if an attacker can just come in and literally steal my LastPass database and cryptographic key. That's my password too. So we did this at Black Hat, and we didn't actually... that's not really my password. DefCon, don't try to log in. And someone logged in and sent us an email. They were very nice, and they didn't change the password on us and lock us out, but we didn't trust you guys. You look shifty. All you evil hackers. Anyway, the important thing to know about this is that there's no vulnerability in LastPass at the moment. We're not taking advantage of anything in LastPass; there's no cross-site scripting that we know about. What we did find, they fixed immediately. The extension itself is not vulnerable anymore, and actually this functionality is no longer there. They made it so you actually have to click it from within the extension. It's still ownable, but the extension doesn't automatically log you in; if you are logged in, though, we can still own it. So it's not as automatic and cool as what our demo was, but it's still ownable.
And that is the latest version of LastPass. You're all safe now, I promise. So we're running out of time, so let's try to fly through some of this. How many of you guys know what BeEF is? You've heard of it. How many of you know what Metasploit is? So BeEF is kind of like the Metasploit of web apps. You can store a lot of preloaded payloads and things like that to do cool stuff and help make hacking websites easier. So if you find a cross-site scripting vulnerability in a website, instead of just hoping that your JavaScript does what you wanted it to do the first time that you pass this injection, you can pass it a BeEF hook, which is what it's called. It actually maintains access, and you can just replay attacks over and over again. So it makes everything that we did really, really easy. So I made this even easier, and I pretty much just took all of the demo functionality I did and threw it into BeEF extensions, BeEF modules. So now when you own an app, all you've got to do is hook BeEF and suddenly you have BeEF inside the extension; you can maintain access, and you can send commands as you want. I'm not there yet. So first, check permissions. If you don't know what extension you're in for whatever reason... all the extensions we tested are local, so we don't really need to check the extensions, but if somehow you manage to own an extension that you're not really familiar with, you can hit this module and it will give you all that information. Execute tabs: execute arbitrary JavaScript inside of all tabs. So if you want to inject a keylogger, it's pretty simple, and my favorite is to inject BeEF. So basically, if you have tabs open and I want inside of those tabs, instead of doing execute tab I can just inject BeEF into those tabs. So I suddenly go from one BeEF session to 50 BeEF sessions, because you have 50 tabs open.
So now not only am I inside your extension, but I'm actually inside bankofamerica.com, I'm inside your PayPal account, I'm inside of every website that you currently have open, and it's very simple. Yo dawg, I heard you like BeEF, so I put BeEF in your BeEF so you can BeEF while you BeEF. Perfect. And the other three just do kind of what the other demos that we had did. So basically, the main point that we're trying to push here is that this is kind of the same problem we've been dealing with forever; it just looks different. So this isn't the end-all be-all of security, but it's definitely a step in the right direction. It eliminates a lot of modern malware and viruses, because you can't talk to the hard drive, but that doesn't mean that we still don't want the information that you're storing on the internet now. And if you're using one of these devices, you're being pushed very heavily to store a lot of information on the internet in order to get functionality out of these. So like I said, we're not looking for buffer overflows, underflows, any sort of stuff like that. We're just looking for cross-site scripting, which is the most widely available vulnerability on the web today. And since you're literally taking the desktop out of the desktop operating system, you have to rebuild all the functionality that you're used to with your desktop operating system. You don't have a calculator anymore, so you have to download a calculator extension. You don't have a mail client, so you have to use some mail client or notification system to recreate that. So one of the first things that people ask as soon as I tell them about any of this research is: what about the sandbox? I hear about this Chrome sandbox; did you guys break it? Did you guys break the Chrome sandbox? Oh my god, right? We didn't break it, we just went around it.
These extensions actually live outside of the sandbox. So what the sandbox does, for anyone who's not familiar, is it isolates each tab from any other tab that's open, and it also isolates that tab from the hard drive. So that's why it eliminates a lot of the modern malware and viruses that we see today. The extensions actually control their own kind of intertabular communication, and again, I made that word up and I think it's awesome. So these extensions completely control the communication on their own, with the permissions that are set locally, and they live outside the sandbox, so instead of breaking it we're walking right around it. We pour water in your sandbox and make it all muddy. So again, just to harp on this: the permissions are set by the third-party developer. They're not set by Google, and they're not checked by Google. But a lot of the stuff that Google did put in place has made some awesome improvements in security. We're just kind of here to say, hey, that's not it, that's not the end-all be-all. One other really cool thing that they did: the Chrome Web Store. We're explicitly not allowed to attack the Chrome Web Store via any extension. It's actually hard-coded into the Chrome source that none of the extensions can interact with the Chrome Web Store. And the reason they did this is because if we could, we could force you to install extensions. So we could kind of do a privilege escalation, right? So if you had a scratchpad installed with a vulnerability, it could talk to docs.google and we could force you to install an extension with wider permissions; then we could do some more stuff. But we can't do that. They thought of that way before we did. So we're going to fly past this, because we didn't do too much research on it, but a nifty new feature of Google: market.android.com. Who's used it, who knows what it is? Okay, cool, a bunch of you. So you can install apps on your Android phone from the internet that's not blacklisted.
So we can actually force-install apps onto your phone via cross-site scripting. And because it's part of Google services, as soon as you go to that website you're automatically logged in and your phone is listed. Literally open up a tab, spit some JavaScript at it, and force you to download and install our own malicious extension, again probably a Justin Bieber wallpaper, and then we can just harvest information off of your phone without you ever knowing, because it doesn't really prompt you on your phone. It doesn't tell you that something's about to be installed; it just tells you "Justin Bieber Live has been installed." Yes. Finally got it. So, just in discussion with the Google security team, who we've been talking to this whole time, they're really cool guys. One of the ideas that they have for fixing this in the future is creating more restrictive APIs for common use cases, things like RSS readers. That's going to eliminate a lot of the risk involved with that. They're going to try to create APIs for extensions that absolutely need to use this wide-open permission set in order to function properly. This unfortunately does not eliminate the threat of a developer not knowing any better and creating an extension with wide-open permissions, since it's just for common use case APIs. So it's not going to eliminate it, but it could reduce it. That's it.
I have one more thing to note. Clap, clap. One more thing that we wanted to note is that all of this is the same for the Chrome browser. The only difference between Chrome OS and the Chrome browser on a Windows, Mac, or Linux machine is that it's just another browser, so you're probably not going to be installing tons and tons of extensions, unlike on Chrome OS. One other thing to note is that, unlike Chrome OS, the Chrome browser can install extensions with binaries in them, plugins. So LastPass actually has the ability to sync your LastPass logged-in status among your other browsers using the binary. We can actually interact with some of those binaries with JavaScript, and I haven't looked into a whole lot of it, but with LastPass alone there's functionality to read arbitrary files on the file system. So if I own your LastPass extension, not only do I own everything in LastPass, I can read random files from your hard drive as I feel. Cool. Thanks, guys. We'll be in the Q&A. Thank you.