 

Protect against browser extension injected Javascript code

Browsers allow extensions to inject code, manipulate the DOM, etc.

Over the years, I have noticed lots of various uncaught errors (using window.onerror) on a website (app) I am watching, generated by unknown browser extensions on Firefox, Chrome and Internet Explorer (all versions).

These errors didn't seem to be interrupting anything. Now I want to increase the security of this website, because it will start processing credit cards. I have seen with my own eyes malware/spyware infecting browsers with modified browser extensions (innocent browser extension, modified to report to attackers/script kiddies) working as keyloggers (using trivial onkey* event handlers, or just input.value checks).

Is there a way (meta tag, etc.) to inform a browser to disallow code injection or reading the DOM, standard or non-standard? The webpage is already SSL, yet this doesn't seem to matter (as in give a hint to the browser to activate stricter security for extensions).


Possible workarounds (kind of a stretch vs. a simple meta tag) suggested by others or off the top of my head:

  • Virtual keyboard for entering numbers + non textual inputs (aka img for digits)
  • Remote desktop using Flash (someone suggested HTML5, yet that doesn't solve the browser extension listening on keyboard events; only Flash, Java, etc. can).
  • Very complex Javascript-based protection (removes non-whitelisted event listeners, in-memory input values along with inputs protected with actual asterisk characters, etc.) (not feasible, unless it already exists)
  • Browser extension with the role of an antivirus or which could somehow protect a specific webpage (this is not feasible, maybe not even possible without creating a huge array of problems)

Edit: Google Chrome disables extensions in Incognito Mode, however, there is no standard way to detect or automatically enable Incognito Mode and so a permanent warning must be displayed.

Tiberiu-Ionuț Stan asked Sep 19 '12 12:09
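The "complex Javascript-based protection" workaround in the question is only ever best-effort: an extension runs with more privilege than page script and can remove or neuter anything the page installs, so the realistic goal is telemetry (knowing that something is being injected on checkout pages) rather than prevention. The following is an added example, not code from the question or the answer, of a MutationObserver-based monitor that reports runtime-added scripts, frames and extension-packaged resources that do not come from the page's own origins. The allowlist, the sample mutation records and the `/telemetry/dom-injection` endpoint are constructed assumptions; the classification logic is plain and runs outside a browser, the observer wiring only where `MutationObserver` exists.

```javascript
// Constructed allowlist of origins this page legitimately loads scripts and
// frames from (hypothetical values, not from the original post). A hosted
// card-form iframe would live on one of these origins.
const ALLOWED_ORIGINS = ['https://app.example.test', 'https://pay.example.test'];

// Extension-packaged resources use these URL schemes in Chrome, Firefox and
// the legacy (EdgeHTML) Edge respectively.
const EXTENSION_SCHEME = /^(chrome|moz|ms-browser)-extension:/i;

// Decide whether one added node looks like third-party injection. `node` is a
// real DOM node in the browser, or a plain object with tagName/src/href here.
function classifyInjectedNode(node, allowedOrigins = ALLOWED_ORIGINS) {
  const tag = String(node.tagName || '').toUpperCase();
  const src = node.src || node.href || '';

  if (EXTENSION_SCHEME.test(src)) {
    return { suspicious: true, reason: 'extension resource loaded' };
  }
  if (tag === 'SCRIPT' || tag === 'IFRAME') {
    if (!src) {
      // Inline <script> text, or a srcdoc/about:blank frame, created at runtime.
      return { suspicious: true, reason: `inline ${tag.toLowerCase()} added at runtime` };
    }
    let origin;
    try {
      origin = new URL(src).origin;
    } catch (e) {
      return { suspicious: true, reason: 'unparsable src' };
    }
    if (!allowedOrigins.includes(origin)) {
      return { suspicious: true, reason: `${tag.toLowerCase()} from non-allowlisted origin ${origin}` };
    }
  }
  return { suspicious: false, reason: 'ordinary node' };
}

// Reduce a batch of MutationRecord-like objects to a list of findings.
function findInjections(records, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const record of records) {
    for (const node of record.addedNodes || []) {
      const verdict = classifyInjectedNode(node, allowedOrigins);
      if (verdict.suspicious) {
        findings.push({
          tag: String(node.tagName || '').toUpperCase(),
          src: node.src || node.href || '',
          reason: verdict.reason,
        });
      }
    }
  }
  return findings;
}

// Browser wiring: watch the whole document for added nodes and hand any
// findings to `report`. Returns null outside a browser so the file also loads in Node.
function startInjectionMonitor(report) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null;
  }
  const observer = new MutationObserver((records) => {
    const findings = findInjections(records);
    if (findings.length > 0) report(findings);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Reporter that posts findings to a hypothetical server endpoint; sendBeacon
// survives page unload, which matters if the injection redirects the user.
function beaconReporter(findings) {
  const payload = JSON.stringify({ page: location.href, findings });
  if (navigator.sendBeacon) {
    navigator.sendBeacon('/telemetry/dom-injection', payload); // endpoint is an assumption
  }
}

// Constructed sample batch standing in for what the observer would deliver:
// one allowlisted script, one foreign script plus a harmless div, one inline
// script, one extension-packaged image, one allowlisted payment iframe.
const SAMPLE_RECORDS = [
  { addedNodes: [{ tagName: 'script', src: 'https://app.example.test/app.js' }] },
  { addedNodes: [{ tagName: 'SCRIPT', src: 'https://cdn.evil.example/inject.js' }, { tagName: 'DIV' }] },
  { addedNodes: [{ tagName: 'script', src: '' }] },
  { addedNodes: [{ tagName: 'IMG', src: 'chrome-extension://abcdefghijklmnop/icon.png' }] },
  { addedNodes: [{ tagName: 'iframe', src: 'https://pay.example.test/card-form' }] },
];

// Runs the classifier over the constructed batch; three of the five records are flagged.
function runSample() {
  return findInjections(SAMPLE_RECORDS);
}

startInjectionMonitor(beaconReporter);
console.log(runSample());
```

Two caveats a practitioner should keep in mind when deploying something like this: the observer itself is a page-level script an extension can delete or wrap, so a sudden stop in reports from a client is itself a weak signal; and it only sees DOM changes, not event listeners an extension attaches to existing inputs (the keylogger case the question describes), which page script has no API to enumerate.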



1 Answer

Being able to disable someone's browser extension usually implies taking over the browser. I don't think it's possible. It would be a huge security risk. Your purpose may be legit, but consider the scenario of webmasters programmatically disabling ad blockers for users in order to get them to view the advertisements.

In the end it's the user's responsibility to make sure they have a clean OS when making online banking transactions. It's not the website's fault that the user is compromised.

UPDATE: We should wrap things up. Something like:

<meta name="disable-extension-feature" content="read-dom" /> 

or

<script type="text/javascript">
    Browser.MakeExtension.MallwareLogger.to.not.read.that.user.types(true);
</script>

doesn't exist and I'm sure it won't be implemented in the near future. Use any means necessary to best use the current up-to-date existing technologies and design your app as best as you can security-wise. Don't waste your energy trying to cover for users who shouldn't be making payments over the internet in the first place.

Vlad Balmos answered Oct 06 '22 00:10