Zero-day vulnerability in Infinity New Tab (Chrome extension)

Backdoor

The browser extension was hijacked on Google Web Store. The injected script was displaying and advertisement via alert10.js script, informing victims that their PC has been infected with malware and suggesting to purchase fake antivirus.

Vulnerability details

Advisory: SB2017081615 - Backdoor in Infinity New Tab Google Chrome extension

Vulnerable component: Infinity New Tab (Chrome extension)

CVE-ID:

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Description:

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to presence of backdoor code in Infinity New Tab Google Chrome extension 3.12.3, distributed via Google Web Store.


Known APT campaigns:

Attack against Google Web Store developer accounts

Accounts of several developers of Google Chrome extensions were compromised. The malicious actors published new version of Chrome extension, which contained backdoor code. The campaign has started approximately in March 2017 and continued in August 2017. The total verified number of compromised extensions equals 6. Approximate number of affected victims - 4.1 million, according to Proofpoint.
https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.