• Building Chrome Extension Skimmers

    by  • March 27, 2012 • Uncategorized

    Maybe I am trendy, but every time I am working on something new, along comes a company making a post about it. It spreads all over and leaves me wondering if my million dollar idea is now just a meaningless stream of ASCII. It’s times like these that I find it best just to dump the code and let others use it.

    There has been talk about malicious chrome extensions lately as if they ever went away. A couple years ago I took the liberty of creating a Wachovia chrome extension that allowed you to view your bank account balance without ever leaving your page, except it didn’t do that at all.

    Not only is it hard to see where our encoded code exists, but the use of jQuery can also be practical as you can use it within your pop-up component of the extension. Making use of both components makes the extension less suspicious. 

    Developer X is Hacked

    Assume for a moment the developer of AdBlocker is hacked. That extension has hundreds of thousands of users of which could easily be skimmed at any moment. What would happen if you modified the source, included a skimmer and re-uploaded? It doesn’t appear like anything would happen. In fact, I have seen extensions completely remove all functionality they originally had yet still have no issues staying inside the Chrome store. This makes me worry about how often these extensions are checked and removed if at all.


    Chrome extensions haven’t changed and their security is no different than it was years ago. The recent hype that these things could be bad and think twice before installing has held true ever since the store was created. I would bet skimmers like the one documented above exist now with little disturbance and high success. 

    I documented this process not to cause some mass skimmer craze, but to really bring awareness to the issue. Articles often miss the technical details of these topics and how easy it is to do it yourself. I will release the code used to generate the extension guts after my talk at InfoSec Southwest. There is a short script that takes in the code you wish to encode and the key and outputs the end blob.