CrossBarking Attack Targeted Secret APIs, Exposing Opera Browser Users

Published: 23/11/2024   Category: security


Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser and reach special, powerful APIs that are used by developers and normally reserved for only the most trusted sites.



Researchers have uncovered a browser attack that abuses private application programming interfaces (APIs) in Opera to give an attacker near-total control over a victim's browser.
Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.
Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, exposes private APIs to several preferred third-party domains, such as Instagram, Atlassian, and Russia's Yandex and VK, as well as to Opera's own domains, both internal development domains and ones that are publicly reachable in the production version of the browser.
These private APIs may be useful for developers, but researchers from Guardio demonstrated that attackers can reach them too, gaining nearly every power a browser can grant: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called CrossBarking.
The goal of CrossBarking is to run malicious code in the context of sites that have access to those powerful, private APIs. To do that, one could use, for example, a cross-site scripting (XSS) vulnerability in such a site. Or, even easier, a malicious browser extension.
Getting a malicious extension onto Opera's own add-ons store is no small feat. Many a developer has complained about how drawn out its manual review process can be, taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: the extensions they add from that store have been thoroughly vetted.
That isn't as much the case for Chrome extensions, which Opera also allows its users to install. Chrome add-ons undergo a largely automated review process and can go live within hours or days of being submitted for approval.
So, to reach Opera's privileged sites, Guardio researchers developed a Chrome extension rather than an Opera one. They designed it to add pictures of puppies to webpages, a cover for running scripts on any site the user visits, and concealed its malicious behavior well enough to get it approved on the Chrome Web Store. If a puppy-loving Opera user installed the extension and then visited a site with private API access, the extension would inject a script directly into that page, running attacker code in the site's context and gaining whatever powers those private APIs afforded.
To demonstrate the breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows reading and editing any available browser setting. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of the browser's name resolution through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.
"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — [we didn't] have enough time to check all of the possibilities."
In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that grant them powers beyond those afforded to the hoi polloi. That applies to Opera and to other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.
To fix the CrossBarking issue, Opera did not do away with its private APIs or with Chrome extension compatibility. On Sept. 24, though, it adopted a quick-fix measure already present in Chrome: blocking any extension from running scripts on domains that have private API access.
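To make the two mechanisms above concrete, here is an added example in JavaScript. It is not code from Guardio, Opera or the original article. It evaluates Chrome extension match patterns (the `matches` / `exclude_matches` entries of a manifest's `content_scripts`) against a set of hosts assumed to carry private-API access, shows that a blanket `<all_urls>` pattern like the puppy extension's reaches every one of them, and then applies a policy in the shape of the fix described: privileged hosts refuse extension script injection regardless of what the manifest declares. The host list, the manifest and the policy function are constructed assumptions for this example; the article does not publish Opera's exact domain list or how the block is implemented in the browser.

```javascript
// Added example, not code from Guardio, Opera or the article.
// Compile one Chrome extension match pattern into a predicate over URL objects.
// Grammar (per Chrome's match-pattern docs): <scheme>://<host><path>, or <all_urls>.
function compileMatchPattern(pattern) {
  if (pattern === '<all_urls>') {
    return (url) => ['http:', 'https:', 'file:', 'ftp:', 'ws:', 'wss:'].includes(url.protocol);
  }
  const m = /^(\*|https?|file|ftp|wss?):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // Escape regex metacharacters in the path except '*', which becomes '.*'.
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  const pathRe = new RegExp('^' + escaped + '$');
  return (url) => {
    const schemeOk = scheme === '*'
      ? url.protocol === 'http:' || url.protocol === 'https:'
      : url.protocol === scheme + ':';
    if (!schemeOk) return false;
    if (scheme !== 'file') {                 // file: patterns carry no host
      if (host === '*') {
        // any host
      } else if (host && host.startsWith('*.')) {
        const base = host.slice(2);          // '*.example.com' also matches example.com
        if (url.hostname !== base && !url.hostname.endsWith('.' + base)) return false;
      } else if (url.hostname !== host) {
        return false;
      }
    }
    return pathRe.test(url.pathname);
  };
}

// Hosts ASSUMED for this example to be granted Opera's private web APIs. The article
// names Instagram, Atlassian, Yandex and VK but does not list exact hostnames.
const PRIVILEGED_HOSTS = new Set(['www.instagram.com', 'atlassian.com', 'yandex.ru', 'vk.com']);

// Content-script entries of a manifest whose patterns would inject into urlString.
function injectableContentScripts(manifest, urlString) {
  const url = new URL(urlString);
  return (manifest.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((p) => compileMatchPattern(p)(url)) &&
    !(cs.exclude_matches || []).some((p) => compileMatchPattern(p)(url)));
}

// Audit: which privileged hosts could this extension reach on manifest terms alone?
function auditManifest(manifest, privilegedHosts = PRIVILEGED_HOSTS) {
  return [...privilegedHosts].filter((h) =>
    injectableContentScripts(manifest, `https://${h}/`).length > 0);
}

// Policy in the shape of the described fix (hypothetical implementation): hosts with
// private API access deny extension script injection no matter what the manifest says.
function injectionAllowed(manifest, urlString, privilegedHosts = PRIVILEGED_HOSTS) {
  const url = new URL(urlString);
  if (privilegedHosts.has(url.hostname)) return false;
  return injectableContentScripts(manifest, urlString).length > 0;
}

// Constructed manifest for a "puppy pictures" extension with blanket injection rights.
const PUPPY_MANIFEST = {
  manifest_version: 3,
  name: 'Puppies Everywhere (constructed example)',
  content_scripts: [{ matches: ['<all_urls>'], js: ['puppies.js'], run_at: 'document_idle' }],
};

console.log('reachable before fix:', auditManifest(PUPPY_MANIFEST));
console.log('allowed on instagram after fix:', injectionAllowed(PUPPY_MANIFEST, 'https://www.instagram.com/'));
console.log('allowed on an ordinary site:', injectionAllowed(PUPPY_MANIFEST, 'https://news.example.org/'));
```

The audit side is what a store reviewer or an enterprise extension policy can evaluate statically from the manifest; the policy side is the browser-level control that does not depend on the store's review quality at all, which is why it closes the Chrome-store-on-Opera gap the article describes.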
"The infrastructure of Chromium is [such that] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.
He adds: "In this case, again, it wasn't even in their [app store]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. [They have to see] the entire ecosystem, not only this vulnerability, to keep up with the threat."
In a statement to Dark Reading, a representative of Opera wrote: "Responsible disclosure is a big part of our ongoing work with third-party researchers — it helps us identify security flaws and fix them before they have had a chance to be exploited by bad actors. We would like to thank Guardio for their diligence and care in reporting this issue, and we will be carefully reviewing the way that web app features are enabled in the browser to avoid similar issues in the future."
