tuckner

@johntuckner.me.bsky.social

Working on finding bad browser extensions. More at: https://secureannex.com

727 Followers  |  292 Following  |  333 Posts  |  Joined: 22.04.2023  |  2.229

Latest posts by johntuckner.me on Bluesky

More energized than ever after a week in Vegas. Got the opportunity to give my first talk at summer camp, which checks a box on my bucket list. Thankful for everyone I met, folks I got to catch up with, and the discussions that were had!

11.08.2025 19:20 — 👍 3    🔁 0    💬 0    📌 0
the girlies ❀️ @defcon.bsky.social @tracketpacer.bsky.social

#womenintech #networkengineer #softwareengineer #defcon

08.08.2025 18:52 — 👍 145    🔁 7    💬 1    📌 1
Have you ever been sad that a malicious extension got removed from the marketplace before you could finish your incident report, so you're missing a ton of details? Recent screenshots are being added to all extensions so you can see what was listed before it was removed.

01.08.2025 15:16 — 👍 0    🔁 0    💬 0    📌 0
Can't wait for Black Hat and Defcon next week! If you're around and want to meet up, please give me a shout!

31.07.2025 14:47 — 👍 1    🔁 0    💬 0    📌 0
THOUSANDS of extensions in the Chrome Web Store disappeared recently as Google continues to deprecate manifest v2. You can still access them by URL, but the search results are filling up with squatters like "bigjpgai" who copied and republished a version.

30.07.2025 15:09 — 👍 2    🔁 0    💬 0    📌 0
Secure Annex has been developing an MCP server to help folks understand browser extensions without having to install, download, or reverse them. Just ask questions about any extension and it will analyze enriched data while also digging files. If you're interested, get in touch!

29.07.2025 15:22 — 👍 1    🔁 0    💬 0    📌 0
Don't get caught out with your installed extensions when new research starts dropping!

28.07.2025 14:47 — 👍 0    🔁 0    💬 0    📌 0
Risky Business Weekly (799): Everyone's Sharepoint gets shelled Risky Biz returns after two weeks off, and there sure is cybersecurity news to catch up on. Patrick Gray and Adam Boileau discuss:* Microsoft tried to make o...

Browser extensions scraping the web from your browser without you knowing? Deemed malware, many of these extensions have begun to be removed from extension marketplaces. Catch the rundown on the latest Risky Business.

youtu.be/Xs3q4LG5yvg?...

25.07.2025 15:12 — 👍 0    🔁 0    💬 0    📌 0

You can bet it will be solved when we figure out a way to show advertisements from your pacemaker

25.07.2025 01:40 — 👍 0    🔁 0    💬 1    📌 0
Apparently it is no longer malware, nothing to see here

24.07.2025 15:58 — 👍 0    🔁 0    💬 0    📌 0
Microsoft has flagged this package as malware, but it is apparently still listed in the VS Marketplace. What is the deal?

Interestingly, the UUID of the package has changed, so it got reposted after removing the malicious code?

marketplace.visualstudio.com/items?itemNa...
github.com/microsoft/vs...

24.07.2025 15:12 — 👍 0    🔁 0    💬 1    📌 0
Perceptron Network, the largest extension using Mellowtel, has been removed by Google for malware. It loaded the scraper without opt-in on installation. Perceptron claims it is a mistake and is asking users to install manually now.

First identified here - secureannex.com/blog/mellow-...

23.07.2025 21:13 — 👍 0    🔁 0    💬 0    📌 0
Removed from the VS Marketplace on 7/21, what I assume is a new variant of the ScreenConnect remote PowerShell executor. Instead of getting a script from a now known malicious domain, they seem to have pivoted to Discord webhook responses.

Extension -
dafsfsdsfdfsdf11.randomic-slaying-pog

23.07.2025 14:43 — 👍 0    🔁 0    💬 0    📌 0
Software extension management model A guide for managing software extensions installed in browsers and code editors

What stage of the software extension management model are you in? Visibility, evaluation, requests, or monitoring? What do you wish you could be doing better?

secureannex.com/blog/softwar...

22.07.2025 15:06 — 👍 0    🔁 0    💬 0    📌 0
It has gotten incredibly hard to verify extension publishers in the Edge web store. There are no longer any links to support resources or signs that a publisher is who they say they are. For example, clicking on this owner just links to a basic privacy policy. How does that help?

18.07.2025 15:08 — 👍 0    🔁 1    💬 1    📌 0

Yuuuuuummmm

18.07.2025 01:52 — 👍 1    🔁 0    💬 0    📌 0
That is a lot of Salesforce access included in this browser extension for sale

15.07.2025 17:59 — 👍 1    🔁 0    💬 0    📌 0
A new era of browsers is being built to displace Chrome... all likely built on Chrome. What does that mean for extensions? They will continue to exist as they do today, as my first experience with Comet was it deactivating uBlock Origin. Seems like profile management still works.

14.07.2025 15:28 — 👍 0    🔁 0    💬 0    📌 0
Two different extension developers complained on Mellowtel's Discord server about having their extensions banned by Mozilla after media coverage of the fact that ~1m systems are running extensions that use Mellowtel to route web scraping traffic through users' devices.

@techlifeweb Ah that's a shame

11.07.2025 13:39 — 👍 0    🔁 1    💬 0    📌 0
what the hell is going on with extensions turning into malware?
YouTube video by Matt Johansen what the hell is going on with extensions turning into malware?

Fantastic rundown and behavioral analysis of the recent software extension events from @mattjay.com.

www.youtube.com/watch?v=o9XB...

11.07.2025 19:02 — 👍 2    🔁 0    💬 0    📌 0
Browser extensions turn nearly 1 million browsers into website-scraping bots Extensions load unknown sites into invisible Windows. What could go wrong?
09.07.2025 20:09 — 👍 55    🔁 24    💬 2    📌 3
Found 5 malicious extensions in Firefox (2 still active) that:

1. Have keyloggers and form data stealers
2. Squat on popular extensions
3. Attempt to steal cookies... but fail because they use Chrome APIs

Some of the most blatantly malicious ones I've seen. All caught by just URL.

10.07.2025 15:04 — 👍 4    🔁 0    💬 0    📌 0
-Hafnium APT member arrested in Italy
-VenusTech and Salt Typhoon leaks
-Russian drone volunteer group gets hacked
-Satanlock shuts down and leaks all victim data.
-Browser extensions hijacked for web scraping botnet

Podcast: risky.biz/RBNEWS449/
Newsletter: news.risky.biz/risky-bullet...

09.07.2025 06:19 — 👍 18    🔁 7    💬 1    📌 0

Jfc

09.07.2025 01:16 — 👍 1    🔁 0    💬 1    📌 0
Mellow Drama: Turning Browsers Into Request Brokers How the Mellowtel library transforms browser extensions into a distributed web scraping network, making nearly one million devices an unwitting bot army.

Want to know who is behind Mellowtel, the indicators you can hunt for, and the impacts to your organization? The latest @secureannex.com blog covers all of that.

secureannex.com/blog/mellow-...

08.07.2025 19:28 — 👍 0    🔁 0    💬 0    📌 0
Even if you didn't see the iframe loaded, you can inspect your browser console to see the requests made on your behalf. The iframe even takes the loaded content and returns it back to a Mellowtel domain and a Lambda function for further processing.

08.07.2025 19:28 — 👍 0    🔁 0    💬 1    📌 0
How is this easily done? Well, Mellowtel removes the security headers which prevent this, using the "declarativeNetRequest" permission, putting users at risk!

08.07.2025 19:28 — 👍 0    🔁 0    💬 1    📌 0
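The post above describes the pattern worth hunting for when reviewing an extension: a declarativeNetRequest rule that strips the response headers (X-Frame-Options, Content-Security-Policy) a site relies on to refuse being loaded in a hidden iframe. The script below is an added example, not Secure Annex or Mellowtel code, showing how a defender can flag that pattern statically in an unpacked extension. The manifest and rules.json it scans are constructed for the example; the manifest keys (`declarative_net_request` / `rule_resources`) and the rule format (`modifyHeaders` with `responseHeaders`) are the real Manifest V3 shapes.

```python
"""Static check of a browser extension's declarativeNetRequest rules for
removal or rewriting of framing-protection response headers.

Added example for illustration; not Secure Annex or Mellowtel code.
The manifest and rule set below are constructed sample input.
"""
import json

# Response headers a site relies on to refuse being framed by another origin.
FRAMING_HEADERS = {
    "x-frame-options",
    "content-security-policy",
    "content-security-policy-report-only",
}

# Constructed Manifest V3 manifest declaring one static ruleset.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "constructed-example-extension",
    "permissions": ["declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [
            {"id": "ruleset_1", "enabled": True, "path": "rules.json"}
        ]
    },
})

# Constructed rules.json. Rule 1 is the pattern of concern: it removes the
# framing-protection headers from every sub_frame response on every URL.
# Rule 2 is an ordinary blocking rule and should not be flagged.
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders",
                "responseHeaders": [
                    {"header": "X-Frame-Options", "operation": "remove"},
                    {"header": "Content-Security-Policy", "operation": "remove"},
                ]},
     "condition": {"urlFilter": "*", "resourceTypes": ["sub_frame"]}},
    {"id": 2, "priority": 1,
     "action": {"type": "block"},
     "condition": {"urlFilter": "||tracker.example", "resourceTypes": ["script"]}},
])


def manifest_rule_paths(manifest_text):
    """Return the paths of enabled static rulesets declared in manifest.json."""
    manifest = json.loads(manifest_text)
    resources = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    return [r["path"] for r in resources if r.get("enabled", True)]


def find_header_stripping_rules(rules_text):
    """Return one finding per modifyHeaders rule that touches a framing header."""
    findings = []
    for rule in json.loads(rules_text):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        touched = [h for h in action.get("responseHeaders", [])
                   if h.get("header", "").lower() in FRAMING_HEADERS]
        if not touched:
            continue
        cond = rule.get("condition", {})
        resource_types = cond.get("resourceTypes", [])
        url_filter = cond.get("urlFilter")
        findings.append({
            "rule_id": rule.get("id"),
            "headers": sorted(h["header"].lower() for h in touched),
            "operations": sorted({h.get("operation") for h in touched}),
            "url_filter": url_filter if url_filter is not None else cond.get("regexFilter", "<all>"),
            "resource_types": resource_types or ["<all>"],
            # Headers stripped on sub_frame loads with no URL restriction means
            # any site can be loaded into an iframe despite its own policy.
            "frames_any_site": "sub_frame" in resource_types and url_filter in (None, "*"),
        })
    return findings


def assess(manifest_text, rule_files):
    """rule_files maps ruleset path -> file contents, as unpacked from the CRX/XPI."""
    perms = set(json.loads(manifest_text).get("permissions", []))
    findings = []
    for path in manifest_rule_paths(manifest_text):
        for finding in find_header_stripping_rules(rule_files.get(path, "[]")):
            findings.append(dict(finding, ruleset=path))
    return {
        "has_dnr_permission": bool(perms & {"declarativeNetRequest",
                                            "declarativeNetRequestWithHostAccess"}),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES}), indent=2))
```

This only covers rulesets shipped as static files. Rules added at runtime through `chrome.declarativeNetRequest.updateDynamicRules` or `updateSessionRules` never appear in rules.json, so a review should also search the extension's JavaScript for those calls and for header names in string form.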
the content script, which injects a hidden iframe into your current webpage and loads the requested website.

Did you catch it?

08.07.2025 19:28 — 👍 0    🔁 0    💬 1    📌 0
With the websocket open, instructions begin to stream into the extension from server. These instructions generally consist of URLs and how they should be loaded by the extension. There seems to be some connectivity check done by the service worker before passing the URL to...

08.07.2025 19:28 — 👍 0    🔁 0    💬 1    📌 0
The first thing the library does is measure your bandwidth so it knows if you have a reliable connection or not for their requests. Once completed, it creates a websocket connection to a callback server.

08.07.2025 19:28 — 👍 0    🔁 0    💬 1    📌 0