October 30, 2024 at 09:22AM
Researchers revealed a new browser attack, “CrossBarking,” that exploits private APIs in Opera, granting hackers extensive control over users’ browsers. By using a malicious Chrome extension masquerading as a harmless app, attackers can manipulate browser settings, hijack accounts, and access sensitive information, highlighting security risks in browser API management.
### Meeting Takeaways:
1. **New Browser Vulnerability**:
– A recent attack has been identified that exploits “private” APIs in the Opera browser, giving hackers extensive control over users’ browsers.
2. **Understanding Browser APIs**:
– Browser APIs serve as a link between web applications and browser functionalities (security, storage, etc.).
– Most APIs are publicly available and undergo rigorous reviews, but some are classified as “private” by specific browsers.
3. **Opera’s Approach to Private APIs**:
– Opera provides “private” APIs to select third-party sites (e.g., Instagram, Yandex) and its internal domains, which could be beneficial for developers but pose a security risk.
4. **”CrossBarking” Proof-of-Concept Attack**:
– Researchers from Guardio demonstrated an attack named “CrossBarking” that uses these private APIs to run malicious code via vulnerabilities like cross-site scripting (XSS) or compromised Chrome extensions.
– A benign-looking Chrome extension (designed to display puppy images) was used to disguise the malicious intent.
5. **Potential Impact of the Attack**:
– The attack could change browser settings, including DNS settings, thus redirecting user traffic to malicious servers, allowing attackers to monitor and manipulate browsing activity.
6. **Current Security Measures by Opera**:
– Opera implemented new measures on September 24 to block extensions from running scripts on domains with access to private APIs, although it continues to allow these APIs and Chrome extensions.
7. **Ongoing Security Considerations**:
– Guardio researchers emphasize the need for browser vendors, including Opera, to consider the entire ecosystem and all potential attack vectors when evaluating security measures.
– There is a noted tension between maintaining functionality through APIs and ensuring robust security.
8. **Future Recommendations**:
– Continuous monitoring and improvement of security practices regarding the use of extensions and private APIs is crucial for protecting users.
These takeaways capture the essence of the meeting discussion surrounding the “CrossBarking” attack and its implications for browser security.