Web Developer for Chrome Malicious Code Injection and Ad Fraud Vulnerability

Vulnerability

A supply chain vulnerability was introduced in version 0.4.9 of the Web Developer for Chrome extension after the extension's developer account was compromised through a phishing attack. The malicious version contained code that generated a domain via a Domain Generation Algorithm (DGA) and fetched a remote script from it. Once loaded, this script could inject additional modules that performed extensive ad substitution and malvertising, displayed fake 'repair' alerts redirecting users to affiliate programs, and attempted to harvest credentials from users logged into certain services, including Cloudflare. The injected components could enumerate common banner sizes for ad substitution, replace third-party ad calls, and redirect traffic to affiliate landing pages. The vulnerability allowed user-level code execution in the browser context, facilitated large-scale ad fraud and traffic hijacking, enabled credential theft, and exposed users to additional malicious payloads. The issue was reported by the extension's maintainer on August 2, 2017, and was remediated in version 0.5.0.

Impact

The vulnerability led to unauthorized code execution within the browser, allowing the injection of scripts that could manipulate web page content, hijack advertising traffic, and replace legitimate ads with fraudulent ones. It also included a credential theft component, specifically targeting Cloudflare login information, which could be exploited for further malicious activities.

Reproduction

The vulnerability can be reproduced by installing the compromised version 0.4.9 of the Web Developer extension from the Chrome Web Store. Once installed, the extension will automatically execute the malicious code, which includes fetching and executing additional scripts from the actor's server.

Remediation

Users are advised to update to version 0.5.0 of the Web Developer for Chrome extension, which has been reviewed and is safe. Additionally, it is recommended to change passwords for any accounts logged into while the compromised version was active, particularly for Cloudflare accounts.
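To confirm which release is actually on disk before and after updating, the following added example (not code from the extension or its maintainer) audits a Chrome profile's Extensions directory. It assumes Chrome's usual layout of `<profile>/Extensions/<id>/<version>_N/manifest.json`; the extension ID is a placeholder because the advisory does not state it, and the profile built in `demo()` is constructed sample data.

```python
import json
import tempfile
from pathlib import Path

COMPROMISED = "0.4.9"      # malicious release named in the advisory
FIXED = (0, 5, 0, 0)       # first remediated release named in the advisory
# Placeholder: the advisory does not give the extension ID; supply the real one.
EXTENSION_ID = "REPLACE_WITH_EXTENSION_ID"


def parse_version(text):
    """Turn '0.4.9' into (0, 4, 9, 0); Chrome versions are 1-4 dotted integers."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def audit_profile(extensions_dir, extension_id=EXTENSION_ID):
    """Return [(version, status)] for every unpacked copy of the extension.

    The version is read from manifest.json rather than trusted from the
    directory name, and unparsable manifests are reported, not skipped.
    """
    findings = []
    for manifest in sorted(Path(extensions_dir, extension_id).glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            parsed = parse_version(version)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append((manifest.parent.name, "unreadable"))
            continue
        if version == COMPROMISED:
            status = "compromised"
        elif parsed < FIXED:
            status = "outdated"
        else:
            status = "ok"
        findings.append((version, status))
    return findings


def demo():
    """Audit a constructed profile holding 0.4.9 and 0.5.0 side by side."""
    with tempfile.TemporaryDirectory() as root:
        for version in ("0.4.9", "0.5.0"):
            folder = Path(root, EXTENSION_ID, version + "_0")
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps({"version": version}))
        return audit_profile(root)
```

A "compromised" finding means the profile ran 0.4.9 at some point, so the password changes recommended above apply even if 0.5.0 is also present.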

Added: Oct 8, 2025, 10:22 PM
Updated: Oct 8, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.