CursedChrome Turns Your Browser Into a Hacker's Proxy

Security researchers published a proof-of-concept Chrome extension that turns the browser into a proxy bot. That would allow hackers to operate on the web behind an infected user's identity.

The tool, named CursedChrome, was made by security researcher Matthew Bryant. It was released as an open-source project on GitHub. CursedChrome consists of two parts: a client-side component and a server-side component. The former is the Chrome extension; the latter is a control panel where all CursedChrome bots are linked.

Once the extension is installed on a browser, the attackers behind it can log into the control panel to establish a link with each infected CursedChrome host. What ties it all together is the connection between the control panel and the extension: a WebSocket connection that works like an HTTP reverse proxy.

The attacker can navigate the web using the infected browser, once they have control over a bot. Doing so allows them to hijack any logged-in sessions, identities, and more. They can use those to access intranets and enterprise apps.

CursedChrome-type projects are the perfect tool for threat actors.

The extension's release was met with discontent among the cybersecurity community, with many opinions leaning against it. Security researchers believe that releasing projects like CursedChrome only shows how low the bar can be for attackers to develop their own malicious versions of CursedChrome in the near future.

CursedChrome Was Made as a Pen-Tester Tool

An email interview with Matthew Bryant revealed that this outcome wasn't his intention. He left the code as open-source because he wanted other professional pen-testers and 'red teamers' to accurately simulate a malicious browser extension scenario. Red teamers are cybersecurity professionals who get paid to break into companies to test security measures. Their work helps companies fix holes in their defenses and keep attackers out of sensitive networks.

Bryant shared that open-sourcing tools is essential for red teams since it saves time for different companies. It helps them by ensuring they don't have to rewrite everything whenever they do a red team or a pentest. According to Bryant, CursedChrome is nothing an attacker can't build themselves, with the project using already existing technologies with no innovation brought into the mix. Bryant also shared that he has no fears that hackers may use his code. Using it in that manner requires the attackers to either host the extension in the Chrome store or have it installed through an enterprise policy in developer mode.

Bryant also mentioned that the first scenario wouldn't work, since the web store has a review pipeline. The second scenario requires the attacker to have access to a company's network already, he added. Bryant also noted he wanted to raise awareness of malicious Chrome extensions and the damage they can do.
