{"id":17502112,"url":"https://github.com/itstorque/cookie-hijacker-chrome","last_synced_at":"2025-06-29T06:08:04.145Z","repository":{"id":77107582,"uuid":"475665494","full_name":"itstorque/cookie-hijacker-chrome","owner":"itstorque","description":null,"archived":false,"fork":false,"pushed_at":"2022-05-18T19:25:03.000Z","size":200,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T19:27:33.847Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itstorque.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-30T00:37:56.000Z","updated_at":"2022-05-18T19:22:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"f4610d1c-bec3-4752-8bc0-1ea5a5b1497d","html_url":"https://github.com/itstorque/cookie-hijacker-chrome","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/itstorque/cookie-hijacker-chrome","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itstorque%2Fcookie-hijacker-chrome","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itstorque%2Fcookie-hijacker-chrome/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itstorque%2Fcookie-hijacker-chrome/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itstorque%2Fcookie-hijacker-chrome/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itstorque","download_url":"https://codeload.github.com/itstorque/cookie-hijacker-chrome/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itstorque%2Fcookie-hijacker-chrome/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262545037,"owners_count":23326660,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-19T20:38:20.794Z","updated_at":"2025-06-29T06:08:04.129Z","avatar_url":"https://github.com/itstorque.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cookie Hijacking Malicious Chrome Extension\n\nThis was developed as a proof of concept for stealing cookies through a malicious\nchrome extension. Goal is to at random intervals after rest, query all cookies\nand send them unsuspiciously to a separate server where cookies of multiple\nusers are installed.\n\nProof we can hijack user sessions and alter the effectiveness of 2FA apps. This\nextension uses strong permissions which should be seen as a red-flag when \ndownloading an extension - please get your chrome extensions from the official \ngoogle webstore and revise the permissions they require!\n\n[@tareqdandachi] developed the extension source and [@ashika-verma] developed the\nserver where scraped data is stored.\n\n## Potential ways of getting on the chrome store\n\nTo pass security checks from google chrome store [pass manual and automatic checks]:\n\n- minification\n- change variable names\n- make sure we follow legal instructions to not raise suspicion (no `eval()`, outside js scripts)\n- minimize number and sensitivity of permissions\n- hide sketchy services inside nice ones, i.e. bug report\n- idle time, make the extension not run for some time after installation, this will confuse scrapers\n- minimize number of requests we send through randomization and timing\n- ideally send requests when the user wants to send a request.\n- be very clear about what our app does (ofc skipping the malicioius part)\n- post a privacy policy\n- \"An extension must have a single purpose that is narrow and easy-to-understand\"\n\nSee [Deceptive Installation Tactics FAQ](https://developer.chrome.com/docs/webstore/deceptive_installation_tactics/) and [Developer Program Policies](https://developer.chrome.com/docs/webstore/program_policies/)\n\n#### Separately we need to look into compliant disclosure\n\n\u003e A disclosure must include two components, along with any additional information the developer considers necessary for the user.\n\u003e The fact that a user will be installing a Chrome browser extension.\n\u003e What the extension does. Content in both the marketing and installation flow of an extension must clearly outline both the principal and significant features of your extension. Burying this information in unrelated text is considered a violation of this policy.\n\u003e In addition to including these components, the disclosure must comply with the following:\n\u003e Disclosures must be in readable text and utilize contrast to ensure the disclosure is legible. Disclosures in an image or audio form must be accompanied by a text disclosure.\n\u003e The disclosure must be above and clearly associated with the first link or button that leads to the Chrome Web Store.\n\n## Extension Facade\n\nWe need to mask our extension with things that require access to cookies and send requests.\nIdeally it would require the same permissions if we were to engineer it that way. It would be\nnice if we can make the user interact and ask for requests from the server.\n\nPossible masking:\n- encrypter app for extra security (this is cool because the user will often send requests and we can mask our work with them)\n- memey canvas to lmod\n- cookie clearing\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitstorque%2Fcookie-hijacker-chrome","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitstorque%2Fcookie-hijacker-chrome","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitstorque%2Fcookie-hijacker-chrome/lists"}