Chromium/Chrome Experiments in the wild


Richard

Jul 17, 2021, 6:13:40 AM7/17/21
to experimentation-dev
Hi Everyone

Shortly after Microsoft moved over to using the Chrome engine in Edge, my computers became a bit of a fun fair experience, just without the fun. The same had been happening to my mobile for a while beforehand, so the correlation of that change gave me a place to look.

I'm also seeking your input as subject experts because I can see things happening but need advice on how to pin it down, because this has had real world impact on me; in terms of my ability to access information and, worryingly, other people's ability to access my information.

I have a couple of questions (trying to validate the information I have and pinpoint when the attack happened);
1) For the Chrome (browser) extensions below, what appears when you search for them in the web store?
2) Have you ever heard of a group called "Google Creative 5"; a think tank employed by Google (or so the newsletter said)? I've been unable to find it in any searches since initially finding the application portal.
3) How does Chrome/Chromium use entity names, IDs, metadata and other file properties in deciding what to do with that entity? (see the IP lookup example below)
4) What controls would you recommend I put in place to ensure I can capture and submit this hack to the relevant authorities?
5) My Chrome version states "origin trial disabled" for secure payments, suggesting that origin trials are enabled elsewhere. Which flags is this referring to? (version at foot of message)

Details of the extensions:
When I reset my PC this time, I immediately installed chrome. It came with 4 extensions:
ghbmnnjooekpmoecnnnilnnbdlolhkhi - offline file editor from Google
felcaaldnbdncclmgdcncolpebgiejap - Google Docs
aohghmighlieiainnegkcijnfilokake - Google Sheets
aapocclcgogkmnckokdopfmhonfmgoek - Google Slides

All claiming to be by Google. I now get different results.

They all sounded very sensible, except that only the last three appeared as a Chrome extension in the web store. None could be exported (no manifest). I removed them. Now when I search, the app names bring up different results. What does it say for you?

Changes after disabling:
Once disabled, my debugger began bulk downloading script files from an IP address, 142.250.179.230:80. The important thing here is how IP lookup behaves:
WITH EXTENSIONS: My command prompt, lookup websites, and other tools (Fing for example) would resolve an IP address INCLUDING the port to a DIFFERENT server than the SAME IP address WITHOUT the port. You all know the port should never make a difference to the remote server location.
WITHOUT EXTENSIONS: All failing to resolve hosts when :port is included in the query (as expected).

Other main difference:
WITH EXTENSIONS: Websites such as Who.is (should be whois.net??) were functional.
WITHOUT EXTENSIONS: Site not found. Worryingly, it has started working again now.
WITH EXTENSIONS: My web/mail domain DNS looked fine.
WITHOUT EXTENSIONS: Showing serious errors, with implications for the data leaks I've been noticing.

The who.is site and the port-number IP lookup are working again now... sadly, meaning that whilst I was typing, it has been re-affected.

USE OF ENCODING IN THE ATTACK
If you want to see a fuller explanation of the impact on normal operations it can be seen here: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/compromise-from-the-first-moment-we-open-a-browser/m-p/2555765

So unless there's a compromised certificate in the factory install of Windows (which is possible!!), these extensions are my best lead. I also suspect a Chromium engine linked as the Google Mobile Services app, which suddenly reported "Chromium" as its version number on my phone... yes, mismatching information, field name, and field value data (quantity, type, use...) is the theme of the day.

I noticed that the ID of the extensions is base64-decodable.
Using UTF-8, line by line:
ghbmnnjooekpmoecnnnilnnbdlolhkhi - 1
felcaaldnbdncclmgdcncolpebgiejap - 2
aohghmighlieiainnegkcijnfilokake - 3
aapocclcgogkmnckokdopfmhonfmgoek - 4

The top line decoded into a string that, when pasted into Excel, merges all other strings after it into the same cell.
None of them can return to the original format after decoding and re-encoding, highlighting the abundance of control characters.

Decoding into Windows-1252 gave another effect: one extension split the line break, and a variety of reading reversals etc. meant that when processed as a block, much information became hidden. Line-by-line encode/decode again failed to get back to the original.

I'm concerned about this because something that can hide chunks of code in a given scope can easily be used to climb off the web page and into the URL, into the style sheets, into everything.... and once there, seemingly innocuous cookies suddenly become the worst thing to happen to personal security since .... well ever.

Chrome Version:
Google Chrome 91.0.4472.124 (Official Build) (64-bit) (cohort: Stable)
Revision 7345xxxxxxxxxxxxxxxxxxxxxb7d52649fe2ac38-refs/branch-heads/4472_114@{#6}
OS Windows 10 OS Version 2009 (Build 19043.1110)
JavaScript V8 9.1.269.36
User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Command Line "C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end --origin-trial-disabled-features=SecurePaymentConfirmation
Executable Path C:\Program Files\Google\Chrome\Application\chrome.exe
Profile Path C:\Users\RichardDrozda\AppData\Local\Google\Chrome\User Data\Default
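On question 3 (how Chromium treats extension IDs), the following is an added example written for this page, not code from the post or from the Chromium project. Chromium derives an extension's 32-character ID from the SHA-256 hash of the DER-encoded public key that ships in the manifest's base64 `key` field: the first 16 bytes of the hash are written in hexadecimal and each hex digit is shifted to the letters a-p (0 becomes a, f becomes p). An ID is therefore a hash fragment, and the defensive check a practitioner wants is to recompute it from the manifest key and compare it with the directory name or store listing. The manifest and key bytes below are constructed placeholders (labelled as such in the code); the four IDs in the list are the ones quoted in the post.

```python
import base64
import hashlib
import json
import string

HEX_DIGITS = string.hexdigits[:16]          # "0123456789abcdef"
AP_ALPHABET = "abcdefghijklmnop"            # Chromium's hex-to-letter alphabet
_HEX_TO_AP = str.maketrans(HEX_DIGITS, AP_ALPHABET)
_AP_TO_HEX = str.maketrans(AP_ALPHABET, HEX_DIGITS)


def extension_id_from_key(der_public_key: bytes) -> str:
    """Chromium scheme: first 128 bits of SHA-256(DER public key), hex digits mapped to a-p."""
    digest_hex = hashlib.sha256(der_public_key).hexdigest()
    return digest_hex[:32].translate(_HEX_TO_AP)


def extension_id_from_manifest_key(key_b64: str) -> str:
    """The manifest 'key' field is the DER public key in base64."""
    return extension_id_from_key(base64.b64decode(key_b64))


def is_well_formed_id(ext_id: str) -> bool:
    """A valid ID is exactly 32 characters drawn only from a-p."""
    return len(ext_id) == 32 and all(c in AP_ALPHABET for c in ext_id)


def id_to_hash_prefix_hex(ext_id: str) -> str:
    """Undo the a-p alphabet to recover the 128-bit SHA-256 prefix as hex."""
    return ext_id.translate(_AP_TO_HEX)


def verify_manifest(manifest_json: str, claimed_id: str) -> bool:
    """True only if the manifest carries a key whose derived ID equals claimed_id.

    An unpacked extension without a pinned 'key' gets a path-derived ID, which
    cannot be tied to a publisher key; treat that as unverifiable (False).
    """
    manifest = json.loads(manifest_json)
    key_b64 = manifest.get("key")
    if not isinstance(key_b64, str) or not key_b64:
        return False
    return extension_id_from_manifest_key(key_b64) == claimed_id


# The four IDs quoted in the post above.
POSTED_IDS = [
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi",
    "felcaaldnbdncclmgdcncolpebgiejap",
    "aohghmighlieiainnegkcijnfilokake",
    "aapocclcgogkmnckokdopfmhonfmgoek",
]

# Constructed placeholder for a DER-encoded public key (not a real key).
CONSTRUCTED_DER_KEY = b"\x30\x82\x01\x22-constructed-placeholder-public-key-bytes"
CONSTRUCTED_KEY_B64 = base64.b64encode(CONSTRUCTED_DER_KEY).decode("ascii")
CONSTRUCTED_ID = extension_id_from_key(CONSTRUCTED_DER_KEY)

# Constructed manifest fragment carrying that key.
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Extension (constructed)",
    "version": "1.0",
    "key": CONSTRUCTED_KEY_B64,
})


def check_posted_ids() -> dict:
    """Structural check plus the recovered SHA-256 prefix for each posted ID."""
    return {i: (is_well_formed_id(i), id_to_hash_prefix_hex(i)) for i in POSTED_IDS}


if __name__ == "__main__":
    for ext_id, (ok, prefix) in check_posted_ids().items():
        print(f"{ext_id}  well-formed={ok}  sha256-prefix={prefix}")
    print("constructed manifest verifies:", verify_manifest(CONSTRUCTED_MANIFEST, CONSTRUCTED_ID))
```

To use this on a real install, read `manifest.json` from the extension's directory under the profile path shown in the post (`...\Extensions\<id>\<version>\`) and pass its contents together with the `<id>` directory name to `verify_manifest`; a mismatch or a missing `key` is the thing worth escalating. Keep in mind that the a-p mapping is an encoding of hash output, so decoding an ID as base64 or as Windows-1252 text produces bytes with no intended meaning.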
