Hacking & Chrome Security

Recently I had been hacked by a clever technique through Google Chrome permissions using OAuth. As a developer I am often adding browser extensions and addons to applications. This hack came through an app-permission; Mobile or not, I do not know.

When inside GMail at the bottom right footer you will see a Details link, this will popup and show you activity of where/when/how you were logged into your mail web sessions. This includes mobile. You’ll notice a Sign out all other Gmail web sessions button, that’s important to know.

Important: Always keep this on: “Show an alert for unusual activity. change”.

Multifactor Notifications

I noticed odd activity when my phone was asking for verification for several websites rapidly. These sites were only banking and money related. I knew this was abnormal, not a glitch across several systems.

While it was happening and I was trying to figure out what was going on, I message my friend in Hangouts: “Hey, I’m getting hacked right now”. He is not average Joe but a very smart with business and life in general, he also has a counter-intelligence background, could he help? I don’t know but he knows about everything under the sun it seems.

He replied, “No, it has to be a family member or someone you know. It’s impossible anyone gets hacked as much as you”. I would think the same thing because I had PayPal hacked two months prior and had told him about the incident.

The previous hack was from a fifteen (15) year old eBay account using a grandfathered password of only five lowercase letters. Such a password and simple login (being a short original name) is insanely insecure. It was only of value with PayPal re-linked to ihe account.

You should always use MFA (Multi-Factor Authentication) on every website that has it. I use MFA/2FA (Two-Factor Authentication), which is why I received alerts. This is no guarantee to be hack-proof but it adds an extremely difficult layer of protection to any account you have.

In this instance MFA protected one bank account. The other was validated through an “alternative” method: Email, which is allowed on some sites when you don’t have your device. The hacker was not a rookie because I saw no email about this request. They had made sure to first “Mark as Spam” and “Block Emails” (via filter) for every website he was attempting to obtain access to resulting in not seeing any other odd activity.

The Chrome Hack

The way this happened was through an OAuth granted permission to my GMail account, through some Addon Application but I couldn’t figure out which one. All I have is the OAuth URL, *.googleusercontent.com.

With an App trusted to access my account, they were able to become a user on Chrome from their location, Authenticate as me and and Sync my Chrome settings. What does Chrome store? A lot if you don’t change it, including passwords. Ouch. How do I know? The Detail activity list in GMail provided the hackers IP had first authenticated via Mobile, then with a Chrome Browser.

At this phase, he had likely had a bookmark bar with links to a few financial places and saved passwords. I don’t use Google Chrome as a primary Password manager since I use several browsers, but enough was saved. You can export passwords from Google Chrome, so to be safe I have to change credentials to hundreds of sites if this was done.

Important: Secure all of your data from being synced with a different password other than your Google account at the bottom of this page chrome://settings/syncSetup. Under Encryption options, select the second option to “Sync with your own Passprase”. It crucial that it is not the same as your Google Login.

Back in GMail the popup containing activity had shown me all (two different total) IP’s coming from United States (FL) where I live. It seemed normal, and I use a VPN often so I could have overlooked this but I double checked the IP that was not currently mine at the time.

Hacker Speaks Briefly

Within thirty (30) minutes the hacker was able to check 3 accounts, one being a gift-card account I had to cancel an order to. I’ve never seen this before, but I think the hacker had to be irritated or disappointed I had no money to take.

I was able to stop any further after 30 minutes.

Who Is this IP?

I ran a WHOIS on the IP, you can do this in a terminal with $ whois, but I used a website incase the attacker did not yet have my IP, also because if they were tracing a whole-lot, a WHOIS query from a general place is less suspicious. However, if they were under a Proxy or VPN it’s likely they weren’t watching this (Most of these are shared/leased, using his own would be very stupid). This was happening in real-time so I was cautious as I was hustling.

I saw the IP coming from a SPRINT connection in Orlando and I’m about forty-five minutes away. Now I immediately pushed Sign out all other Gmail web sessions, but not before the hacker spoke in my Hangouts.

The attacker was not really in Orlando using their real IP, they were more than likely using a SOCKS 5 proxy to co-locate, a VPN would also work but SOCKS 5 often has more locations. and keep my account from popping up a “Suspicious Activity Alert”.

I would highly recommend using MFA for everything possible. The most secure way is to receive a text message, if you are using VOIP such as Google Voice, make a second account and have texts sent to that one. This way, your one account is not an all in one vulnerability.

Published 22 Dec 2018

We are always students.