Chrome extensions have opened up a variety of opportunities for both users and developers, expanding the limits of what we have known as the browsing experience. Attackers have also noticed how widely such extensions are used, and abuse people's trust in the Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, sending cross-site Ajax requests that result in impersonation of users on third-party websites. Furthermore, detection of such a bot attack by the attacked server is more complex than in regular distributed attacks, since real humans actually use the Chrome tab that is abused to attack the victim. The lecture will include an overview of Chrome extension abilities, followed by techniques to abuse them in order to run bot attacks, as well as to distribute malicious extensions to large crowds of victims.