HACKING Google Chrome extensions

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
all right what's popping my dudes my name is faris hijazi today i'm going to be talking about hacking again today um i'll be talking about hacking a chrome extension so there's a chrome extension i hacked let me talk about what chrome extensions are first i'm just going to give you an example first this is google chrome i have google chrome open and this is ublock origin this is one of the extensions where you can add it and then once you add it for example once you open youtube it'll block all the ads this is an ad blocker this is one type of extension the most popular type another thing is uh this extension which makes everything dark mode so let me type in something randomly and you see google is dark so that's what an extension is it's a small piece of software that runs on your browser and could modify your pages all right so there's this extension tabs order two let's add it to chrome this is the one i hacked because they are asking us to pay so let's notice thank you for choosing step serger two we hope you enjoyed there are some features which are premium so not all these features exist we disable this they want us to pay made with love not really they want us to pay okay so we have to enable this uh what this extension does is basically it's a tab manager for example these tabs it can merge so if you have a bunch of different windows so now this window is separate from this window so if you press merge all it's going to merge all of them this window is going to go back to this window i don't want to press merge all because i have a bunch of other stuff open um we can sort so let's sort current ah okay so this is not in the wait is it working sorry tabs anyways so it's not everything is free okay so let's close this let's go back let me now that i have the extension installed let's go here scroll all the way down and this is the extension tab sorter two so this is tap starter two if i open it not everything is available so i press something it says unlock premium unlock premium let's just see how much their they want us to pay four dollars five dollars per month unreasonable monthly payment to use these features unacceptable all right so i just i was like man i really want to see if i can hack this because i was pissed i was angry um so let's go and check remember the first step of hacking is that you want to use the software normally you want to see how it's normally supposed to be used so let's take a look at this so here i'll put a bunch of stuff so it wants me to put a credit card obviously um and let's go powered by extension pay i'm noticing down here powered by extension pay so apparently this is some website which manages the payments i'm guessing so let's click on it and see what it does monetize chrome extensions and save weeks of work so basically apparently this tool is some code that's ready and it's a service for the developer to manage the payment because the developer of this extension doesn't want to ma build the payment it's it's not easy to build a payment gateway it takes time save weeks cool so these guys are cool enough to make the service and all you have to do and here's how the developer of this extension so remember the developer of this extension is not the same developer as these guys these guys give a service to make the payment easy for this guy so let's look at these guys let's pretend we're the developer something something something let's just zoom in something something and then stuff stuff and then if user paid here you you will put your app you will unlock these pro features if it's paid else ask the user to pay open payment page which is what happened to us okay i see so somehow we need to convert this to a true we need this statement to be true we need paid not to be false but to be true do you guys notice anything interesting here i am i'm noticing this is javascript it says right here background.js for the extension so this is running on the extension your extension background.js now what's interesting why am i interested in javascript all of a sudden the reason is because javascript runs on our client it runs on our browser not on the server what does that mean let's discuss that a little bit so let's discuss server and client so when i type something something into my browser i'm typing into my client and then when i say enter it's gonna send a message to google so if i'm googling something like cute cats it's gonna send cute cats to the server hey can i please have the search results server is going to say here you go and it's going to send them to my browser and i'm going to see it so cute cats boom this is running in our browser now we can't it's not easy to hack a server and tell the server what to do we can only ask it to do stuff but on our browser we can modify stuff we can delete this is the code this is the page basically just like if on microsoft word we can delete stuff we can delete stuff on this page so let's just start deleting stuff not only can we delete stuff we can rename them um yeah i just typed this in so here's here's another way so you can go into people's twitter accounts and open and and modify what they're saying but this is not going to modify the actual tweet it's only gonna modify it on your browser now if you notice here as soon as i refresh everything's back to normal that's because i did not change it on the server and sometimes and that's it's hard so it's hard to change it on the server basically imagine if i have a paper and i photocopied this paper and gave it to you i gave you a photocopy can you modify this photocopy yes you can you can draw stuff on this photocopy but will my original change no that my original will not change and that's the same thing here now it's kind of interesting when you can change the page but what's really interesting is when the code is on your side and you can do whatever you want with the code so i hope that's clear uh one more example is that imagine you are on your bank page you're on your bank website and you start changing the page and you have you set one million in your bank account is that going to change how much money you actually have the answer is no because this is just a report and you're changing the report it's not going to change the actual account okay now that the idea is clear of server and client let's get back to this all right so here's the extension which is not successful uh sorry not uh hacked yet so somehow i need to access the code so if you notice with your right click inspect element this is actually the stuff see we can we can start modifying the actual extension itself we can start pressing delete see i just deleted the whole thing um so basically because the extension is running on our page see how i can delete stuff because it's running on our client our browser it is up to us to change the code okay now i can change it through here however it's much easier if i just download the entire code and i'll show you how in a moment okay we're back so i just quickly googled how do we get the code of these extensions how do we access the code and it turns out the code is available um so i could go and open the website and do stuff but i found that there's something easier there's another extension which helps us download code for other extensions so you download it now i downloaded it let's and then it tells us we have to go to the page itself and right click download crx for this extension basically this is a tool that helps us download the code for other extensions so let's close this and go back to tabs order two this is what we want to hack we want the code so we can start modifying it we want to change this page into true we need to set this to true so that we can get all the pro features just let's go right click download crx download zip and we'll say yes save so let's just go quickly navigate to my downloads and i notice here it is tap starter 2. so i'm going to unzip this and that's the files these are the files for the extension so here's what i'm gonna do i'm gonna uninstall the official extension remove from chrome okay now i don't have it anymore however there is a way since we have the code here we're going to load this code and run it nothing's going to happen because we didn't modify the code yet so what you do is you go to the extensions page this is all the extensions you go to developer mode enable it so you so it allows you to load files load unpacked extension and go to tab sorter to that's the extension folder and select notice it's as if we just installed it it opens this page it's it act it's acting exactly like we just installed it from the store itself so let me close this let me oh go here and i found tab sorter2 i'm just going to pin it up here so we can see it and it's the same but it does work it does have the features good we know we have it and now all we have to do is modify the code so let's go here and we these are the code files.js so all the dot js i'm not sure which one i have to modify so we can just open all of them but these are just text files so you edit and here it is code but if you notice this is really difficult to understand um and what are these the the developer actually on purpose changed all the names instead of user and client number account instead of all these meaningful names they replace them with single letters so that it will be hard for people like me to hack them but this is not going to stop me so i'm just going to right click and open you can open them with any editor like notepad but i like to use vs code so i'm just going to open it with vs code and what we want to search for is definitely the js files these are the javascript files which have the code the rest of the stuff this is not really code this um this is just configuration telling us the names but okay let's get back so let's go here and let's we want to control f search for paid we want to search for paid i'm noticing we're finding a few paid that's good but the nice thing is vs code has an option to search all the files instead of one file at a time so let's go to this icon search all files and i want to go not just i don't just want to go to paid so we notice it's user.paid so let me search for user.paid and i get extension pay user i'm getting one paid at i'm not getting paid so if you notice up here so i'm just going to zoom in paid at this is not what we're looking for if you remember remember all those ugly variable names a b c c and so probably user the name user has been removed so let me delete that oh and we have a bunch of extra options so it's you up here you can see that there's a u u dot paid so let's just go to every single one of these so i noticed we have u.paid and b.paid g dot page so we just go over here and replace it with true so we go to every single one and then b dot paid because i i saw this a moment ago and g dot paid replace it with true cool now let's open it nothing has happened that's because we have to go to the extensions and where are we it's uh oh the tab sorter okay this is the one that's active this is the one i'm working on i already hacked this one before so let's go to refresh open boom all the options are now available get pwned hacked this is basically all we did is we just downloaded the code modified some stuff and ran it but i'm going through the entire process um in the description i'll link any details i'll link all the code the github everything um but but yeah i hope the idea was clear all we did is i just took a look how is it working and it's using an if statement on our pc anytime you use something on the client's pc they can modify it um so yeah like he tried to make it to change all those variable names so to ugly stuff so we can't understand and that's true i can't understand but the paid is still there so all we have to do is change the page all right i need to go to sleep i hope you guys enjoyed this and please leave a comment let me know if anything was meaningful not meaningful anything was confusing was i too fast but yeah i hope you enjoyed adios
Info
Channel: Faris Hijazi
Views: 10,113
Rating: undefined out of 5
Keywords:
Id: N13a4mov3QQ
Channel Id: undefined
Length: 14min 20sec (860 seconds)
Published: Sun Aug 28 2022
Related Videos
Beware Malicious Chrome Extensions!
ThioJoe
90K
3 Super Useful Chrome Extensions
Beebom
620K
How to LEARN HACKING
cazz
906K
Hacker101 - JavaScript for Hackers (Created by @STOKfredrik)
HackerOne
884K
Best Google Chrome Extensions for Web Developers
Brainstorm Force
19K
9 Cool Chrome (And Firefox) Extensions - You NEED to Check Out!
ThioJoe
183K
Top 10 Browser Extensions for Hackers & OSINT Researchers [Tutorial]
Null Byte
363K
The best Hacking Courses & Certs (not all these)? Your roadmap to Pentester success.
David Bombal
212K
6 Mind-Blowing AI Tools for 2023! (don't fall behind)
Productive Dude
224K
5 BEST Google Chrome A.I. Extensions
Kevin Stratvert
89K
Scraping google images to google sheets
Faris Hijazi
1.2K
Kid CHANGES His GRADES By HACKING, He Lives To Regret It | Dhar Mann
Dhar Mann
11M
How To Hack Chrome Extensions
JerryHacks
3K
Access Location, Camera & Mic of any Device 🌎🎤📍📷
zSecurity
874K
Coding A Chrome Extension For Concerts #tech #technology
Tiff In Tech
95K
how to check for hackers attacking your computer?!
Loi Liang Yang
81K
How to start making Chrome Extensions - Content Scripts, Pop Out, New Tab & Background Page
Rusty Zone
18K
Top 10 Web Development Chrome Extensions You Simply Need to Try!
JavaScript Mastery
54K
10 Useful Chrome Extensions Everyone Should Know! 2023
Brett In Tech
79K
What's new in Chrome Extensions
Google Chrome Developers
4K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.