Chromium, along with Internet Explorer, uses the system-wide proxy settings and certificate store, so an attacker could exploit this to pass all traffic from the Avast SafeZone or Bitdefender Safepay browsers through a proxy server he controls and perform man-in-the-middle interception using the new root CA certificate added to the system.
This attack would also bypass Chromium's public-key pinning protection, which is supposed to detect whether the public keys used for the certificates of some popular websites such as Gmail or Paypal have been changed by a man-in-the-middle attacker, Balazs said.
The user will not receive any certificate warnings inside the browser because Chromium allows user-installed root CAs to override pins, a design decision explained by Google software engineer Adam Langley in a May 2011 blog post.
Windows does show a security prompt when a new CA certificate is added to the certificate store, but the malware is able to automatically confirm the action, so the user doesn't have to click anything.
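The attack described above changes two things on the machine: the root certificate stores and the WinINET proxy settings that Chromium- and IE-based browsers honour. The following PowerShell audit, an added example that is not from the article or from any of the vendors mentioned, surfaces both; it assumes a PowerShell 3.0 or later session on the Windows machine being checked and uses a 90-day window as an arbitrary cutoff for "recently issued".

```powershell
# Added example (not from the article or any vendor): audit the Windows root stores
# and the per-user WinINET proxy settings, the two things the described attack changes.
# Assumes PowerShell 3.0+ on the machine being checked; the 90-day window is arbitrary.

$machineRoots = Get-ChildItem -Path Cert:\LocalMachine\Root
$userRoots    = Get-ChildItem -Path Cert:\CurrentUser\Root

# 1. Roots present only in the per-user store. The CurrentUser\Root view normally
#    mirrors the machine store, and code running without admin rights can only
#    write here, so anything unique to it deserves a look.
$userOnly = $userRoots | Where-Object { $_.Thumbprint -notin $machineRoots.Thumbprint }

# 2. Recently issued self-signed roots in either store. A CA generated for
#    interception has a NotBefore date near the infection time, unlike the
#    long-lived public roots shipped with Windows.
$recentCutoff = (Get-Date).AddDays(-90)
$recentRoots  = @($machineRoots) + @($userRoots) |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $recentCutoff } |
    Sort-Object -Property Thumbprint -Unique

# 3. WinINET proxy configuration for the current user, which Chromium-based and
#    IE-based browsers pick up as the system proxy.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey
$proxy   = [pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
}

Write-Host 'Roots present only in CurrentUser\Root:'
$userOnly    | Format-Table Thumbprint, Subject, NotBefore -AutoSize | Out-Host
Write-Host "Self-signed roots with NotBefore after $($recentCutoff.ToShortDateString()):"
$recentRoots | Format-Table Thumbprint, Subject, NotBefore -AutoSize | Out-Host
Write-Host 'WinINET proxy settings (HKCU):'
$proxy       | Format-List | Out-Host
```

Comparing the thumbprints against a known-good export taken from a clean build is the stronger check; the heuristics above only narrow down what to inspect.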
A Bitdefender spokesman said Wednesday that "Safepay is designed as an additional layer of security to protect sensitive activities such as online banking or shopping. Although it has strong self protect mechanisms, Safepay is not a replacement for an AV [antivirus] product nor is promoted as such."
The product performs a security assessment to identify active malware on the computer before the secure browsing session is initiated, but if malware previously infiltrated the system and installed a rogue root certificate there is a chance that the session could be compromised, the spokesman said. "Nevertheless, this scenario is plausible when users don't have an antivirus product installed."
"We have an ongoing project that aims to discover Safepay's vulnerabilities in different scenarios (system or third-party related) and develop solutions to minimize the risks of compromised user sessions," he said. "The assessment of installed certificates on the system is at the top of our list."
Avast did not immediately provide a statement regarding this attack method.
Some security products recommended by banks to their customers and designed to prevent malware-related financial fraud were also found to lack protection against malicious browser extensions. Balazs tested six such products from different vendors, but only one blocked browser extensions in his tests.
Since then, a few more have added protection for this type of threat, but they use different approaches, he said. Some block all extensions while others detect only malicious ones, he said.