The Big, Bad, Cõc Cõc: Tales from a rather suspicious Vietnamese browser

Presented at ToorCamp 2018, June 23, 2018, 3:30 p.m. (20 minutes)

Pause for a second and consider the immense amount of incredibly sensitive personal data that flows through browsers. Sure we have things like the same origin policy that partitions browser data between different origins and helps protect us from malicious sites, but what about malicious browsers? In the modern era he who controls the browser is king, and if that party doesn't have your best interests in mind then there isn't much to be said about the sanctity of your data. Enter the Cõc Cõc browser. We stumbled upon this browser through some unrelated research and after a small amount of digging our spidey senses were tingling. In this brief talk we will cover some of the more salient points related to the security implications of using the Cõc Cõc browser that we found and the directions in which we'd like to dig deeper. While we don't make the claim that the browser is intentionally malicious, there are some oddities that deserve further analysis. Through this talk we aim to both answer the "why" behind some of these oddities and inspire other folks to dive in as well. For the uninitiated, this may be the first time you've ever heard of Cõc Cõc. We didn't have any idea of its existence until recently when we paid a "totally legitimate advertisement affiliate" to drive traffic to one of our IPv6 honeypots. As the firehose of "totally legitimate traffic" ran through our site we noticed a significant number of user agents sporting the coc_coc user agent string. From there we dove down a bit of a rabbit hole and learned quite a few things about this lesser-known browser: - The Cõc Cõc browser is mega cross-platform (even Windows phones!) - It's based off of a Chromium fork - The company behind Cõc Cõc was founded through a $100mm Russian investment - Instead of syncing your browser settings by logging in with Google you can log in with Facebook! - The browser reports ~50% market share in Vietnam - The browser has an embedded BitTorrent client (peer-to-peer communications, anyone?) - The browser has functionality that enables direct downloading of streamed media - Many of these browsers are providing "totally legitimate traffic" through "totally legitimate advertising affiliates" - Vietnamese media reports the Cõc Cõc organization as homegrown Vietnamese, whereas Russian media reports it as a Russian search engine If these things sound a bit off to you, then that makes three of us. Come join us for a quick adventure down Cõc Cõc lane!


  • Marc Newlin
    Marc is a red teamer by day, and SDR hacker by night, having disclosed wireless vulnerabilities to 21 vendors in the last two years. A glutton for challenging side projects, he competed solo in two DARPA challenges, although he never went to college. In 2013-14, Marc got into SDR by competing in the DARPA Spectrum Challenge, placing second in the preliminary tournament. In 2011, he wrote software to reassemble shredded documents, finishing the DARPA Shredder Challenge in third place out of 9000 teams.
  • lavalamp
    Chris Grayson (OSCE) is a security engineer at Snap, Inc. and the principal engineer at Web Sight. In these roles he conducts penetration tests, designs and implements distributed systems, and addresses security issues at scale. Chris is an avid computing enthusiast originally hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to joining Snap, Inc. Chris was a founder at Web Sight, a senior penetration tester at Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations Chris grew into both a breaker and a builder, becoming adept at compromising all manners of systems as well as designing and implementing mechanisms to protect them. Chris has spoken at numerous security conferences such as DEFCON, ToorCon, and HushCon, and attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and lead the Grey H@t student hacking organization.