In 2019, a network of browser extensions, primarily for Chrome, was revealed to have been scraping sensitive data from as many as four million users. The scraped data included PII, browsing history, medical information, and more. The data was then monetized through a commercialization scheme. This breach became known as the DataSpii incident, and it shed light on the extent to which malicious browser extensions could compromise user privacy and corporate data security.
In the past years, the risk of malicious browser extensions has significantly grown. Malicious browser extensions can gather sensitive data, monitor online activities, inject unwanted advertisements, divert traffic to malicious sites, and even take control of a user’s browser. This jeopardizes users’ and organizations’ privacy, security, and overall online experience.
However, the traditional endpoint and network security stack is currently lacking when it comes to detecting and preventing malicious activities carried out through browser extensions. In this blog post, we will unveil how malicious extensions infiltrate devices and what companies can do to fortify their networks.
This blog post is based on the report “Unveiling the Threat of Malicious Browser Extensions”, which you can read in its entirety here.
Types of Malicious Extensions
Malicious extensions pose either an active or potential risk when installed on a browser. There are three types of malicious extensions:
- Initially malicious extension – An extension that was created by an adversary from scratch for a malicious purpose.
- Compromised extension – An initially legitimate extension that became owned by an adversary after directly purchasing the extension or compromising the extension’s developer account .
- Risky extension – A legitimate extension that has excessive permissions.
How Browser Extensions Get Installed
There are five methods in which a malicious extension gains residence on a victim’s browser:
- Admin – Extensions distributed centrally by network administrators within the company. These are extensions with explicit organizational approval.
- Normal – Extensions downloaded from official browser stores. Users install extensions by visiting an extension’s listing in the browser Web Store.
- Development – Extensions loaded from employees’ local computers.
- Sideload – Extensions installed by third-party applications, such as Adobe or other software providers.
- Software Update – Updating an extension that was compromised by an adversary after it was installed the first time and used for legitimate purposes.
Extensive Browser Extension Permissions
Browser extension permissions are the set of rules that dictate what actions an extension is allowed to perform within your browser. Permissions are requested and granted when users install an extension, and they can vary widely depending on the extension’s intended functionality.
Permissions are usually the cornerstone of extension-based cyberattacks. Once the extension is installed, the permissions can be used to carry out malicious operations.
Risky permissions include:
- Cookies
- Debugger
- webRequest
- <all_urls>
- Clipboard
- contentSettings
- desktopCaptureֿ\pageCapture
- History
- Privacy
- Proxy
- tabCapture
- https://*/*
For more details on how these permissions enable adversaries to infiltrate devices and access sensitive data, read the entire report.
How Malicious Browser Extensions Attack
Once installed and granted permissions, the extensions can continue to infiltrate the organization’s systems. The complete attack includes the following steps:
- The adversary creates the extension or purchases an existing one and adds malicious code to it.
- The extension is uploaded to a web store or to the adversary’s server.
- Users are lured to install the extension through social engineering or by sideloading the extension in the background.
- Once installed, the extension requests a range of permissions , such as access to the browsing history, personal data, and more.
- With permissions granted, the adversary can begin executing its malicious activities through the extension. For example, taking passwords, cookies, and certificates that are stored in the browser.
- Adversaries can blend in with existing traffic by communicating using the OSI application layer protocols.
- Adversaries can exfiltrate the data that’s captured or extracted by the extension by various channels. They often prefer using standard web protocols due to the common lack of outbound traffic inspection by firewalls/proxies.
- There are numerous ways a malicious extension-based attack can cause harm, depending on the intentions of its initiating threat actor. These include:
- Malicious access to organizational resources using the harvested credentials.
- Increasing organizations’ exposure to attacks by selling compromised data on the dark web.
- Targeted phishing attacks based on the users’ harvested data.
- Consuming computer power for crypto mining.
- Injecting adware and malvertising to redirect users to malicious websites.
Mitigation: What Can You Do?
Chrome doesn’t automatically uninstall extensions that were unpublished by their developers or that were taken down from the store, even if they are marked as malware. Instead, it’s the users’ responsibility to remove the extension. This makes it all the more important to implement advanced security controls and practices to protect the browser from malicious extensions in the first place.
Best practices include:
-
- Download from Trusted Sources: Only install extensions from official browser extension stores, such as the Chrome Web Store for Google Chrome or the Firefox Add-ons site for Mozilla Firefox.
- See when the Extension was Last Updated: Regular updates are often an indicator of a responsible developer who addresses vulnerabilities and ensures compatibility with the latest browser versions. Outdated extensions may lack critical security patches and may pose a greater risk of exploitation.
- Review the Privacy Practices Section and the Extension’s Website: Legitimate extensions typically provide clear and concise privacy policies detailing how user data is collected, used, and protected. Any lack of such information or vague policies can be red flags, suggesting potential misuse of user data.
- Research the Extension: Extensions with a high number of total downloads, positive reviews, and high ratings are more likely to be legitimate and safe to use. Be cautious of extensions with minimal user engagement, few reviews, or low ratings, as their reliability could be questionable.
- Check Permissions: Be wary if an extension requests unnecessary or excessive permissions that seem unrelated to its functionality.
- Use Security Software: Install reputable antivirus and anti-malware software that can help detect and prevent malicious extensions.
- Be Skeptical: If an extension’s offer seems too good to be true or claims to offer illegal content for free, it’s likely malicious.
- Regularly Review Extensions: Review the extensions you’ve installed and remove any that you no longer use or that you suspect might be malicious.
- Use a Browser Security Platform: A browser security platform like LayerX will scan your workforce’s browsers to discover installed malicious extensions that should be removed. In addition, it will analyze the behavior of existing browser extensions to prevent them from accessing sensitive browser data. Finally, the platform will block adversaries from gaining access to the wide range of credential data that’s stored in your browser, to prevent MFA bypass and potential account takeover
For more details on each mitigation strategy, read the entire report.
Your Next Steps
Malicious extensions are a growing concern for organizations, due to their widespread use albeit limited monitoring capabilities. Malicious browser extensions can harvest sensitive data and enable adversaries to infiltrate organizations, putting the entire organization at risk.
By practicing diligence and employing advanced security practices, the organization can protect itself from this popular attack vector. To try out LayerX, the browser security platform that goes beyond the existing stack and can identify and block malicious extensions’ activity, click here.