Today, web browsers use dynamic code, interact with users and participate in almost all activities performed on computers: from email to games.
Almost all popular browsers offer extensions that improve user experience in a variety of ways. However, they can be designed not only to block ads, manage passwords, change the appearance of web pages and improve performance, but also to carry out attacks.
A malicious extension is any browser extension that was deliberately written with code that causes unwanted behavior, or an extension whose code was compromised by an attacker. In other words, it is one of the ways to secretly track users and steal their data and actions.
Although malicious extensions are removed from the browser store as soon as they are discovered, they can still remain on the devices of the people who downloaded them.
Dangers of browser extensions
The web extension application programming interface (API) provides access to and control over user actions and data on all sites. This access is exercised directly through dedicated browser interfaces and indirectly through the ability to execute code in the context of web pages, configure browser parameters, etc.
To better understand why these permissions are needed and how they can be used, consider some of the most popular features that extensions offer:
Ad blocking – the most common feature among extensions. To detect and prevent advertising content, the extension needs to intercept and modify the user's web requests. The ability to change responses makes various attacks possible, such as disabling security headers (for example, CSP and HSTS), while access to requests reveals sensitive data.
Grammar and spell check – these extensions ask for permission to inject scripts that run in the context of web pages to analyze the user's text, usually to check input fields or register keystrokes. This makes it possible to effectively collect and delete any data on web pages, including passwords, as well as other account data. In addition, this permission opens the way to attacks on corporate organizations and theft of their assets, since scripts can programmatically perform any user action.
Support for file formats – some extensions allow you to open, modify, and convert certain types of files that are not supported by the browser. In some cases, they require access to user downloads to save modified or converted files. Attackers can use this API in several ways, such as placing arbitrary files on a user's computer and clearing their traces. There are also extensions that offer users full access to the file system, potentially compromising all saved files.
Password management – many security-conscious users use extensions to ease password-based authentication problems. Some of them provide the ability to copy and enter passwords, requiring permission to monitor and change the user's clipboard. In addition, they need access to a web page to check login forms and read/write user credentials, as well as to check web requests to identify login attempts. These permissions pose the same dangers as those described for ad blockers.
Other features require permissions that show more obvious risks:
- screen sharing and video conferencing extensions are free to capture the user's screen and sound;
- VPN extensions direct any part of user traffic through third-party proxy servers (sometimes over unencrypted channels), potentially stealing data or even bandwidth;
- privacy protection extensions sometimes require access to user cookies that may contain session IDs and other tokens that would otherwise be hidden from the JavaScript runtime.
How do malicious browser extensions work?
There are several ways to turn "healthy" browser extensions into malicious extensions. Sometimes extensions are hijacked by attackers. The next automatic update easily turns them into malware. In addition, the browser extension can be developed from the very beginning by people with malicious intent.
Some malicious browser extensions track the history of pages visited, gain access to the victim's camera and photos, collect personal information such as credentials and confidential data, or break into the victim's email. Others may contain malicious code that allows additional malware to be downloaded to the victim's device.
Individual extensions can manipulate the link that users follow, leading them to phishing sites and ads. In particular, victims are redirected to a hacked URL before being sent back to the website they intended to visit.
Protection against malicious extensions
To protect yourself from fraudulent browser extensions, take the same precautions as when installing third-party applications on your smartphone:
Use the official store. Although it doesn't guarantee full protection, an extension that isn't offered in the official store should immediately raise an alarm.
Check the extension publisher. If you are installing an extension that is said to be developed by a large company, make sure you are not installing an extension with a similar name created by an attacker. It is also worth remembering that each legitimate developer has its own website, where the extension is officially posted.
Check feedback and number of users. Scammers may try to use bots to give the extension positive ratings. Manually check the number of users and read the feedback to see if users are reporting any suspicious behavior. An extension from a large company should have a large number of users. If it has a small user base, the extension may be disguising itself as another extension.
Monitor the behavior of your browser. If your web browser suddenly displays a lot of ads, check which extensions are active. You can then deactivate them and activate them one at a time to identify the problematic extension.
Read the permissions carefully. If an extension asks for permissions that seem excessive, look again at its description to assess whether they match the functionality of the extension. For example, a screenshot extension should not require permissions to access a person's email.
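One way to make the permission review repeatable is to read the extension's manifest.json and flag the permissions tied to the risks described above. This is an added example, not code from the original article: `auditManifest`, `unexpectedItems` and the sample manifest are hypothetical, while the permission names are real WebExtension manifest permissions.

```javascript
// Real WebExtension permission names mapped to the risks described in this article.
const RISKY = new Map([
  ["webRequest", "observes web requests, which can reveal sensitive data"],
  ["webRequestBlocking", "modifies requests/responses, e.g. strips CSP or HSTS headers"],
  ["declarativeNetRequest", "blocks, redirects or rewrites requests and headers via rules"],
  ["scripting", "injects scripts into pages: reads inputs, acts as the user"],
  ["downloads", "writes files to disk and can erase download records"],
  ["clipboardRead", "reads the clipboard, including copied passwords"],
  ["clipboardWrite", "changes clipboard contents"],
  ["desktopCapture", "captures the screen and audio"],
  ["tabCapture", "captures tab video and audio"],
  ["proxy", "routes traffic through a third-party server"],
  ["cookies", "reads cookies, including HttpOnly session tokens"],
  ["history", "reads the history of visited pages"],
]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// `expected` lists what the reviewer thinks the advertised feature plausibly needs.
function auditManifest(manifest, expected = []) {
  const strings = (list) => (list || []).filter((x) => typeof x === "string");
  const perms = [...strings(manifest.permissions), ...strings(manifest.optional_permissions)];
  const hosts = [
    ...strings(manifest.host_permissions), // Manifest V3
    ...perms, // Manifest V2 keeps host patterns in "permissions"
    ...(manifest.content_scripts || []).flatMap((cs) => strings(cs.matches)),
  ].filter((h) => BROAD_HOSTS.has(h));
  const findings = [];
  for (const p of new Set(perms)) {
    if (RISKY.has(p)) findings.push({ item: p, risk: RISKY.get(p) });
  }
  for (const h of new Set(hosts)) {
    findings.push({ item: h, risk: "applies to every site the user visits" });
  }
  return findings.map((f) => ({ ...f, expected: expected.includes(f.item) }));
}

// Constructed sample: a "screenshot" extension asking for far more than it needs.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Screenshot Tool",
  permissions: ["activeTab", "tabCapture", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

function unexpectedItems(manifest, expected) {
  return auditManifest(manifest, expected).filter((f) => !f.expected).map((f) => f.item);
}

for (const f of auditManifest(SAMPLE_MANIFEST, ["tabCapture"])) {
  console.log(`${f.expected ? "expected  " : "UNEXPECTED"} ${f.item}: ${f.risk}`);
}
```

The risk table is a starting set rather than a complete list; extend it for the browsers and permissions relevant to your environment.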
Browser extensions simplify our lives, but not all of them are created equal, and some do more harm than good. Therefore, caution should be exercised when installing extensions.