The most popular internet browsers, Mozilla Firefox, Safari and Google Chrome, support third-party add-ons that extend the browser's capabilities, and these add-ons have become increasingly popular with users. Browser add-ons can block annoying advertisements, find online shopping coupons, manage credentials, improve writing and grammar, and much more. Most people wouldn't think twice about installing an add-on, since add-ons are typically downloaded from the browser's official add-on library or store, which gives the illusion that they are secure and trusted.
Back in May of this year it was discovered that seven malicious extensions for Google Chrome were responsible for infecting over 100,000 users in a short period of 2 months. These extensions hijacked computing resources to conduct cryptocurrency mining and stole data such as credit card numbers and credentials entered into the browser. It is a bit surprising that add-ons in the official browser store/gallery can be malicious and infect so many users before being caught and reported by a third-party team; however, a recent talk given at SecTor 2018, The Chrome Crusader, demonstrated just how invasive add-ons can be and how easy they are to make.
In as little as a few lines of code, an add-on can be created that makes your browser part of a botnet, steals credentials when you log into websites, and even strips security headers, leaving the browser vulnerable to common attacks like cross-site scripting.
How can you safeguard against malicious extensions?
Take matters into your own hands and restrict the installation of browser add-ons in your organization, either by preventing the installation of any add-ons or by creating a whitelist of approved add-ons after reviewing their permissions and their source. Google Chrome uses a High, Medium and Low risk rating to help you gauge the level of risk associated with an extension. This rating is based on what data the extension can access, such as location, browsing history, software installed on your computer and even credentials entered into websites.
Keep your browsers up to date.
Chrome has taken several steps this year to prevent malicious extensions by banning cryptocurrency mining scripts and disabling inline installation of extensions. Google recently announced major security changes to the browser and the way extensions work. These changes include:
- Creating granular blacklists and whitelists of websites that each extension can access; this can help prevent extensions with high-risk permissions from accessing sensitive data on specific websites.
- Code obfuscation is banned, which makes it easier for Google to analyze and detect malicious code.
- 2-factor authentication is mandated for developers. This is Google's response to extensions being hijacked through compromised developer accounts.
- A stricter review and approval process for extensions and permissions.
- Changes to the extension development process that help improve security mechanisms for developers and users alike.
Mozilla Firefox has also recently updated its Add-on policy, which attempts to ensure that:
- Add-ons only function as described
- Developers must provide a non-obfuscated, human-readable version of the code for review
- The add-on only requires the permissions it needs to perform its described functions
- Strict monetization guidelines prevent crypto mining and ad injection
Always be careful when downloading software; this includes browser extensions and mobile applications from official download stores. Be sure to review the permissions the application is requesting, weigh those permissions against the benefit to decide whether the trade-off is worth it, and verify that the developer can be trusted.
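The two defensive steps recommended above, reviewing an extension's requested permissions before approving it and then enforcing a whitelist so that only reviewed add-ons can be installed, can be turned into a small tool. The script below is an added example written for this post, not code from the original article or from Google or Mozilla. It reads an extension's manifest.json, sorts the requested permissions into a High/Medium/Low bucket modelled on Chrome's rating, and emits the Chrome `ExtensionSettings` managed policy that blocks every extension except the approved IDs. The permission names and the `ExtensionSettings` / `installation_mode` policy keys are real Chrome names; which bucket each permission lands in is this example's own judgement, and the manifests and the 32-character extension ID are constructed sample data.

```python
"""Added example: rate an extension manifest's permissions and build a Chrome
allowlist policy. Not the original post's code; buckets are our own choice."""
import json

# Real Chrome extension permission names. The grouping is this example's own
# approximation of the High/Medium/Low idea described in the post: anything
# that can read every page, intercept traffic or reach outside the browser is High.
HIGH = {"<all_urls>", "webRequest", "webRequestBlocking", "nativeMessaging",
        "debugger", "proxy", "management", "cookies", "history"}
MEDIUM = {"tabs", "clipboardRead", "geolocation", "downloads",
          "bookmarks", "webNavigation"}
# Anything else (e.g. "storage", "alarms", "activeTab") is treated as Low.


def host_is_broad(pattern: str) -> bool:
    """A host pattern matching every site lets the extension see whatever the
    user types into any page, including credentials."""
    return pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def rate_manifest(manifest: dict) -> dict:
    """Return the highest bucket hit and the permissions that triggered it.
    Manifest v2 puts host patterns in "permissions"; v3 uses "host_permissions"."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    high = sorted(p for p in perms if p in HIGH or host_is_broad(p))
    medium = sorted(p for p in perms if p in MEDIUM)
    level = "High" if high else "Medium" if medium else "Low"
    return {"name": manifest.get("name", "?"), "level": level,
            "high": high, "medium": medium}


def chrome_allowlist_policy(approved_ids: list) -> dict:
    """Build the ExtensionSettings policy value: block everything by default
    ("*") and allow only the reviewed IDs. Deploy it through your platform's
    managed-policy mechanism (registry, JSON policy file or MDM)."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id in approved_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


# Constructed sample manifests (not real extensions).
SAMPLE_COUPON = {
    "name": "Coupon Finder (constructed sample)",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "storage"],
}
SAMPLE_NOTES = {
    "name": "Quick Notes (constructed sample)",
    "manifest_version": 3,
    "permissions": ["activeTab", "storage"],
    "host_permissions": [],
}
# Placeholder ID in Chrome's 32-letter (a-p) format; it is not a real extension.
APPROVED_IDS = ["abcdefghijklmnopabcdefghijklmnop"]


def review_and_build(manifests: list, approved_ids: list):
    """Rate each manifest, then return the ratings and the allowlist policy."""
    ratings = [rate_manifest(m) for m in manifests]
    return ratings, chrome_allowlist_policy(approved_ids)


if __name__ == "__main__":
    ratings, policy = review_and_build([SAMPLE_COUPON, SAMPLE_NOTES], APPROVED_IDS)
    for r in ratings:
        print(f"{r['name']}: {r['level']} (high={r['high']}, medium={r['medium']})")
    # On Linux this JSON goes in a file under /etc/opt/chrome/policies/managed/.
    print(json.dumps(policy, indent=2))
```

The sample coupon extension is rated High because it asks for `<all_urls>` together with `webRequest`/`webRequestBlocking`, which is exactly the combination that lets an extension read or rewrite traffic for every site; the notes extension, limited to `activeTab` and `storage`, rates Low. Firefox's enterprise `policies.json` accepts the same `ExtensionSettings` shape (a `"*"` entry set to `"blocked"` plus per-ID `"allowed"` entries) under its top-level `"policies"` key, so the same review can feed both browsers.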