What are Malicious Browser Extensions?

Posted by Rob Schnetzer on Tue, Mar, 31, 2020 @ 14:03 PM


Browser extensions can be super useful, but there are a few you should avoid. Yes, unfortunately, malicious browser extensions are a thing.

An extension is an add-on program for a web browser that offers you further customization and control of your web browsing experience. These days there's an extension for everything (you literally have thousands to choose from). Some are simple and handy, like one that lets you adjust the appearance of your browser for less strain on the eyes. The password management site LastPass, for example, offers a free extension that brings the site's functionality right to your browser's toolbar. Handy tools like these can revolutionize the way you interact with the web, and ultimately make browsing a more pleasant and productive experience.

 

That said, there are bad actors who create browser extensions with much more nefarious purposes. Correctly configured, a malicious browser extension can collect and relay all sorts of private data from your machine. Now if you're thinking, "yeah, but I'm safe because I get all my extensions from reputable sources like Google's Chrome Web Store", then you're in for a shock. Google does not perform a security check on extensions uploaded to its marketplace. As you might imagine, this makes it extremely easy to publish malicious extension code to the public platform, making it freely available to millions of users. This is not to label all extensions as untrustworthy; just confirm you know the extension's source before you install.

 

Many of the ‘bad applets’ that are uploaded to the extension stores aren’t discovered to be malicious until they’ve had thousands of downloads and, in some cases, more. Here’s another grim reality: even if the extension is a legitimate program initially, it can be updated to become malicious. This can happen for many different reasons. A well-known browser extension can be acquired by a company or be abandoned by its creator entirely. In some cases, it can even be hijacked. But no matter the reason, once you’ve given the extension permission to be on your browser, it can be updated at any time and change functions to become malicious without your knowledge or consent.
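
One way to watch for the update risk described above is to compare the manifest of the version you installed with the manifest of the updated version and list what the update newly requests; this is an added example, not code from the original post. The high-risk shortlist and both manifests are constructed for illustration, and the check cannot catch an update that turns malicious while keeping the same permissions.

```python
# Constructed shortlist of permissions that expose browsing data or
# control over other extensions; not an official ranking.
HIGH_RISK = {"tabs", "webRequest", "cookies", "history", "management",
             "proxy", "debugger", "nativeMessaging", "clipboardRead"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def granted(manifest):
    """Return (api_permissions, host_patterns) requested by a manifest dict."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 key
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    # Manifest V2 lists host patterns inside "permissions"; split them out.
    mixed = {p for p in perms if "://" in p or p == "<all_urls>"}
    return perms - mixed, hosts | mixed


def diff_update(old, new):
    """List what an update adds compared with the installed version."""
    old_api, old_hosts = granted(old)
    new_api, new_hosts = granted(new)
    findings = []
    for p in sorted(new_api - old_api):
        level = "HIGH" if p in HIGH_RISK else "info"
        findings.append((level, "permission", p))
    for h in sorted(new_hosts - old_hosts):
        level = "HIGH" if h in BROAD_HOSTS else "info"
        findings.append((level, "host", h))
    return findings


# Constructed manifests: a theme helper before and after an update.
OLD = {"manifest_version": 3, "name": "Example Theme Helper", "version": "1.4.0",
       "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}
NEW = {"manifest_version": 3, "name": "Example Theme Helper", "version": "1.5.0",
       "permissions": ["storage", "tabs", "webRequest", "alarms"],
       "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for level, kind, value in diff_update(OLD, NEW):
        print(f"[{level}] update adds {kind}: {value}")
```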

 

In 2017, the extension for a Google Chrome web developer tool was hijacked for only 5-6 hours, and during that time malicious code was injected that displayed adware in the users’ browsers. If the group responsible for the hijack hadn’t been interested in a quick payday, they could just as easily have spread ransomware or another program designed to collect data without the knowledge of the affected browser users. And this isn’t an isolated incident. In February of 2020, researchers found 500 different browser extensions that were uploading private browsing data to servers and redirecting users to malicious websites laced with viruses.

 

Since then, Google has instituted several new rules that beef up the privacy policy guidelines for submitting browser extensions, along with a bounty program that pays out for finding extensions that violate those policies. But that doesn’t change the fact that Google still relies heavily on users and developers of legitimate apps to blow the whistle on these corrupt extensions. The added security doesn’t make the practice any less lucrative.

 

If you do find yourself wanting to download the latest browser extension, here’s what we suggest:

  1. Try downloading it directly off the developer’s website, instead of the app store.

  2. If you do have to download it from the app store, read the reviews and make sure you’ve got the right app, as many of the spoofed apps carry names and icons similar to the original versions.

  3. If you do get an app that doesn’t seem to do what it’s supposed to do, uninstall it from your browser ASAP, then report it to the app store.

  4. Don’t avoid updates to your browser, as many of the known exploits that give these extensions their power end up being patched after the creator of the browser finds out about them.

 
