Understand the Inherent Risk in Browser Extensions

Written by

Over the past three decades, businesses and personal consumers have entrenched themselves deeper into cloud solutions that are accessible through third-party applications. These tools enable organizations and individuals to access their personal and business information while ensuring that backups are stored safely offsite.

However, as the migration to cloud services has increased, so have the mechanisms which enable access to the stored data – and the affiliated vulnerabilities. This has resulted in browser application stores that contain well-intentioned, yet vulnerable, extensions, as well as purposefully developed malware.

One of the most recent examples of this type of vulnerability came when Google purged more than 80 malicious extensions from the Chrome web store, highlighting the inherent dangers of these always-on tools and their ability to exploit personal and organizational systems. The specific collection of Chrome extensions that were removed by Google were collectively known as Droidclub extensions.  

Users would download seemingly legitimate extensions from the Chrome web store – however, once installed, the extensions would sync with a command and control network and become part of a cryptocurrency mining botnet. Additionally, a web analytics library was injected into victims’ browsers and subverted to enable session replay attacks, which would allow for the theft of information such as site usernames and credit card information.

This created a scenario wherein the exploited end user would mine cryptocurrency for the attackers, while providing valuable personally identifiable information that can command high prices on the black market and darknet.

While extensions like the Droidclub suite are created to purposefully subvert the end user, other tools are provided to offer a genuine service. However, sometimes, due to either poor coding or product management, vulnerabilities are inherently resident in these extensions, exposing users to great risk.

Recently, the Grammarly extension garnered community attention for a vulnerability that exposed its authentication tokens to all websites that a user visited. As a result, any website could masquerade as a legitimate user, and gain access to affiliated documents, logs and data.

While this vulnerability held more devastating potential than the Droidclub suite, the difference lay in the intent of the creators.  Once informed of the issue, Grammarly immediately issued an update, protecting its users. Comparatively, the Droidclub creators developed the extensions with malicious intent.

Viewing the field and recognizing the threats, both intentional and otherwise, can cause legitimate concern for the average user, prompting them to wonder what they can do to protect themselves.

The answer may seem underwhelming, yet it is impactful – know the system. Users should never install any type of extension without conducting at least low-level research into the organization providing the capability. Is the company one they trust? Does it have a proven track record of protecting client information? These are questions worth considering before installing a browser extension.

Navigating extension stores can be difficult. Often the right browser extension can enhance corporate and customer access to data, creating efficiencies in both business operations and personal data access. Understanding the inherent risk and carefully researching extensions and their affiliated developers before installing them should become standard operating procedure for all users.

Through careful navigation of these tool offerings, individuals and businesses can better protect themselves from exploitation.

What’s hot on Infosecurity Magazine?