Revealing an Army of Malicious Browser Extensions

December 06, 2023 | The Hacker News | Browser Security / Privacy

Browser compromise is a high-return target for adversaries. Browser extensions, small software modules added to the browser to enhance the browsing experience, have become a popular browser attack vector: they are widely adopted by users, and an extension can easily turn malicious, either through its developer's own actions or through an attack on a legitimate extension.

Recent incidents such as DataSpii and the Nigelthorn malware attack show the extent of the damage malicious extensions can inflict. In both cases, users unwittingly installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions: these permissions are often excessive and coarse-grained, and attackers abuse them.

What can organizations do to protect themselves from the dangers of browser extensions without banning them outright (a measure that is almost impossible to enforce)?

A new LayerX report, “Malicious Browser Extension Threat Revealed” (download here), provides deep insight into the malicious browser extensions threat landscape, while offering recommendations for mitigation.

The report dissects the domain of malicious extensions, focusing on several key aspects:

  • Types of malicious extensions
  • Installation – How malicious extensions gain access to users’ browsers
  • What are the signs of potentially harmful extensions
  • Critical permissions that can be misused by malicious extensions
  • The browser extension attack vector
  • Mitigation methods

Let’s take a look at some of the key findings from the report. The full report can be found here.

The 3 Types of Malicious Extensions

Malicious extensions can be categorized into three main groups:

1. Initially Malicious Extensions – Extensions intentionally created by malicious actors to cause harm. They can be uploaded to web stores or hosted on the attacker’s own infrastructure.

2. Compromised Extensions – Initially legitimate extensions that adversaries either buy outright from the original developer or compromise, and then repurpose for malicious activity.

3. Dangerous Extensions – Legitimate extensions that were not created with malicious intent but request so many permissions that they become a security risk.

How and Why Browser Extensions Are Installed

Malicious extensions can infiltrate a victim’s browser through a variety of methods, each with its own set of security considerations:

1. Admin Installation – Extensions distributed centrally by network administrators, usually with explicit organizational approval.

The critical security question here is whether these extensions really need to be present inside the corporate network and whether they pose any security risk. Each such extension should be evaluated for necessity and for its potential impact on network security.

2. Normal Installation – Extensions that users download from official browser stores by visiting the extension’s listing. This approach lets users make independent choices about which extensions to install.

While it offers flexibility, this approach raises the question of the risks that come with employees’ choices. Evaluating the popularity and security of these employee-installed extensions is important to maintaining a safe browsing environment.

3. Developer Installation – Extensions loaded unpacked from employees’ local computers (developer mode). Because these extensions originate on employees’ workstations, they bypass the usual vetting process for installed software.

The security implications of allowing employees to load unpacked extension files directly from their machines should be reviewed to prevent potential risks.

4. Sideload Installation – Extensions installed by third-party applications, such as Adobe products or other software providers. Unfortunately, this is the least secure option, since adversaries can easily exploit it to install malicious extensions without the user’s knowledge.

Evaluating how these applications interact with browsers, and which access and permissions they grant to extensions, is essential to reducing security risk.

LayerX identifies the following distribution of installation types based on its user data (the report’s figure is not reproduced here). The majority, 81% of extensions, are installed by users themselves from official browser stores.
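The four installation types above are the same buckets Chrome's management API reports as installType (admin, normal, development, sideload), which Chrome derives from the numeric location code it records for each extension in the profile's Preferences and Secure Preferences files. The script below is an added example, not code from the LayerX report or from The Hacker News: it parses that JSON, classifies each extension into the article's four buckets, and flags extensions that are sideloaded or loaded unpacked, not from the Chrome Web Store, or granted high-risk APIs or all-site host access. Assumptions: the Manifest::Location numbering and the granted_permissions layout are taken from the Chromium source and should be verified against your browser version; the sample profile data, extension IDs and names, and the HIGH_RISK_API list are constructed for illustration and are not from the report.

```python
"""Classify Chrome extensions by install type and flag risky grants.

Added example, not from the LayerX report. Reads the extensions.settings map
Chrome keeps in <profile>/Preferences and <profile>/Secure Preferences.
Location codes follow Chromium's Manifest::Location enum and bucket names
follow the management API's installType (assumed; verify for your version).
"""
import json
from pathlib import Path

# Chromium Manifest::Location values (assumed from extensions/common/manifest.h).
INTERNAL, EXTERNAL_PREF, EXTERNAL_REGISTRY, UNPACKED, COMPONENT = 1, 2, 3, 4, 5
EXTERNAL_PREF_DOWNLOAD, EXTERNAL_POLICY_DOWNLOAD, COMMAND_LINE = 6, 7, 8
EXTERNAL_POLICY, EXTERNAL_COMPONENT = 9, 10

# APIs and host patterns that let an extension read or rewrite everything the
# user does in the browser (illustrative list, not taken from the report).
HIGH_RISK_API = {"webRequest", "webRequestBlocking", "cookies", "debugger",
                 "nativeMessaging", "proxy", "history", "management",
                 "scripting", "clipboardRead"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def install_type(location):
    """Map a Manifest::Location code to the article's four install types."""
    if location in (EXTERNAL_POLICY, EXTERNAL_POLICY_DOWNLOAD):
        return "admin"          # pushed by enterprise policy
    if location in (UNPACKED, COMMAND_LINE):
        return "development"    # loaded unpacked / --load-extension
    if location in (EXTERNAL_PREF, EXTERNAL_REGISTRY,
                    EXTERNAL_PREF_DOWNLOAD, EXTERNAL_COMPONENT):
        return "sideload"       # dropped in by another application
    if location == INTERNAL:
        return "normal"         # user installed it from the store listing
    return "other"              # COMPONENT (built into Chrome) or unknown


def assess(ext_id, entry):
    """Summarise one extensions.settings entry and list why it is risky."""
    granted = entry.get("granted_permissions", {})
    apis = set(granted.get("api", []))
    hosts = set(granted.get("explicit_host", [])) | set(granted.get("scriptable_host", []))
    itype = install_type(entry.get("location"))
    reasons = []
    if itype in ("sideload", "development"):
        reasons.append(f"install type '{itype}' bypasses store vetting")
    if itype != "admin" and not entry.get("from_webstore", False):
        reasons.append("not from the Chrome Web Store")
    if apis & HIGH_RISK_API:
        reasons.append("high-risk APIs: " + ", ".join(sorted(apis & HIGH_RISK_API)))
    if hosts & BROAD_HOSTS:
        reasons.append("access to all sites")
    return {"id": ext_id, "name": entry.get("manifest", {}).get("name", "?"),
            "install_type": itype, "risky": bool(reasons), "reasons": reasons}


def scan(prefs_text):
    """Assess every extension recorded in one Preferences-style JSON document."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    return [assess(ext_id, entry) for ext_id, entry in settings.items()]


def scan_profile(profile_dir):
    """Scan a real profile directory; which file holds the map varies by platform."""
    results = []
    for name in ("Secure Preferences", "Preferences"):
        path = Path(profile_dir) / name
        if path.is_file():
            results += scan(path.read_text(encoding="utf-8"))
    return results


def share(results):
    """Percentage of extensions per install type (the report's 81%-style breakdown)."""
    counts = {}
    for r in results:
        counts[r["install_type"]] = counts.get(r["install_type"], 0) + 1
    return {k: round(100 * v / len(results)) for k, v in counts.items()}


# Constructed sample profile: IDs, names and grants are made up for this example.
ID_STORE, ID_SIDELOAD, ID_ADMIN, ID_DEV = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    ID_STORE: {"location": INTERNAL, "from_webstore": True,
               "manifest": {"name": "Tab Notes"},
               "granted_permissions": {"api": ["storage", "tabs"],
                                       "explicit_host": ["https://notes.example/*"]}},
    ID_SIDELOAD: {"location": EXTERNAL_REGISTRY, "from_webstore": False,
                  "manifest": {"name": "Free PDF Helper"},
                  "granted_permissions": {"api": ["webRequest", "cookies", "storage"],
                                          "explicit_host": ["<all_urls>"],
                                          "scriptable_host": ["<all_urls>"]}},
    ID_ADMIN: {"location": EXTERNAL_POLICY, "from_webstore": True,
               "manifest": {"name": "Corp SSO Helper"},
               "granted_permissions": {"api": ["storage"],
                                       "explicit_host": ["https://*.corp.example/*"]}},
    ID_DEV: {"location": UNPACKED, "from_webstore": False,
             "manifest": {"name": "dev-build"},
             "granted_permissions": {"api": ["scripting"],
                                     "scriptable_host": ["*://*/*"]}},
}}})

if __name__ == "__main__":
    found = scan(SAMPLE_PREFS)
    for r in found:
        flag = "RISKY" if r["risky"] else "ok   "
        print(f"{flag} {r['install_type']:<12}{r['name']:<18}{'; '.join(r['reasons'])}")
    print("install-type share:", share(found))
```

Run scan_profile against a copy of the profile directory rather than the live one: Chrome protects Secure Preferences with MACs, so read it but never write it back. Admin-installed extensions are not flagged merely for being policy-pushed, but they still go through the same permission checks, which is the evaluation the section above asks for.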

Signs of Potentially Malicious Extensions

Because users so often download extensions themselves, it is important to be careful and to train employees to recognize which extensions are potentially harmful. Some of the main indicators include:

  • Address and Email – A developer contact address or email missing from the Chrome Web Store listing raises concerns about a lack of accountability. It is important to know who stands behind the extension.
  • Last Updated – The update frequency indicates potential security and compatibility risks. Outdated extensions may be more vulnerable to security threats and may not work properly with the latest browser versions.
  • Privacy Policy – The absence of a privacy policy in the Web Store listing may indicate problems with how the extension handles user data and privacy. Trusted extensions are transparent about their data practices.
  • Rating – User ratings provide insight into an extension’s overall quality and user satisfaction. Higher ratings usually indicate a safer and more reliable extension, though ratings can be bought or faked, so treat them as one signal among several.
  • Rating Users – The number of ratings also matters. More ratings usually mean a larger user base and a lower risk of encountering problems or security issues.
  • Support Site – A support site associated with the Web Store listing lets users seek help. Lack of support information can be a red flag.
  • Number of Users – Widely used extensions are generally safer options. A small user base may affect support and suggest lower reliability; note, however, that a large installed base is exactly what an adversary gains by buying or compromising a legitimate extension.
  • Website – An official website for the extension can provide additional information and resources. The lack of one can mean a lack of transparency or documentation.
  • Unofficial Stores – If an extension is not available in any official browser store (for example, the Chrome Web Store), it can be a potential risk. Official stores apply some level of vetting and security checks.
  • Unusual Installation Methods – Extensions that arrive through unusual installation methods such as sideloading or developer mode should be approached with caution. These methods can bypass security measures and increase the risk of malware.
  • Free Promotion – Extensions that are promoted and offered for free in a way that doesn’t make financial sense, such as paying for ads to push a free product, can be a sign of suspicious activity. Consider why an extension is offered for free and whether it has ulterior motives.

The report itself contains additional information that any security or IT professional should read, including the dangerous browser extension permissions to watch for, the browser extension attack vector, mitigation methods, and more. Cybersecurity is about identifying, adapting to, and responding to changing threats, and malicious browser extensions demand our attention today.

To read the full report, click here.
