The not-so-dirty secret about web browsers is that browser extensions can be a major security weakness. We last wrote about this issue with malicious extensions in December. But the problem with extensions deserves further treatment, especially as they can combine some very clever supply chain and obfuscation methods to make these kinds of attacks harder to detect and defend against.
These extensions are powerful tools: they have the same ability as your user account to obtain read/write access to any data in any browsing session you bring up, which makes exploiting them a big issue. Many extensions don’t require any special permissions to run on your computer or phone.
Some of us just install extensions in the heat of the moment — we come across a web page that requests “for better viewing, install this extension.” That isn’t generally a good idea — instead of clicking on the install link, take a moment to think about what you're doing and see if you can get by without the extension.
How can browser extensions be exploited?
The supply chain issue is a big one. While the SolarWinds supply chain attack has recently gotten a lot of attention (including from President Biden), there are other ways to infiltrate apps.
This month, security researcher Brian Krebs wrote about outdated browser extensions that have been compromised by cybercriminals. They use unused or abandoned extensions as malware spreaders by installing special backdoors in the extensions’ code. These criminals purchase the rights to the extensions or negotiate with the legitimate developer to add their own code to them. In his post, Krebs describes the economics behind one common extension that is used by developers to test their apps and shows that there are many popular extensions which haven’t been updated in years.
Avast’s own Threat Labs published research last December that goes into further detail about the mechanics of the obfuscation employed by malicious extensions. They tracked an extension called CacheFlow which piggybacks on top of Google Analytics traffic to hide its network operations in this stream. It has the added benefit of providing detailed usage analytics information to the attackers.
Google has long recognized this threat vector, and several years ago, it began to limit the way extensions get installed by users. This “inline installation” (in other words, installing an extension from any website other than the store) has been blocked since 2018. The only legitimate way to obtain extensions is from the Chrome Web Store. On their storefront, Google automatically monitors the extensions, pushes the latest updates automatically, or removes the extension when researchers find out it has been compromised.
Ensure the safety of your extensions
Another way to fight back is by using Avast Secure Browser. It is based on the Chrome code and is available for Windows, Mac, Android and iOS devices. It comes with a special extensions guard setting which blocks new extensions from being installed.
You can check and see what extensions you're currently using by clicking on the three-dot menu in the top right corner of your browser, selecting 'More Tools' and then 'Extensions'. Turn on Developer Mode to see which ones you have installed, and examine the details about each one’s provenance. Then, you can decide whether you should restrict the extension to a specific website or eliminate any of them that you don’t immediately recognize.
Additionally, going forward, you “should be extremely cautious about installing extensions — sticking mainly to those that are actively supported,” as Krebs wrote in his aforementioned post. “And, do not agree to update an extension if it suddenly requests more permissions than a previous version. This should be a giant red flag.”
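As an added example (not part of the Avast post or of any Avast product), here is a Python script that performs the same audit offline against a Chrome profile's Extensions folder: for each extension it reads the latest installed manifest, lists broad host and sensitive API permissions, and diffs them against the previously installed version to surface exactly the kind of permission jump Krebs warns about. The profile path, the sample manifests and the "risky" permission lists are assumptions of the example.

```python
import json
import sys
from pathlib import Path

# Host patterns and APIs that give an extension read/write reach into every
# site or into sensitive browser state; their appearance is worth a closer look.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "webRequest", "webRequestBlocking", "cookies",
                  "history", "nativeMessaging", "debugger", "proxy"}

# Constructed sample manifests (hypothetical extension, not a real listing):
# version 2.0 suddenly asks for cookies and every site, as the post warns about.
SAMPLE_OLD = {"manifest_version": 3, "name": "Demo Reader", "version": "1.4",
              "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}
SAMPLE_NEW = {"manifest_version": 3, "name": "Demo Reader", "version": "2.0",
              "permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"]}

def permission_set(manifest: dict) -> set:
    """Everything an MV2 or MV3 manifest asks for: API, host and content-script reach."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms

def risky_permissions(manifest: dict) -> set:
    return permission_set(manifest) & (BROAD_HOSTS | SENSITIVE_APIS)

def permission_escalation(old_manifest: dict, new_manifest: dict) -> set:
    """Permissions the newer version requests that the older one did not."""
    return permission_set(new_manifest) - permission_set(old_manifest)

def version_key(dirname: str) -> tuple:
    # Chrome names version folders like "2.1.0_0"; sort on the numeric part.
    return tuple(int(p) for p in dirname.split("_")[0].split(".") if p.isdigit())

def audit_extension(ext_dir: Path) -> dict:
    """Latest manifest of <profile>/Extensions/<id> plus permissions gained since the prior version."""
    versions = sorted((d for d in ext_dir.iterdir() if (d / "manifest.json").is_file()),
                      key=lambda d: version_key(d.name))
    manifests = [json.loads((v / "manifest.json").read_text("utf-8-sig")) for v in versions[-2:]]
    latest = manifests[-1] if manifests else {}
    added = permission_escalation(manifests[0], latest) if len(manifests) == 2 else set()
    return {"id": ext_dir.name, "name": latest.get("name"), "version": latest.get("version"),
            "risky": sorted(risky_permissions(latest)), "added": sorted(added)}

if __name__ == "__main__":
    # Usage: python audit_extensions.py "<path to Chrome profile>/Extensions"
    for ext in sorted(p for p in Path(sys.argv[1]).iterdir() if p.is_dir()):
        print(json.dumps(audit_extension(ext)))
```

Chrome only keeps the previous version folder until cleanup runs, so a non-empty "added" list is a snapshot to act on promptly, and a localized name will appear as a `__MSG_...__` key rather than readable text.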