We’re witnessing the emergence of a new and significant front in cybercrime as web browsers become the front door to services and applications, particularly those delivered from cloud platforms.
To explore this, we should look at Google Chrome, the most popular browser on the market. Chrome’s architecture dominates the browser space: a legion of competitors such as Edge, Brave, Opera, and Vivaldi are built on Chromium, the open-source project behind Chrome, and so share its extension model. This ubiquity makes Chrome the natural subject for studying the browser extension threat landscape.
CRX gets nasty
The Chrome Web Store went live in 2010, enabling users to augment their browsers with first- and third-party extensions. By 2011, the service boasted over 200 million active users and 750 million extension downloads.
Chrome extensions, packaged as CRX files, were initially not policed with much care. A decade ago the browser was not as central to digital transactions, nor did it have easy access to local machine resources. The main worry in those early days was data leaking out of the browser, such as stolen login credentials; the extension itself was not widely seen as a threat. Today, that has changed tremendously.
As is often the case, cybercriminals saw great opportunity where others saw no significant threat. Malware-laced CRX files started appearing, helped by the fact that, at that stage, users could easily install unvetted third-party extensions from outside the store. Two examples from the early 2010s are “I Want This”, an extension that injected advertising into web pages, and Theola, which used its broad permissions to siphon usernames, passwords, and other data passing through the browser.
By 2014, Google had begun closing these loopholes: scanning extensions uploaded to the Chrome Web Store, prohibiting ‘silent install’ of extensions, restricting installs to extensions hosted in the store, forcibly disabling extensions not associated with the store, and retiring the antiquated Netscape Plug-in API (NPAPI). These steps worked: Google reported that roughly 10% of scanned extensions turned out to be malicious, and it saw a 75% reduction in customer requests regarding unwanted extensions.
This gatekeeping closed many avenues for would-be attackers, but when you shut a door, they try to climb over the wall. Browser extension security is better than it was, but it is far from where it needs to be, and given the growing significance of the browser in the cloud era, that gap is cause for concern.
Still a serious threat
Google’s efforts are commendable and have had a tangible impact on these threats. Yet, as we all know, cybercriminals can be very persistent and creative. That, coupled with the fact that browser extension security still does not attract the same urgency as other security concerns, has led to a Pandora’s Box of new threats and attack vectors.
Among the most common attacks is sneaking malware onto the Chrome Web Store itself. Malicious actors obfuscate the harmful code so that store scanning and reviewers miss it. The 2019 DataSpii incident is one example: the malicious code was spread across multiple Chrome and Firefox extensions hosted on their respective official stores.
A related tactic is to copy or buy a legitimate extension and then add malware to it. Both “Better History” and “Add To Feedly” were once legitimate, but they became dangerous to users after others took control of them. If the extent of these efforts isn’t impressive enough, in 2017 a large phishing campaign compromised numerous Chrome Web Store developer accounts, enabling the attackers to release malicious versions of popular extensions, which existing users received as routine updates. And as an added unwelcome surprise, some malicious extensions could interfere with Chrome’s own extension management, hiding themselves or other dangerous extensions from removal.
The cherry on top is how these attacks incorporate social engineering. Criminals call potential victims and talk them into installing a specific extension. In Brazil in 2017, the “Interface Online” trojan targeted financial managers this way: fake agents phoned them and convinced them it was a legitimate extension from their bank. The extension sat on the Chrome Web Store and looked entirely legitimate. It is clear evidence that attackers will exploit whatever window of opportunity they get before an extension is flagged as malicious.
Why are dangerous extensions still a challenge when Google is actively combating the problem? Antivirus software rarely scans extensions, and even reputable threat intelligence feeds carry scant data on these threats.
The Chrome Web Store is possibly the best source of information on what threats are out there, but because it purges harmful extensions once they are flagged, it limits what researchers can study after the fact. A different avenue is the mirror stores that clone the Chrome Web Store and tend not to remove flagged extensions, but those stores don’t record which extensions were flagged as dangerous or why. Suffice it to say, datasets on these threats are threadbare and riddled with inaccuracies.
Security vendors are starting to pay attention to this. We’ve made progress using deep learning to identify dangerous extensions, but many challenges remain, such as reliably de-obfuscating extension code, not to mention staying ahead of attackers who keep finding new ways to con users into installing bad extensions.
This situation calls for multiple interventions: policies to police extensions, user education about what to check before installing (the permissions requested and the download source), and improved detection. Browser extensions are creeping their way into being a favorite of malicious actors, and as our reliance on browsers grows, so will this threat.
Most of the above concerns Chrome, though Firefox and Safari also attract harmful extensions, and criminals use the same tactics on platforms such as Facebook Messenger to infect machines.
The good news is that malicious extension files appear to be relatively few compared with other kinds of malicious files. But this is a brewing storm, and one that can’t be left to the extension stores alone. Every security posture must account for the threats extensions can pose.
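To make the permission point concrete, here is an added triage script (not Google tooling and not from this article’s author) that unpacks a .crx package, reads its manifest.json and flags the permissions the extensions above abused: broad host access, cookie and request interception, the native-messaging bridge to the local machine, and the management permission that lets an extension disable others. The risk weights, the verdict thresholds, the sample “bank helper” manifest and the placeholder CRX header it builds for testing are all this example’s own assumptions; signature verification is deliberately out of scope.

```python
"""Static triage of Chrome extension packages: unpack a .crx, read
manifest.json and flag the permission patterns malicious extensions rely on.

Added example, not Google tooling. Weights and thresholds are this
example's own heuristic (assumption), not a Chrome Web Store rule.
"""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

# Permissions worth a second look: (heuristic weight, why it matters).
RISKY_PERMISSIONS = {
    "<all_urls>": (5, "read and modify every page the user visits"),
    "webRequest": (3, "observe network requests, including credentials and tokens"),
    "webRequestBlocking": (4, "rewrite or block network requests"),
    "cookies": (4, "read session cookies for every granted host"),
    "management": (4, "disable or uninstall other extensions, e.g. security tools"),
    "nativeMessaging": (4, "talk to a native program on the local machine"),
    "debugger": (5, "drive any tab over the DevTools protocol"),
    "proxy": (4, "route all browser traffic through an attacker-chosen proxy"),
    "tabs": (2, "enumerate open tabs and their URLs"),
}
WILDCARD_HOSTS = ("*://*/", "http://*/", "https://*/")


def crx_payload(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX2 or CRX3 container.

    CRX3: 'Cr24', uint32 version=3, uint32 header_len, header, zip.
    CRX2: 'Cr24', uint32 version=2, uint32 key_len, uint32 sig_len, key, sig, zip.
    Signatures are not checked here: the goal is to read the manifest
    regardless of who signed the package.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    raise ValueError(f"unsupported CRX version {version}")


def manifest_from_crx(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(crx_payload(data))) as zf:
        return json.loads(zf.read("manifest.json"))


def triage_manifest(manifest: dict) -> dict:
    """Score a Manifest V2 or V3 extension and explain the score."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into
    # permissions. Content script match patterns grant page access too.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    score, findings = 0, []
    for name in sorted(perms | hosts):
        if name in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[name]
            score += weight
            findings.append(f"{name}: {why}")
    for host in sorted(hosts):
        if host.startswith(WILDCARD_HOSTS):
            score += 4
            findings.append(f"{host}: wildcard host pattern, effectively every site")
    broad = "<all_urls>" in hosts or any(h.startswith(WILDCARD_HOSTS) for h in hosts)
    if broad and perms & {"webRequest", "webRequestBlocking", "cookies", "debugger"}:
        # The combination a credential stealer needs: every page, plus the
        # ability to see or alter the traffic and cookies flowing through it.
        score += 3
        findings.append("broad host access combined with request or cookie interception")

    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"name": manifest.get("name"), "score": score,
            "verdict": verdict, "findings": findings}


def build_crx(manifest: dict, version: int = 3) -> bytes:
    """Constructed fixture: wrap a manifest in a CRX container for testing.
    The CRX3 protobuf header and the CRX2 key/signature are placeholder
    bytes here, which is all the parser above needs (assumption)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    if version == 3:
        header = b"\x00" * 16
        return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + zbuf.getvalue()
    key, sig = b"K" * 8, b"S" * 8
    return CRX_MAGIC + struct.pack("<III", 2, len(key), len(sig)) + key + sig + zbuf.getvalue()


# Constructed sample shaped like a credential-stealing "bank helper" extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Bank Helper",
    "version": "1.0",
    "permissions": ["cookies", "webRequest", "management", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    report = triage_manifest(manifest_from_crx(build_crx(SAMPLE_MANIFEST)))
    print(json.dumps(report, indent=2))
```

Run it against a downloaded package with `manifest_from_crx(open(path, "rb").read())`, or point `triage_manifest` at the manifest.json of an unpacked extension. The findings list matters more than the number: a high score on a developer tool that legitimately needs `webRequest` and `<all_urls>` is expected, while the same score on a “bank helper” pushed by a phone call is exactly the pattern described above.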