Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions.

Recent incidents like DataSpii and the Nigelthorn malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them.

What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?

A new report by LayerX, “Unveiling the Threat of Malicious Browser Extensions” (download here), provides in-depth insights into the malicious browser extensions threat landscape, while offering recommendations for mitigation.

The report dissects the domain of malicious extensions, focusing on several key aspects:

  • Types of malicious extensions
  • Installation – How malicious extensions gain access to users’ browsers
  • Indicators of potentially malicious extensions
  • The critical permissions that can be misused by malicious extensions
  • The browser extension attack vector
  • Mitigation methods

Let’s dive into a few of the key findings from the report. The entire report can be found here.

The 3 Types of Malicious Extensions

Malicious extensions can be categorized into three main groups:

1. Initially Malicious Extensions – Extensions that are purposefully created by malicious actors. They can either be uploaded to web stores or hosted on the attacker’s own infrastructure.

2. Compromised Extensions – Initially legitimate extensions that are either directly purchased by adversaries or compromised by the attacker and used for malicious activities.

3. Risky Extensions – These are legitimate extensions that, while not initially created with malicious intent, have excessive permissions that can pose a security risk.

How and Why Extensions Get Installed on the Browser

Malicious extensions can infiltrate a victim’s browser through various methods, each with its own set of security considerations:

1. Admin Installation – Extensions that are centrally distributed by network administrators, often with explicit organizational approval.

The critical security question here is whether these extensions are truly necessary within the corporate network and whether they pose any security risks. It’s essential to carefully evaluate the need for such extensions and their potential impact on network security.

2. Normal Installation – Extensions that users download from official browser stores by visiting an extension’s listing. This approach allows users to make independent choices regarding which extensions to install.

While this offers flexibility, this approach raises the security question of potential risks associated with employees’ choices. Assessing the popularity and security of these extensions among the workforce is vital to maintain a secure browsing environment.

3. Developer Installation – Extensions loaded from employees’ local computers. Since these extensions originate from employees’ workstations, they bypass the usual vetting process for installed software.

It’s crucial to examine the security implications of allowing employees to load unpacked extension files directly from their machines to prevent potential risks.

4. Sideload Installation – This method involves third-party applications, such as Adobe or other software providers, installing extensions. Unfortunately, it is the least secure option, as it can be easily exploited by adversaries to install malicious extensions without the user’s awareness.

Evaluating how these applications interact with browsers and the access and permissions they grant to extensions is essential to mitigate security risks.

LayerX has measured the distribution of these installation types across its user data. The majority, 81% of extensions, are installed by users downloading them from official browser stores.

Indicators of Potentially Malicious Extensions

Given the widespread popularity of users downloading extensions themselves, it’s important to exercise caution and train employees to identify which extensions could be potentially malicious. Some of the main indicators include:

  • Address and Email – A missing developer’s contact address or email in the Chrome Web Store listing raises concerns about lack of accountability. It’s essential to know who stands behind the extension.
  • Last Updated – The frequency of updates reflects potential security and compatibility risks. Outdated extensions may be more vulnerable to security threats and may not work correctly with the latest browser versions.
  • Privacy Policy – The absence of a privacy policy in the Web Store listing could indicate potential issues with how the extension handles user data and privacy. Reliable extensions are transparent about their data practices.
  • Rating – User ratings provide insights into an extension’s overall quality and user satisfaction. Higher ratings often indicate a safer and more reliable extension.
  • Rating Users – The number of user ratings also matters. More ratings typically mean a larger user base and a lower risk of encountering problems or security issues.
  • Support Site – The presence of a support site associated with the extension on the Web Store allows users to seek assistance. A lack of support information can be a red flag.
  • Number of Users – Widely used extensions are generally safer choices. A low number of users may impact support and suggest lower reliability.
  • Website – The existence of an official website associated with the extension can provide additional information and resources. A lack of a website may signify a lack of transparency or additional documentation.
  • Non-Official Stores – If an extension is not available in any official browser store (e.g., Chrome Web Store), it could be a potential risk. Official stores have some level of vetting and security checks.
  • Uncommon Install Types – Extensions that use unusual installation methods like side-loading or developer mode should be approached with caution. These methods may bypass security measures and increase the risk of malware.
  • Free Promotion – Extensions promoted as free in a way that doesn’t make financial sense, such as being pushed by paid ads, could be a sign of suspicious activity. Consider why an extension is being offered for free and whether it might have hidden motives.
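The four installation paths and the listing indicators above can be turned into a triage routine over an extension inventory. The code below is an added example, not code from the LayerX report; it keys on the installType values that Chrome's chrome.management.getAll() reports ("admin", "normal", "development", "sideload"), while the listing field names, the sample data and the numeric thresholds are assumptions chosen for illustration.

```javascript
// Added example (not from the LayerX report). Extensions are shaped like the
// ExtensionInfo objects chrome.management.getAll() returns; listing fields
// and numeric thresholds below are assumed values for illustration.

// Listing indicators from the report, evaluated against store metadata.
function listingFindings(listing, now = Date.now()) {
  const f = [];
  if (!listing.developerEmail) f.push("no developer contact");
  if (!listing.privacyPolicyUrl) f.push("no privacy policy");
  if (!listing.supportUrl) f.push("no support site");
  if (!listing.websiteUrl) f.push("no website");
  if (listing.lastUpdated && now - Date.parse(listing.lastUpdated) > 365 * 86400000)
    f.push("not updated in over a year");            // threshold is an assumption
  if (listing.rating !== undefined && listing.rating < 3.5) f.push("low rating");
  if ((listing.ratingCount ?? 0) < 50) f.push("few ratings");
  if ((listing.userCount ?? 0) < 1000) f.push("few users");
  return f;
}

// Install-type indicators: unpacked and sideloaded installs skip store
// vetting; "<all_urls>" host access widens what a compromised extension sees.
function installFindings(ext) {
  const f = [];
  if (ext.installType === "development") f.push("loaded unpacked (developer mode)");
  if (ext.installType === "sideload") f.push("sideloaded by a third-party application");
  if ((ext.hostPermissions || []).includes("<all_urls>")) f.push("host access to all URLs");
  return f;
}

// Returns the install-type distribution plus per-extension findings.
function triage(extensions, listings, now) {
  const byType = {}, report = [];
  for (const ext of extensions) {
    byType[ext.installType] = (byType[ext.installType] || 0) + 1;
    const listing = listings[ext.id];   // absent listing = not in an official store
    const findings = installFindings(ext).concat(
      listing ? listingFindings(listing, now) : ["no official store listing"]);
    report.push({ id: ext.id, name: ext.name, installType: ext.installType, findings });
  }
  return { byType, report };
}

// Constructed sample inventory; inside an extension you would pass the array
// from chrome.management.getAll() and listing data collected from the store.
const SAMPLE_EXTENSIONS = [
  { id: "aaaa", name: "Corp SSO Helper", installType: "admin", hostPermissions: ["https://sso.example.com/*"] },
  { id: "bbbb", name: "Coupon Finder", installType: "normal", hostPermissions: ["<all_urls>"] },
  { id: "cccc", name: "My Dev Test", installType: "development", hostPermissions: [] },
];
const SAMPLE_LISTINGS = {
  aaaa: { developerEmail: "it@example.com", privacyPolicyUrl: "https://example.com/privacy", supportUrl: "https://example.com/support",
          websiteUrl: "https://example.com", lastUpdated: "2024-01-10", rating: 4.6, ratingCount: 120, userCount: 5000 },
  bbbb: { lastUpdated: "2021-03-01", rating: 4.9, ratingCount: 12, userCount: 300 },
};
console.log(JSON.stringify(triage(SAMPLE_EXTENSIONS, SAMPLE_LISTINGS), null, 1));
```

The byType counts give the same kind of distribution the report derives from its user data, while the findings list is what a reviewer would escalate.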

The report itself contains additional information that is a must-read for any security or IT professional. This includes risky browser extension permissions to look out for, the browser extension attack vector, mitigation techniques, and more. Cybersecurity is about acknowledging, adapting, and responding to changing threats, and malicious browser extensions demand our attention today.

To read the entire report, click here.