
The Hidden Dangers of Browser Extensions: Where Google’s MV3 Still Fall Short
A recent Forbes article by Davey Winder discussed a brilliant publication by Stanford researchers Sheryl Hsu, Manda Tran and Aurore Fass. They found that nearly 350 million Chrome extension installs involved extensions with privacy violations, vulnerable code or malware. Many hoped that Google Chrome’s new Manifest V3 standard would be the solution to extension-based vulnerabilities. Yet our research, released at DEF CON 32 this year, showed that MV3-compliant extensions can still silently add GitHub repo collaborators, mirror Zoom/Google Meet video feeds and steal user credentials and data relatively easily.

Surprisingly, many of these suspicious extensions are Chrome Featured, a stamp of approval that many users, and often security teams, treat as an indication that a browser extension is legitimate and safe. While Google does its best to vet these extensions, there are over 100,000 active extensions on the Chrome Web Store, making it impossible to keep track of every update. On average, it takes 380 days for an extension containing malware to be taken down from the Chrome Web Store.
Attackers exploit this by compromising, or buying the rights to, benign and popular extensions and turning them malicious, without users being aware of the update. One such case study is the PDF Toolbox and Autoskip for YouTube malicious extensions uncovered by Palant. With 2 million and 9 million downloads respectively, these seemingly benign extensions inserted adware links into search bars against the user’s will.
This is just one of the ways extensions can be turned against users. Five common browser-extension-based attacks are:
1. Data Exfiltration
Attackers can collect rich data on user behaviour and sell it to companies and targeted-ad providers. More targeted attacks can use extensions as spyware to read confidential information such as intellectual property, emails and other sensitive data. For companies, such breaches can lead to expensive class-action lawsuits, damage to brand reputation and, for IP-sensitive businesses, loss of competitive edge.
2. Credential stealing
Extensions can gain access to PII such as credit card numbers and social security numbers, as well as to banking and social media accounts. More advanced attackers can even silently add a collaborator to a developer’s GitHub repo and hold the code hostage for ransom. Since the White House banned most ransom payments in 2023, this poses a huge dilemma when platforms and resources critical to the business are held up by ransomware.
3. Adware & misinformation spreading
Attackers often use extensions to redirect users to ad pages or embed ads into websites without the user’s knowledge. This not only impairs the user’s productivity and experience by slowing down the browser, but may lead to subsequent infection with spyware or ransomware. The same technique can be used to display fake search results and spread false information.
4. Cryptojacking
One of the simplest ways to steal cryptocurrency is to inject the attacker’s wallet address into the recipient field just as the user hits the transfer button, redirecting the funds to the attacker’s account. This can lead to significant personal financial loss and reputational damage for crypto exchanges.
5. Malware spreading
Through extensions, attackers can initiate malware downloads without the user’s permission. Smarter attackers even trigger these downloads while users are on trusted sites (e.g. Zoom, Salesforce) and disguise them as software updates to minimise suspicion.
This got me curious about how easy it is to purchase the rights to a Chrome Featured extension. So, posing as an EdTech founder, I approached the authors of several translation extensions to see whether they were willing to sell them to me. I focused on extensions that had not been updated in at least 12 months but had at least 10,000 downloads on the Chrome Web Store. It turns out that once a price was agreed, all it took was for the author to hand over the credentials to their Chrome account, which gave me completely free access to the extension’s code repo.
If gaining access to extensions already installed on millions of devices really is as simple as a price negotiation, there is a huge gap in how browser extensions are risk-managed. Speaking to over a dozen security experts, it is evident that most security teams whitelist extensions once and have no active monitoring strategy for them afterwards. Even where they do, whitelists are reviewed every 1–3 years, with no way of knowing when a benign extension turns malicious.
So how can one protect against malicious browser extensions? Here are a few best practices:
- Read, read, read — read reviews thoroughly, especially negative ones. Do this even for Chrome Featured and popular extensions, and weight recent reviews more heavily.
- Check when the extension was last updated — generally, the longer software goes without an update, the more likely it is unmanaged and vulnerable to attack. There is no magic number, but I get nervous installing extensions with no updates in more than 3–6 months.
- Chuck it — uninstall or disable extensions you don’t need. It is a bit of extra work, but generally the fewer you have enabled, the safer you are.
- Have runtime control — the best way to guarantee extension safety is a tool that automatically disables and/or alerts you whenever an extension turns malicious, is updated, or goes too long without an update (depending on your risk appetite).
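The "check when it was last updated" and "have runtime control" practices above can be partly automated on the defender's side. The following Python script is an added example, not code from this post or from SquareX: it walks a Chrome profile's Extensions directory (Chrome stores unpacked extensions as Extensions/<id>/<version>/manifest.json), flags MV2 manifests, broad host access, a constructed list of high-risk permissions, and version directories whose modification time is older than a threshold. The use of the directory's modification time as a proxy for the last update is an assumption; the high-risk permission list is an illustrative choice, not an official Chrome ranking; and the two-extension sample profile it builds when run without a path argument is constructed for the demo.

```python
from __future__ import annotations

import json
import os
import sys
import tempfile
import time
from pathlib import Path

# Permissions that let an extension read or alter traffic, credentials or page
# content broadly. Constructed for illustration, not an official Chrome ranking.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "tabs", "scripting", "nativeMessaging", "debugger", "history",
    "clipboardRead", "downloads", "management", "proxy",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict, last_modified: float, now: float,
                    stale_days: int = 180) -> list[str]:
    """Return the findings for one manifest.json plus its last-update time."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts here
    # MV2 mixes host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    # Content scripts injected everywhere are as broad as <all_urls>.
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))

    findings = []
    if manifest.get("manifest_version", 2) < 3:
        findings.append("manifest_v2")
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad_host_access")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high_risk_permissions:" + ",".join(risky))
    age_days = round((now - last_modified) / 86400)
    if age_days > stale_days:
        findings.append(f"stale:{age_days}d")
    return findings


def scan_profile(profile_dir: Path, now: float | None = None,
                 stale_days: int = 180) -> dict[str, dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    now = time.time() if now is None else now
    reports: dict[str, dict] = {}
    for manifest_path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        # Assumption: the version directory's mtime approximates when Chrome
        # last installed an update. Chrome's own install timestamps live in the
        # profile's preferences files and are not parsed here.
        last_modified = manifest_path.parent.stat().st_mtime
        ext_id = manifest_path.parent.parent.name  # later version dirs overwrite earlier ones
        reports[ext_id] = {
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "findings": assess_manifest(manifest, last_modified, now, stale_days),
        }
    return reports


def build_sample_profile(root: Path, now: float) -> Path:
    """Create a constructed profile with two fake extensions for a demo run."""
    samples = {
        # Constructed id: a stale MV2 extension with broad traffic access.
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": (
            {"manifest_version": 2, "name": "Sample Translator", "version": "1.4",
             "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "storage"]},
            now - 400 * 86400),
        # Constructed id: a recently updated MV3 extension with a narrow host list.
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": (
            {"manifest_version": 3, "name": "Sample Notes", "version": "2.0",
             "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
            now - 10 * 86400),
    }
    for ext_id, (manifest, mtime) in samples.items():
        version_dir = root / "Extensions" / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        os.utime(version_dir, (mtime, mtime))  # set after writing so the write does not bump it
    return root


def demo_scan(now: float | None = None) -> dict[str, dict]:
    """Build the constructed sample profile in a temp dir and scan it."""
    now = time.time() if now is None else now
    return scan_profile(build_sample_profile(Path(tempfile.mkdtemp()), now), now)


if __name__ == "__main__":
    now = time.time()
    # Pass a real profile path (e.g. ~/.config/google-chrome/Default) to scan it;
    # with no argument the constructed sample profile is scanned instead.
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile(Path(tempfile.mkdtemp()), now)
    for ext_id, report in scan_profile(profile, now).items():
        flag = "FLAG" if report["findings"] else "ok  "
        print(f"{flag} {ext_id} {report['name']} {report['version']} {report['findings']}")
```

Run on a schedule, a diff of successive reports gives a crude form of the runtime control described above: a new version directory or a new finding for a whitelisted extension id is the signal to re-review it, and a growing stale age is the signal the author may have abandoned it.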
The Hidden Dangers of Browser Extensions: Where Google’s MV3 Still Fall Short was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Audrey Adeline. Read the original post at: https://labs.sqrx.com/the-hidden-dangers-of-browser-extensions-where-googles-mv3-still-fall-short-6df84dc6c09b?source=rss----f5a55541436d---4