Back in July, I wrote about how Google hosts Chrome extensions in an official web store, but hasn’t done an especially great job ensuring all are safe for users. The same is true across other browsers and web stores, as well.
Users should expect some semblance of browser extension security, but clearly we’re not getting that. In the last couple weeks we’ve seen coverage and discussions regarding multiple extensions that are either malicious or quietly gathering user data.
When will browser extensions finally get the same scrutiny that mobile apps do?
Roundup of the latest malicious browser extensions
Here are just the latest examples showing that browser extension security isn’t where it should be.
The biggest recent event involved the MEGA.nz Chrome extension, which got hacked in early September, resulting in the theft of credentials for sites like Amazon and Github. According to an official statement from MEGA, the hacker uploaded a trojaned version of the popular extension as an update that requested higher permissions than before. This meant that unaware users (in the five hours it was live) gave the hacked extension the ability to read and change all the data on websites visited.
In August, 23 Firefox extensions were banned after it was revealed that all of them snooped on users’ browsing histories. One of the browser extensions was the Web Security extension—which Mozilla had actually called out as being great for privacy (the company has since scrubbed those positive mentions).
What are some recommendations for better protection?
Hopefully most users don’t blindly trust the browser extension security of Google, Mozilla, and others—and if they do, it’s time to squash that naivety. Users and IT admins need to consider ways to protect themselves (and their organizations) if companies aren't willing to stand behind the add-ons they make available. So, what are some ways to protect both yourself and your company?
For browser extensions, Brian Krebs offers some suggestions and advice following the MEGA.nz hacking:
- Reduce your attack surface by installing extensions sparingly.
- Pay close attention to the permissions that each extension requests. Are they appropriate for what the extension does?
- Be suspicious if an extension suddenly requests additional permissions it didn’t need before.
Since we’re talking about permissions, you need to understand Chrome’s permission alert levels and the risk each one represents. Chrome breaks them down into high alert, medium alert, and low alert. Unfortunately, those risk levels can be misleading. High alert covers only the permission for “all data on your computer and the websites you visit” (an enormous amount of access for an extension), while a medium alert covers “your data on all the websites you visit” and specifically mentions your bank account.
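Krebs’ advice to watch what an extension requests, and to be suspicious when an update suddenly asks for more, can be checked mechanically by diffing the `permissions` block of an extension’s manifest across versions. The script below is an added example, not code from the original post or from any extension vendor; the permission-to-level mapping is an illustrative assumption and not Chrome’s exact warning table, and the two manifests are constructed samples, not the real MEGA files.

```python
import json

# Assumed risk mapping for illustration; not Chrome's exact warning table.
RANK = {"low": 0, "medium": 1, "high": 2}
HIGH_API = {"nativeMessaging", "debugger"}
MEDIUM_API = {"webRequest", "webRequestBlocking", "cookies", "history",
              "tabs", "clipboardRead", "proxy"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def permission_level(perm: str) -> str:
    """Rate one manifest permission as low / medium / high."""
    if perm in HIGH_API:
        return "high"
    if perm in MEDIUM_API or perm in ALL_SITES:
        return "medium"
    return "low"


def manifest_permissions(manifest: dict) -> set:
    """Collect everything an extension can obtain from its manifest:
    API permissions, MV3 host_permissions and optional ones it may ask for."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def review_update(old_manifest: dict, new_manifest: dict) -> dict:
    """Diff two manifest versions and flag newly requested risky permissions."""
    old_p = manifest_permissions(old_manifest)
    new_p = manifest_permissions(new_manifest)
    added = sorted(new_p - old_p)
    worst = max((permission_level(p) for p in new_p), key=RANK.get, default="low")
    # Any non-low permission that was not present before is an escalation.
    escalated = [p for p in added if permission_level(p) != "low"]
    return {"from": old_manifest.get("version"), "to": new_manifest.get("version"),
            "added": added, "removed": sorted(old_p - new_p),
            "worst_level": worst, "escalation": escalated}


# Constructed sample manifests: the "update" adds all-sites host access plus
# webRequest, the pattern Krebs warns about (read and change data on every site).
OLD_MANIFEST = {"name": "Example Ext", "version": "1.0",
                "permissions": ["storage", "https://example.com/*"]}
NEW_MANIFEST = {"name": "Example Ext", "version": "1.1",
                "permissions": ["storage", "webRequest", "<all_urls>"]}

if __name__ == "__main__":
    print(json.dumps(review_update(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

Pointed at the unpacked manifests of an installed extension before and after an update, the same diff shows whether an auto-update quietly widened its reach.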
I feel that having just three alert levels could lead some to believe that a medium alert isn’t too worrisome. Permission levels for extensions and web apps need to be revamped to be more like mobile app permissions. Both iOS and Android let users approve or deny specific permissions rather than granting everything in one lump approval: ask for location access, then ask for camera access, and so on.
Another issue for users is when an extension gets sold or changes hands. This isn’t new, just a way of life. Once an extension gets mildly popular, developers have said they get inundated with offers to sell. They might not think about the potential repercussions and take the offer. Unfortunately, the new owner could then update the extension to inject ads into every user’s browser or do something more malicious, and the extension updates automatically without the user understanding what changed. Thankfully, if you use Firefox you can disable auto-updates for add-ons like extensions; Chrome doesn’t appear to offer an official way for users to disable updates, unlike apps in the Play Store.
A friend of ours wrote a reasonably popular Chrome extension (~70k users). As soon as it started to take off he had offers by scammers to buy the extension. An easy way for scammers to hijack your browser: find an extension with interesting permissions, buy, push an “update”.
— Nikolai Hampton (@NikolaiHampton) September 5, 2018
In the enterprise, for Chrome on all major OSes, admins can set Chromium policies for extensions, including disabling them altogether, preventing installation if an extension requests a banned permission, and blocking specific types of extensions (e.g., “theme,” “user_script,” etc.).
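The three controls just listed map onto Chrome’s `ExtensionSettings` policy. The fragment below is an added example, not from the original post or from Google’s documentation: it blocks installation by default, refuses any extension that asks for the listed API permissions, restricts the store to the “extension” type (so “theme” and “user_script” packages are refused), and allows one vetted extension. The permission list is an assumed choice, the 32-character extension ID is a placeholder, and the file is assumed to be dropped in Chrome’s managed-policy directory (`/etc/opt/chrome/policies/managed/` on Linux; Windows uses the equivalent registry value as a JSON string).

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_permissions": ["history", "webRequest", "debugger", "nativeMessaging"],
      "allowed_types": ["extension"]
    },
    "PLACEHOLDER_32_CHAR_EXTENSION_ID": {
      "installation_mode": "allowed"
    }
  }
}
```

After applying it, `chrome://policy` shows whether the policy loaded and whether the JSON was rejected, and `chrome://extensions` marks blocked items as managed by your organization.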
There is also enterprise software organizations can purchase that allows admins to manage extensions for users. One example is the newly released Browser Security Plus from ManageEngine. The software allows IT to secure the browser by managing browser extensions and web apps.
We need to demand better security & faster patching
This is happening so frequently (enough that we wanted to revisit it) that tech companies clearly need to get better. It has become so common for malicious browser extensions to slip through automated reviews that it’s actually insulting to users. It’s time that browsers start (or return) to human reviews.
They should also get better at pulling suspicious add-ons and patching flaws. Often (whether accurate or not) it feels like companies don’t yank known malicious browser extensions or patch something until they start getting bad publicity. One example: a Safari and Edge spoofing flaw was discovered and responsibly disclosed, yet Apple still hasn’t patched the issue (Microsoft has), three months later. The recent coverage might finally kick them into gear.
Meanwhile, it’s time for Google to work on cleaning up the Chrome Web Store, like they did with Google Play. Google Play now has Google Play Protect for Android devices, which helps protect and secure apps while still allowing for user flexibility and choice. Browser extensions are popular, but users remain at risk, and it feels like no real progress has been made on user security and protection.
Mozilla won't block addons that inject advertising - developers have that right and they're not going to take low-life "user" complaints. pic.twitter.com/HuOK1n68YV
— SwiftOnSecurity (@SwiftOnSecurity) November 29, 2016
More browsers need to work on improving user friendliness. Back in 2016, SwiftOnSecurity pointed out on Twitter that Mozilla didn’t prevent add-ons from injecting ads. Now Mozilla says developers must make clear to users, before they download the add-on, that it contains ads, and that any ads must be clearly identified. The company also announced at the end of August that it is working on updates that would prevent users from being tracked by default.
We need more proactive protection measures like that from all browsers and app stores. Users also need to understand that a browser extension in an official store can still have flaws or be malicious. But at the same time, companies need to do more for browser extension security.