Browser extensions

How Browser Extensions can Exploit User Activities for Malicious Operations

 

What are browser extensions?

Browser extensions are mini-applications that add more features and functionalities to the browser. Some of the most common extensions are ad blockers, password managers, grammar check extensions, screenshot creators, and translators. They allow users to integrate their browsers with their preferred services. 

Upon installation, extensions require permissions such as access to read, edit, and alter data on the websites that the user visits. Permissions that allow extensions to read the user’s browsing history or modify the data that the user copies and pastes is a surefire way to enable the extension to monitor all your activities. However, for well-functioning browser extensions users usually grant such permissions or overlook the extension’s default settings.

Browser extensions Permissions

Most browser extensions offer features that interact with the current web page, such as  password managers that fill in passwords for different websites, or dictionary extensions that provide instant definitions for words. For the same reason, users do not concern themselves with permissions. 

Some extensions require broader permissions. For example, the Web Developer extension for Chrome requires the permission to read and change users’ data on the websites they visit and their browsing history, modify the data that users copy and paste, and change user settings that control the website’s access to features such as cookies, Javascript, plugins, geolocation, microphone, camera, etc.

Browser Extensions Web Developer

If an extension is allowed to access all the web pages that the user visits, the user could be opening the door to malicious attacks. It could function as a keylogger and capture sensitive information, insert advertisements, redirect the search traffic to malicious sites, etc. This doesn’t mean that every extension is malicious, but they can surely be dangerous.

Browser extensions that work statically and don’t connect to external servers are generally safe. Extensions that require a connection to the server to retrieve data are more sensitive because cybercriminals may capitalize on this feature; they can hijack the server or the domain name to further their malicious scheme.

Few extensions may display ads:

Browser Extensions Ads
Extensions are part of a long-running ad-fraud and malvertising network. When Chrome’s add-ons were first announced in 2009, initially most extensions focused only on certain areas, but primarily they were used to block ads. However, currently, those same extensions display advertisements.


Is it safe to let your browser manage passwords?

Internet usage has skyrocketed over the last decade, and today an average user spends 6.5 hours online, on a daily basis. Online services such as  email, social media, online stores, and streaming services are the most popular platforms users spend their time on. However, for convenience, most users save their passwords on browsers to enter the password for that site upon login, automatically. Trying to memorize multiple passwords can be tricky. Therefore, more and more browsers ask users whether they would like the browser to save their credentials. If users enable this option, their passwords are saved and synchronised locally and on other devices that the user has used to login.


Your secure extensions can transform into malware  

In some cases, popular browser extensions that are trusted to be secure are sold to shady organizations or even hijacked. Malicious groups who take charge of such extensions set up updates that can turn seemingly harmless extensions into malware. The compromised extensions connect the browser to a command and control architecture, to exfiltrate sensitive data of unaware users, and expose them to further risks.

 

Underground marketplaces that sell fingerprints

The unauthorized data collected may include sensitive information like login credentials to the user’s online payment portal accounts, e-banking services, file-sharing or social networking websites. It may also steal cookies associated with these accounts, browser user-agent details, and other browser and PC details.

Cybercriminals, very recently, realized the value of unique fingerprints of users, where these digital identities are being sold on underground marketplaces such as the Genesis Store and Russian Market.

Genesis Store operators have developed a .crx plugin for Chromium- based browsers to make it easier to use stolen identities, in any way they want. The plugin installs stolen digital profiles into the cybercriminal’s browser, allowing the actor to activate a doppelgänger of the victim. Then, the attacker only needs to connect to a proxy server with an IP address from the victim’s location to bypass the anti-fraud system’s verification mechanisms, pretending to be a legitimate user.

A snapshot of available Genesis bots:

Genesis Bots


Conclusion

  • Fewer the extensions on your browser, the better. Do not install extensions that raise even the slightest suspicion in your mind. Fewer extensions would only help your browser to be faster. Extensions not only affect your computer’s performance but it can also be a potential attack vector. 
  • Install extensions only from official Web stores. The extensions available in such stores undergo security tests, with security specialists filtering out those that are malicious from head to toe. Even though this does not guarantee safe browsing experience, they are better than the extensions from external sources. 
  • Observe the permissions that extensions require. If an extension that is already installed on your computer requests a new permission, it could be a red flag. There is always the possibility that the extension might’ve been hijacked or sold.
  • Before installing any extension, it’s always a good idea to go through the permissions they require and make sure that they are appropriate for the functionality offered by the extension. If the permissions requested do not seem logical in correspondence to the extension’s functions, it’s probably better not to install that extension at all.