Introduction
Email and the web browser are the two most common routes that hackers use to attack. This fact is not controversial. Yes, a lot of attacks come via a business’s suppliers, but these will most likely have been initiated either via email or the web.
We know this, and most of us have introduced defences to protect against these types of attack. We are suspicious of emails that appear out of the ordinary. We try not to click on web links when we aren’t sure if they are genuine. We run antivirus on our devices in case we visit a website that has something malicious lurking in the background.
But there is an area that is almost universally overlooked, and that has been a significant factor in a large number of security incidents I’ve supported over the years. These are those little browser extensions that we like to install to make life a little easier. You will find a list of the ones installed in your browser today by going to the menu and selecting something like “Extensions” or “Manage Extensions”. Most people are simply not aware that a browser extension can be dangerous.
What harm can a browser extension do?
Depending on the permissions an extension is given, it can have huge power over what you do and see in the browser. Just take a look at the list of capabilities offered to developers of extensions for the Chrome browser. The browser presents an interface to developers that enables them to access pretty much every aspect of your web experience. They can manipulate the content of the page you are viewing. They can record audio and take screenshots. They can hook into the underlying requests that are being made over the web as you interact with a website, including the information you are sending and receiving.
The two most frequent things that I have seen malicious extensions do over the years are:
- Stealing your session cookie. If the hacker steals the session cookie for a website that you are visiting then they can do anything you can do, with all of the permissions you have. It doesn’t matter how strong your password is, or whether you have multi-factor authentication switched on, because with the cookie they are already logged in as you.
- Key logging and screen capture. If the extension has access to the input interface it can see and log every key that you press while interacting with the browser. This includes credit card details, usernames and passwords, and any other sensitive information. The extension can send this captured information in the background to the hacker, and they can sift through it at their leisure. Similarly, there is an interface that enables them to take a screenshot of your display, and they can then use various image processing and AI tools to convert the image back into text based information for exploitation later.
Just to put the first example in simple terms: if you are logged into your email account, your bank or your favourite online shop, and someone has an extension in your browser that has the right permissions, then they have access to that account too. Having hijacked your session they can change the password and log you out, giving them full control (unless you have MFA in place). They can transfer money or buy things. The email, bank or shopping service may have security to try to detect this, but if the hacker is using your session and is communicating with the service via the extension on your machine then it is almost impossible to detect.
Similarly with key logging, whenever you type a letter it will be sent to the hacker. Having infected tens of thousands of machines, you might think that this will give them an impossible amount of random text to sift through. But with some very basic analysis they will be able to sort the wheat from the chaff. Credit card numbers are an easy thing for a computer to spot within large quantities of data, and the keystrokes before and after can then be replayed so that the record includes name, address, expiry date and security code (CSC). Usernames are usually email addresses, which can also be spotted, and are followed by the password; by also knowing which website was in the active tab when the keys were being pressed it is fairly easy to identify which site the password relates to.
But I’ve got anti-virus so I’m OK aren’t I? And doesn’t Google prevent malicious extensions from appearing on their Web Store?
These extensions are using approved interfaces in the way they were originally designed. There are many legitimate extensions that also use those interfaces. So unless and until the intent behind a particular extension has been identified as malicious, it isn’t possible for your anti-virus to spot the damage that it is doing.
Similarly, the quantity of new and updated extensions being submitted to Google (I use Chrome as an example in this article, but other browsers are available) is just too great for them all to be checked for malicious intent. When it becomes apparent that an extension is bad then the browser vendor will take it down, but by then a huge amount of damage may have been done to users.
Well I wouldn’t be so silly to install one of those bad extensions on my machine!!!
Bad people exploit human weakness. We are all suckers for things that make our lives easy. And if we want to make our lives easy we may be in a bit too much of a hurry to do the due diligence. When you last installed an extension how much effort did you put in to check who had published it and the permissions it was asking for?
‘Free’ things that make life easier are the most attractive of all. You might want an extension that blocks pop ups, or adverts. But think about it. Adverts earn money. An extension that blocks adverts isn’t earning money by offering you other adverts (that you are aware of). So if an extension isn’t charging you money, and it isn’t obvious how it is earning revenue in another way, then how is the person who has expended resource and effort to develop and distribute it earning a return? There undoubtedly are some that are honest, honourable and with pure intent. But in general the dictum that “If you aren’t the customer then you are the product” applies in this case too!
So what should I check?
You probably wouldn’t let someone look after your children, or let them into your house to fix the boiler, unless you were satisfied you knew who they were and had a basic level of trust in them. The same applies with extensions, and the level of access you are willing to give an extension should be proportionate to the trust. After all, the level of trust you have in an individual should be proportionate to the level of harm that individual could do. The amount of due diligence you can do is limited; but given the damage that can be done, you should err on the side of confirming you do trust the extension rather than just giving it a cursory glance to see whether it is obviously suspicious.
Who is the publisher?
The authenticity of the publisher is not always obvious. I’ll use as an example the “Microsoft Single Sign On” extension that makes it easier for you to sign into applications using your Microsoft 365 identity [1]. The details reproduced below caused me some concerns when I was deciding whether to trust it. It says it is offered by “Microsoft”.
Fine, but is this the Microsoft I know, or someone saying they are Microsoft? It is a little concerning that this “Microsoft” has not identified itself as a trader. When I looked at other extensions offered by Microsoft I found that they called themselves “Microsoft Corporation”, identified as a trader, and provided their Redmond address. Google does offer to verify that a publisher is valid under their “Established Publisher” badge; but it would appear that the majority of extensions have not gone through this process (including Microsoft). Without this badge the New Yorker cartoon caption “On the Internet, nobody knows you’re a dog” applies.
In the end I found enough references to this extension on Microsoft’s own websites to believe it was authentic, and I was satisfied that the permissions were fairly minor, but not before it caused me some concern; I was very close to not accepting it.
What permissions is it asking for?
Confirming you know and trust the organisation that is providing the extension is one thing, and it is important even if you are only allowing it to access your browsing history; after all, do you really want anyone accessing that information? But the difference between accessing your browsing history and accessing your cookies, keyboard or camera is huge. As the permissions go up you need to decide whether the task really needs those permissions, and whether the benefit you will get from the extension is sufficient to make the risk worthwhile.
For extensions that are already installed you can go to “Manage Extensions” and look at an extension’s details to identify what it can do and where:
The browser vendors do have some controls in place to warn you if an extension is asking for heightened permissions. You can see the warnings that Google will raise here. But I’d counter this with a number of warnings of my own:
- It is ambiguous under what conditions Google (in this case) will offer which sort of warning. So you are relying on their view of risk being identical to yours.
- The lowest permissions can still cause quite a bit of damage. An extension that can “Read and change all your data on all websites” (React Developer Tools) produces no warning at all.
- We are busy and vulnerable people. Relying on a little warning popping up is not the most reliable control.
So what should we be doing?
As an individual our advice would be to be very cautious over what extensions you install. Check the ones that are installed at the moment, and on a regular basis. Cull those that are questionable or that you don’t have a real need for.
As an organisation our advice would be to implement a whitelist policy. We like to treat extensions as an individual choice but they present risk to the organisational resources that the individual has access to. They fall outside of the traditional vulnerability management and anti-virus controls. With the device management controls you may have with Google Workspace and Microsoft 365 you can implement controls on the browser to only allow approved extensions. You can then implement a simple process for a user to request an extension, for it to be reviewed, and if it is acceptable for the extension to be added to the whitelist.
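As an added example (not code from the original article), a small Python audit that reads the manifest.json of every extension installed in a Chrome profile, scores the grants discussed in the permissions section above (cookies, web requests, all-sites access, screen capture) and flags anything missing from the organisation's approved list described in this paragraph. The extension ids, names, sample manifests and risk weights are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Grants that give an extension the powers described above: reading session
# cookies, seeing every request, injecting into any page (keystrokes, content),
# capturing screen or audio. Weights are this example's own judgement.
HIGH_RISK = {
    "cookies": 3, "webRequest": 3, "webRequestBlocking": 3, "debugger": 3,
    "desktopCapture": 3, "tabCapture": 3, "<all_urls>": 3, "*://*/*": 3,
    "scripting": 2, "clipboardRead": 2, "history": 1, "tabs": 1,
}

def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) and list the grants that matter."""
    grants = set(manifest.get("permissions", []))
    grants |= set(manifest.get("host_permissions", []))        # MV3 host access
    for script in manifest.get("content_scripts", []):          # injected pages
        grants |= set(script.get("matches", []))
    risky = sorted(g for g in grants if g in HIGH_RISK)
    return {"name": manifest.get("name", "?"), "risky": risky,
            "score": sum(HIGH_RISK[g] for g in risky)}

def audit_extensions(extensions_dir: Path, allowlist: set) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and rank by risk."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name           # 32-char Chrome extension id
        finding = assess_manifest(json.loads(path.read_text(encoding="utf-8")))
        findings.append({**finding, "id": ext_id, "approved": ext_id in allowlist})
    return sorted(findings, key=lambda f: (f["approved"], -f["score"]))  # worst first

# Constructed sample profile: two made-up extensions with made-up ids.
SAMPLE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Ad Blocker Plus Free",
        "manifest_version": 3, "permissions": ["cookies", "webRequest", "tabs"],
        "host_permissions": ["<all_urls>"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Dictionary Lookup",
        "manifest_version": 3, "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://dictionary.example/*"],
                             "js": ["lookup.js"]}]},
}

def demo() -> list:
    """Write the constructed sample to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE.items():
            d = Path(tmp, ext_id, "1.0_0"); d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(Path(tmp), allowlist={"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"})
```

On a real machine, point audit_extensions at the Chrome profile's Extensions folder; names there may be i18n placeholders such as __MSG_appName__, so cross-check the ids against the Manage Extensions page.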
Even these types of controls are limited though, and you need to consider whether a user could access sensitive resources from a personally owned device outside your control, or whether users might be installing and using different browsers that are outside of the policy. For a more robust approach you should consider ensuring all business work can only be accessed from a managed browser. There are some excellent solutions on the market like the one offered by Island.io (https://www.island.io/).
Whatever you do, treat these extensions with care. The browser is the saloon swing doors between you and the Wild West; the extensions are the bouncers on those doors; do you trust your bouncers to keep the bad guys out?
[1] Some of the risks to be aware of when “Signing in with” are covered in a different article: Why you should be very cautious before choosing to “Sign in with”