Threat in your browser: what dangers innocent-looking extensions hold for users

Discussion in 'malware problems & news' started by guest, Aug 16, 2022.

  1. guest

    guest Guest

    August 16, 2022
     
  2. guest

    guest Guest

    Malicious Browser Extensions Targeted Over a Million Users So Far This Year
    August 17, 2022
     
  3. guest

    guest Guest

    Malicious Google Chrome extensions affect 1.4 million users
    McAfee identified five malicious extensions that you should avoid, including Netflix Party.
    by Sabrina Ortiz, Associate Editor - August 31, 2022

    McAfee: Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
     
    Last edited by a moderator: Sep 3, 2022
  4. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    You see, this is what I'm talking about. It's time that browser developers are held accountable, because why on earth should extensions need so many permissions, how the heck could this extension modify cookies? So a more strict "extensions sandbox" should be developed and of course also a more thorough check for malicious extensions, because this stuff should never end up on extensions stores in the first place.
     
  5. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007 | Posts: 11,126 | Location: U.S.A. (South)
    100% with that opinion. No way on earth that hostile extensions should even find their place for download especially from that Chrome source.
     
  6. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    It would be nice to see better isolation between extensions and the browser, as long as it doesn't break the extension's functionality. Maybe that's not easily achieved. It's why I severely limit the number of extensions I use (currently only uBlockO) and use only well known reputable ones, which of course uBlock is, and even it to work properly requires Write permission to several locations.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    Seems it's very difficult to spot these malicious extensions in a timely manner, and what's even worse is that legit extensions can sometimes be modified when the author sells it to some shady company, so extensions need to be inspected with every new version.

    Yes, I mean it must be possible to limit damage that extensions can do, perhaps there needs to be more granular control, because now it's basically an "all or nothing" approach. Do extensions really need to connect out, or have access to cookies, or have access to passwords, know what I mean?

    I also try to limit my extensions, but I'm using a couple of ones that are not that widely used, and as mentioned above, at any given time the extension can be modified to perform malicious stuff, without users even noticing things. An extensions sandbox seems to be the only solution.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    A good way to get around malicious add-ons is using recommended add-ons in Firefox whenever possible. I guess that's not a 100% guaranty that no malicious add-on can slip through the cracks but the likelihood should be much smaller. There is no equivalent for Chromium-based browsers, AFAIK.
     
  9. longshots

    longshots Registered Member

    Joined: Oct 20, 2017 | Posts: 537 | Location: Australia
    I think we all agree about needing better, and stronger, isolation between extensions and browsers.
    But this is a them, and not us problem :- "as long as it doesn't break the extension's functionality"
    I say, so what if it does.
    We are all also aware that most of these extensions, and most other apps, require much more access than is necessary to perform their minuscule little task.
    Send it back to the developers telling them to change and improve their coding if they want to make their app available from "trusted sources for downloading software".
     
  10. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Then many extensions, even popular ones, will probably cease to exist.

    There are probably hundreds of extensions poorly coded, with more browser access than is required just like the ones mentioned in the article, so yes I agree these could be fired back to their developers for improved coding for better efficiency and/or to remove unnecessary access to certain areas of the browser, but I'm only speculating of course. We all know of an incredibly popular extension developed by a highly reputable developer: uBlock Origin. In a Linux Debian-based distribution for Edge browser, these are locations it requires access to, most are Read/Write, in a fairly granular AppArmor profile I finalized earlier this year:

    Code:
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.dbtmp" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.ldb" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.log" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.old" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/CURRENT" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/LOG" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/MANIFEST-*" ra,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/lost/" rw,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.log" rw,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/*.old" rw,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/CURRENT" r,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/LOG" rw,
      owner "/home/*/.config/microsoft-edge/Default/Managed Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/MANIFEST-*" ra,
      owner "/home/*/.config/microsoft-edge/Default/Sync App Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge/Default/Sync Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge/Webstore Downloads/cjpalhdlnbpafiamejdnhcphjbkeiagm_*.crx" rw,
      owner /home/*/.config/microsoft-edge/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm** rw,
    Is this browser interaction unreasonable? I know it's Linux but I'd say the requirements for Windows are likely similar, just that there will be some differences in the directory naming. My guess is the developer (a very talented one at that) did everything possible to code it as efficiently as possible without sacrificing the extension's functionality, and if he reduces the browser access for it, it will break its functionality, at least partly, which is probably not a good thing for an extension that makes browsing the web so much more pleasant than without it.
     
  11. guest

    guest Guest

    Browser extensions: more dangerous than you think
    Using the most common families of malicious extensions as an example, we explain what can go wrong after installing a browser plug-in.
    By Anastasia Starikova - September 9, 2022
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    Obviously, an extension's functionality should never break. But this is a good example of stuff that isn't needed in order for some extension to download pictures and videos from Instagram. How is stuff even allowed by Google? Why should it be able to track location and monitor keystrokes, clicks and network activity? And people also seem to complain that it changes the search engine.

    https://chrome.google.com/webstore/...der-fo/kggfegclemhiainkddbhhgobheohnjha?hl=en
     
  13. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Some of what I noticed from the article in mood's last post:

    **Underlining added by me.

    Besides downloading pirated and hacked software which results in them asking for trouble, why are people even downloading sketchy and gimmicky extensions to download music, videos and pictures in the first place?? Along with what I quoted, most people should know better. I mostly blame the end user for these malicious extensions ending up on their devices.

    The simple yet so far effective criteria I use with regards to browser extensions:

    1. Severely limit their number
    2. Install something useful, such as an ad blocker
    3. Install only from well known developers with a stellar history (IE: gorhill)
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    Well, at this point I'm starting to blame browser developers. Did you take a look at the Video & Photo Downloader For IG extension? You can't blame users for downloading such an extension, but why is it allowed to invade privacy like this? Its only job is to download pictures and videos, you really don't need all of these permissions for this, but Google allows it. And who knows how many of these shady extensions are present on the Chrome webstore.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    .. and - as mentioned earlier - install "recommended" add-ons in Firefox which "are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status. ... Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts." This applies to every update of those add-ons. I think this is probably the easiest and most reliable way to stay safe if it comes to installing add-ons.
     
  16. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Absolutely, and my point #3, which I should have clarified, was meant to imply this as well.

    Yes briefly, it looks gimmicky.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    Not sure what you mean with gimmicky, but I'm sure you are agreeing with me that it really doesn't need all of these permissions. Actually, I just took a look at the permissions that all of my installed extensions on Vivaldi need, and I also have my doubts about it. Why do they need access to my browser history? Like I said, browser developers should step up and develop some kind of "extensions sandboxing" module, similar to how they hardened the browsers with tab sandboxing.
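
An added example, not part of any post in this thread: a Python check for the permission review discussed above, which reads an extension's manifest and lists the sensitive API permissions and broad host patterns it requests, for both MV2 and MV3 layouts. The two manifests are constructed samples, and the `SENSITIVE_APIS` selection is an assumption, not an exhaustive list.

```python
import json

# Assumed, non-exhaustive selection of Chrome extension API permissions that
# expose cookies, history or traffic (the concerns raised in the thread).
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest",
                  "webNavigation", "scripting", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    """MV2 mixes host match patterns into "permissions"; MV3 splits them out."""
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest):
    """Return the sensitive APIs and broad host access one manifest requests."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("optional_permissions", [])
    hosts = list(manifest.get("host_permissions", []))       # MV3 only
    hosts += manifest.get("optional_host_permissions", [])   # MV3 only
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])                   # pages it runs in
    apis = []
    for entry in declared:
        if isinstance(entry, str):                           # skip object entries
            (hosts if is_host_pattern(entry) else apis).append(entry)
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "sensitive_apis": sorted(set(apis) & SENSITIVE_APIS),
        "broad_hosts": sorted(set(hosts) & BROAD_HOSTS),
    }


# Constructed sample manifests (not taken from any real extension).
SAMPLE_MV2 = {"name": "Constructed media downloader", "manifest_version": 2,
              "permissions": ["cookies", "history", "webRequest",
                              "downloads", "<all_urls>"]}
SAMPLE_MV3 = {"name": "Constructed narrow downloader", "manifest_version": 3,
              "permissions": ["downloads"],
              "host_permissions": ["https://media.example/*"]}

if __name__ == "__main__":
    for sample in (SAMPLE_MV2, SAMPLE_MV3):
        print(json.dumps(audit_manifest(sample)))
```

To review a real profile, load each `manifest.json` found under the profile's `Extensions` directory (the AppArmor rules earlier in the thread show that directory for Edge on Linux) with `json.load` and pass the result to `audit_manifest`.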
     
  18. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Of course, I agree with you there. By gimmicky I just mean they look like silly and unnecessary extensions.

    Access to browser history makes no sense to me.

    EDIT

    Actually uBlock Origin requires this same permission, so given the trustworthiness of its developer, I'd say there must be a good reason for it.
    Well I thought MV3 was supposed to address security concerns with extensions by preventing them to host remote code and access to user's sensitive data?
     
    Last edited: Sep 20, 2022
  19. Rmus

    Rmus Exploit Analyst

    Joined: Mar 16, 2005 | Posts: 4,020 | Location: California
    As one who has never installed a browser extension, I ask, Do extensions really make your life easier?

    -rich
     
  20. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Hello Rich,

    nice to see a post from you after more than a year :);) To answer your question, unfortunately, it doesn't make my life easier, but the one extension I use, uBlock Origin, does make browsing the Internet far more pleasant for me :D
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    No that's what I'm trying to explain, it's not silly at all. They give the ability to download pictures and videos from Instagram, very handy and many people use these kinds of extensions.

    I also wonder why uBlock needs access to browser history, to be honest. I don't see what this has to do with filtering ads and trackers. But what's also silly is that with a lot of extensions you will read that the developer has disclosed that it won't collect or use your data, but how do we know this for sure? We should just take their word for it, or what?

    I guess I need to read more about MV3, but if it seriously limits uBlock, I can't be a supporter. There must be another way to limit threats from extensions, and this feels like Google is using it as an excuse to cripple adblockers.
     
  22. digmor crusher

    digmor crusher Registered Member

    Joined: Jul 6, 2012 | Posts: 1,171 | Location: Canada
    I only use 3 extensions and they absolutely make my life easier, an adblocker, a password manager and an extension to make fonts darker. I would not go on the internet without an adblocker.
     
  23. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012 | Posts: 4,065 | Location: Canada
    Going on the recommendations to limit extension use as much as possible, I consider this type of "facilitator" extensions for pictures, music and videos to be unnecessary. Just my opinion, that's all.
    I think MV3 is going to severely limit all types of extensions. All we can do is deal with it as we see fit. In its current, very early experimental form, uBlockO Lite is doing not too badly at blocking ads in my usage. I don't know about the AdGuard extension, as I only tried it once a few weeks back.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined: Mar 16, 2005 | Posts: 4,020 | Location: California
    That sounds like a good reason!

    Thanks,

    -rich
     
    Last edited: Sep 22, 2022
  25. Rmus

    Rmus Exploit Analyst

    Joined: Mar 16, 2005 | Posts: 4,020 | Location: California
    Understood.

    Thanks for the explanation.

    -rich
     
    Last edited: Sep 22, 2022