Threat in your browser: what dangers innocent-looking extensions hold for users

Discussion in 'malware problems & news' started by guest, Aug 16, 2022.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Fantastic to see you again @Rmus :thumb: Your absence has been keenly felt.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi, Easter, I see you have been busy!

    How are you with extensions?

    -rich
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but that depends on whether you need them or not. Like I said, if you're on Instagram, these extensions are a must if you like to collect pictures and videos, not any different than downloading videos from YouTube. The problem is, unlike with YouTube there aren't any good third party apps that offer Instagram downloading features, so extensions are the best choice.

    But anyway, here are a couple of other examples of 2FA extensions that for some reason need or want to collect a whole lot of info about you. They both need to collect passwords and credentials, is this some kind of joke? And they may also collect emails, text messages and chats. How does Google even allow this? Even if these are trusted or recommended extensions, I still wouldn't be using them.

    https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
    https://chrome.google.com/webstore/detail/2fa-authenticator-app/gmohoglkppnemohbcgjakmgengkeaphi
     
    Last edited: Sep 22, 2022
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I don't think anyone could, realistically.
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    ooops, "an" adblocker, disappointed I missed that, I usually don't approve of improper punctuation and spelling. :thumbd:
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    Absolutely. The internet is dangerous and almost unusable without one.
     
  7. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's OK, I'm not the grammar police lol. Grammar's only a convention anyway.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, speaking of extensions that you probably don't really need since most Chromium browsers already have a "hibernate background tabs" function, I found Session Buddy and OneTab. The latter claims that it doesn't collect any data, but it's not clear if it needs certain permissions. While Session Buddy collects your web history and a whole lot of other stuff. I really don't see why this is necessary and why Google allows this. And keep in mind, millions of users are using these extensions.

    https://chrome.google.com/webstore/detail/session-buddy/edacconmaakjimmfgnblocblbcdcpbko?hl=en
    https://chrome.google.com/webstore/detail/onetab/chphlpgkkbolifaimnlloiipkdnihall?hl=en
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Yeah I suspect this is a serious problem with most extensions these days.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    at first - the google store is responsible for extension security. its checks are very poor in comparison to firefox addons page. so anyone can insert such extensions.

    the second - extensions are limited by API - or don't you think that MV3 is best example?

    next - chrome and similar have strict site isolation and since 2021 extension isolation. but that's minor.

    "life" is the wrong term. it makes working with the used browser in parts more convenient. my life did not change a bit with using extensions. and yes, in special for ad blockers those are highly recommended. but not any crappy ad blocker, there are only few sophisticated. no antivirus can do same, none.

    for the given example "2FA Authenticator app" - this is seriously stupid to access a page with 2fa and perform 2fa in same browser. even 2fa on same machine is wrong. but those are basics and any serious bank, whatever similar, will explain it to you. and it also could be questionable to perform 2fa on another device, where social media is present - could go worse.

    for chrome it is possible to limit extensions to sites, appreciated.

    at least it's demand and supply like any market.
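
The API limits and per-site restriction mentioned in the post above both start from what an extension declares in its manifest.json. As an added example (not part of any post in this thread), this Node.js function audits a manifest for all-sites host access and sensitive API permissions; the two sample manifests and the list of APIs treated as sensitive are constructed for illustration.

```javascript
// Added example: flag broad site access and sensitive APIs in an extension manifest.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumption: this shortlist of permissions is the reviewer's own choice.
const SENSITIVE_APIS = new Set([
  "cookies", "history", "webRequest", "clipboardRead", "debugger", "management",
]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions".
  const hosts = [...perms.filter(isHostPattern), ...(manifest.host_permissions || [])];
  for (const h of hosts) {
    if (BROAD.has(h)) findings.push({ level: "high", item: h, why: "host access to every site" });
  }
  for (const p of perms) {
    if (SENSITIVE_APIS.has(p)) findings.push({ level: "medium", item: p, why: "sensitive browser API" });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      // A content script can read the DOM of every page it matches, form fields included.
      if (BROAD.has(m)) findings.push({ level: "high", item: m, why: "content script on every page" });
    }
  }
  return findings;
}

function summarize(manifest) {
  const f = auditManifest(manifest);
  const count = (level) => f.filter((x) => x.level === level).length;
  return { name: manifest.name, high: count("high"), medium: count("medium") };
}

// Constructed sample manifests (hypothetical extensions, not ones named in the thread).
const broadManifest = {
  manifest_version: 3, name: "Sample Tab Saver",
  permissions: ["storage", "history"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const scopedManifest = {
  manifest_version: 3, name: "Sample Site Helper",
  permissions: ["storage"], host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

console.log(summarize(broadManifest), summarize(scopedManifest));
```
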
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have looked it up, but I doubt it will limit the capabilities of extensions to collect data.

    https://www.chromestory.com/2021/05/strict-extension-isolation/
    https://www.techvisibility.com/2021...ct-extension-isolation-expect-safer-browsing/

    No not really, 2FA on the same machine can be secure, it depends on how it's implemented. But I also have my doubts about these 2FA extensions though. But anyway, this is off topic.
     
  12. guest

    guest Guest

    Google Chrome extension used to steal cryptocurrency, passwords
    By Bill Toulas @billtoulas - November 21, 2022
    Avast: ViperSoftX: Hiding in System Logs and Spreading VenomSoftX
     
  13. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Don't know about pictures, but the command line program yt-dlp has support for downloading videos from Instagram (and more than 1500 other sites).
    If you're not comfortable with the command line, there are GUI wrappers as well.
     
  14. guest

    guest Guest

    Backdoored Chrome extension installed by 200,000 Roblox players
    By Ax Sharma @Ax_Sharma - November 23, 2022
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, will check it out. But for now I'm using certain websites.

    But what I still don't get is how extensions have access to your browser passwords, how is this possible?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.invicti.com/learn/html-injection/
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I can only repeat what I wrote here: Use recommended add-ons in Firefox. They are not only reviewed once when they receive the recommended status but also with every new release. Again, this is probably not an absolutely 100% guarantee that the add-on is safe. However, the reviewers are experienced people who know what to look after. I definitely think that this is the best and easiest way to protect oneself against harmful add-ons.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as browser extensions go, none can be fully trusted:
    https://www.catonetworks.com/blog/t...ail-to-detect-24-malicious-chrome-extensions/
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Adding to my previous posting about browser add-on/extension trust: the apps can be and are sold by the original developers, i.e. Extension Rights Acquisition. Such was the case with the popular Decentraleyes app that was sold a while back to another developer of questionable origins with the security community recommendation not to use the app anymore.
     
    Last edited: Dec 4, 2022
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There is factual substance to this comment.

    Here is Mozilla's policy in regards to add-on reviews: https://extensionworkshop.com/documentation/publish/add-on-policies/ . Of note is the requirement that source code must be provided.

    Here's a posting from someone ranting about the source code review process: https://discourse.mozilla.org/t/fir...ng-and-firefox-is-a-lost-cause-im-out/98518/2. Of note is this statement:
    which is one explanation for the high incidence of malicious Chrome extensions.
     
  21. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Not that I use Decentraleyes any more (LocalCDN is much better), but I can't find any reference that it has been sold.
    Author was and still is Thomas Rientjes (@Synzvato).
    But last update was 10 months ago...
    https://git.synz.io/Synzvato/decentraleyes.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I guess I stated this wrong. Decentraleyes is no longer being updated by the original developer and it's been this way for a while. In fact its repository over at GitHub is now archived. Someone else would have to take over the updating and whomever that was prompted questions being raised about integrity.
     
    Last edited: Dec 5, 2022
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Krebs has a good article on extensions:
    https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is also confirmed by this documentation which clearly says:
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @wat0114 , sorry for the late reply. I had planned to comment earlier but forgot about it. So finally just my 2 or 3 cents:

    1. These granular rules are surely feasible if you're using just one add-on (uBO in this case). With many add-ons it would become rather messy, IMO.
    2. But the question is: what do you expect to achieve with those rules? Remember that those rules apply to the respective executable (i.e. the browser) and not to the add-on itself. Which means that they will not confine the add-on itself. It will not be able to access any sensitive files/folders on your system - but this is true even without those fine-grained rules as the boundaries defined by the AppArmor profile for Edge also limit what the add-on can do. But they will not prevent the add-on doing anything malicious within the browser (and I think this is what we're discussing here).
    3. Those rules will probably prevent that the browser can read/use an add-on which was (unnoticedly) installed by a 3rd-party program. I think that there exist such programs on Windows - but AppArmor is not available on that platform. And on Linux I've never seen or heard about such behaviour - and I'm very sure that no package in the official repositories of a Linux distro will ever do this.

    So I question a bit the value added by those fine-grained rules. But perhaps I'm missing the forest for the trees. ;)
     