Most of us have learned to be wary of unknown apps or emails with suspicious links. However, our digital vigilance doesn’t always extend to another critical threat: browser extensions. This handy little tool sits alongside the address bar in your browser, makes it easy to save passwords or pin pictures, and integrates your browser with other services you use. Yet browser extensions have been, and continue to be, a threat to our cybersecurity. This article, which gives an overview of browser extensions and the problems they present, is the first in a series of four articles on Chrome extension malware.
Before we get into the threats, a bit of background on how browser extensions came to be such a ubiquitous part of our digital lives. Browsers started off as simple software that displayed websites. As they grew into the multifunctional software we know today, they had to support ever more advanced abilities and features. Rather than slow browsers down by building support for a wide range of features into the browser itself, vendors introduced browser extensions.
According to Google’s official statement, “Extensions are small software programs that customize the browsing experience. They enable users to tailor Chrome [browser] functionality and behavior to individual needs or preferences. An extension must fulfill a single purpose that is narrowly defined and easy to understand. A single extension can include multiple components and a range of functionality, as long as everything contributes towards a common purpose.” In other words, extensions allow users to pick and choose additional features and functionalities and add them to a basic browser without slowing the browser performance.
From a security perspective, however, browser extensions posed a challenge. Although confined to the browser environment, they are simple to install and require neither elevated privileges nor a digital certificate. In addition, the continuing shift towards web and cloud-based products means that browser extensions increasingly handle, and are exposed to, sensitive data, making them a highly attractive attack surface for threat actors. Cisco’s 2016 annual security report found that 85% of the organizations sampled in its study were affected by malicious browser extensions.
Chrome extensions (CRX) are available to users through the Chrome Web Store. Before being published in the store, they do go through a vetting process that includes static and dynamic analysis, as well as safe browsing checks on the examined file. According to Google, 10% of the extensions examined were detected as malicious in the first three years of using this evaluation process.
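As an added illustration of the static side of such vetting (example code written for this article, not Google's review tooling), the following triages a constructed extension manifest for permissions that grant broad access to browsing data. The risk labels and the sample manifest are this example's own assumptions; the manifest keys (`permissions`, `host_permissions`, `content_scripts`) are the real Chrome manifest fields.

```python
import json

# Permissions that expose browsing data or session state. The descriptions
# are this example's own risk notes, not a Google classification.
HIGH_RISK = {
    "cookies": "read/modify cookies (session tokens)",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or block every request",
    "tabs": "read URLs and titles of all open tabs",
    "history": "read browsing history",
    "clipboardRead": "read clipboard contents",
    "debugger": "attach the DevTools debugger to pages",
}


def broad_hosts(patterns):
    """Return match patterns that cover every site, e.g. <all_urls> or *://*/*."""
    return [p for p in patterns
            if p == "<all_urls>"
            or p.startswith(("*://*/", "http://*/", "https://*/"))]


def triage_manifest(manifest):
    """Return a list of findings for one manifest.json (MV2 or MV3 layout)."""
    findings = []
    perms = manifest.get("permissions", [])
    # MV3 lists host patterns under host_permissions; MV2 mixed them into
    # permissions, so split those out by shape. Copy to avoid mutating input.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for p in perms:
        if p in HIGH_RISK:
            findings.append(f"permission {p}: {HIGH_RISK[p]}")
    for h in broad_hosts(hosts):
        findings.append(f"host access {h}: can read and alter every page")
    for cs in manifest.get("content_scripts", []):
        for m in broad_hosts(cs.get("matches", [])):
            findings.append(f"content script injected on {m}")
    return findings


# Constructed sample: a "note-taking" extension whose permissions far
# exceed the single purpose it claims.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Quick Notes (constructed sample)",
  "permissions": ["storage", "cookies", "webRequest", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["notes.js"]}]
}""")

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run against a real extension directory, the same function applied to each manifest.json gives a SOC a quick list of extensions whose requested access does not match their stated purpose.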
Google’s gatekeeping efforts, covered in further detail in the next article in the series, have limited the ability of attackers and threat actors to use Chrome extensions as malware. However, as with the Google Play Store, they are not foolproof. Malicious extensions can and do still find their way into the Chrome Web Store and from there into victims’ browsers. For example, in July 2019, CamScanner had 100 million downloads before it was detected and removed from the Chrome store. The app, which allows users to digitize paper documents and then auto-crop and enhance image quality, enjoyed great popularity for its niche value. However, it was identified as being used to inject malware on the phones of millions of users before Google removed the app from the Play Store.
Security solutions and the SOC teams that manage them offer limited coverage of this threat, largely because of a mindset that treats browser extension malware as a low-priority concern. The threat landscape for extension malware calls for a different approach if malicious CRXs are to be prevented from breaching the organization’s security perimeter. In the next blog in the series we address the growth of Chrome extension malware and its expanding threat landscape.