Malicious Browser Extensions
Executive summary
Browser extensions, while offering enhanced functionality, pose significant security risks that are often overlooked by users and businesses alike. These extensions can act as silent spies, tracking online activity, altering website content, and even stealing sensitive information through API interception. The security gap is exacerbated by the fact that many extensions require extensive permissions, allowing them to monitor and manipulate user data without detection. Despite these dangers, users frequently install these extensions without fully understanding the implications. Businesses must recognize that they cannot control the browser environment of their users, making it critical to implement robust security measures to protect their web assets. Codesealer addresses this challenge by offering a multi-layered security approach that restricts API access, encrypts communications, and ensures application integrity.
What are browser extensions?
Browser extensions are software add-ons that enhance the functionality of your web browser. They can assist with tasks like note-taking, managing to-do lists, setting up VPNs, and much more. You can download them from both official web stores and other unofficial sources. And of course, not all extensions are safe. When you install an extension, you grant it various permissions, such as access to your browsing history and actions. Some extensions are designed with malicious intent, using backdoors to steal information, manipulate your data, or even capture sensitive information from APIs.
How Bad Can They Be?
Did you know that browser extensions can act as silent spies, tracking your every move online? Many extensions request permission to “Read and change all your data on all websites.” Most users don’t fully understand the implications of this. By granting these permissions, you’re giving the extension—and its creators—full access to your browsing activity, including any data you enter on websites. These extensions can also inject ads, modify links, and even alter the content you see. Despite these risks, users often click “Yes” because the extension won’t function without these permissions, making it seem essential.
The dangers extend beyond the initial installation. Over time, the purpose and security of an extension can change. An extension that was once safe might become malicious if the ownership changes and the code is updated with harmful features. Unfortunately, web stores typically do not monitor extensions for unintended or malicious functionality, and the reviews are often moderated by the plugin owners themselves. This creates a significant security gap, making it important for users to be cautious about what they install.
In 2022, an independent security researcher discovered over 34 malicious browser extensions on the Google Web Store, with a combined total of over 87 million downloads. It all started with a PDF Toolbox extension that was a reputable plug-in for PDF conversion with almost 2 million downloads. The researcher found a suspicious script that was contacting an external server and then loading arbitrary code on all pages viewed by the user. He then started checking other extensions in the Google Web Store and found even more extensions with similar malicious functionality. These extensions were available for more than 6 months, and the reviews were moderated to keep more people downloading the malware.
Capturing Sensitive Information from APIs
Extensions can also intercept and monitor API requests and responses that happen in the browser. Malicious extensions exploit this capability to capture sensitive data transmitted between websites and servers. Extensions can use APIs like chrome.webRequest or browser.webRequest to monitor, intercept, and modify network requests and responses. Extensions can also access browser storage mechanisms such as cookies, localStorage, and sessionStorage, where sensitive information is often stored. For example, a session hijacking attack would happen like this: a user logs into an online banking site, and at the same time the malicious extension intercepts the API requests containing the session cookies. The attacker can then use these session cookies to impersonate the user, gaining unauthorized access to their bank account.
Another example is a data exfiltration attack, in which an extension monitors all API responses from, for instance, a healthcare website. Sensitive medical records or personal health information can be captured and sent to an attacker’s server, violating privacy laws and exposing personal data. Or consider a credential harvesting attack, in which a user enters their login credentials on a corporate intranet site and the extension intercepts the API request containing these credentials. The credentials are then sent to the attacker, leading to unauthorized access to corporate systems and potential data breaches. And finally, an example of a data theft attack is an extension that monitors form submissions on e-commerce websites, capturing sensitive information such as credit card details, addresses, and other personal information entered by the user.
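The permission combinations described above (“Read and change all your data on all websites” together with webRequest or cookie access) are visible in an extension’s manifest.json before it is ever installed, so a reviewer or browser administrator can triage them mechanically. The script below is an added example written for this article, not Codesealer’s code or any real extension’s code: it takes a parsed manifest (Manifest V3, with a fallback for the V2 layout where host patterns sit inside "permissions") and reports the capabilities that should be justified before the extension is allowed in a managed browser. The permission list is an illustrative subset chosen for this example, and the two sample manifests are constructed, not taken from any real extension.

```javascript
// Manifest triage for browser extensions. Added example, not Codesealer's code.
// Input: a parsed manifest.json object. Output: a risk score plus the findings
// a reviewer should justify (broad host reach, request/storage interception).

// Host patterns that cover every site the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Illustrative subset of permissions that allow observing or altering traffic,
// stored secrets, or page content (assumption: list chosen for this example).
const HIGH_RISK_PERMISSIONS = {
  webRequest: "can observe every network request and response header",
  webRequestBlocking: "can block or rewrite requests in flight (Manifest V2)",
  declarativeNetRequest: "can redirect or modify requests by rule",
  cookies: "can read and set cookies for matching hosts",
  scripting: "can inject code into pages at runtime",
  tabs: "can read URLs and titles of all open tabs",
  debugger: "can attach the DevTools protocol to tabs",
  nativeMessaging: "can talk to native binaries outside the browser sandbox",
};

// Permissions that, combined with broad host reach, match the interception
// scenarios described in the text (session cookies, API payloads, form data).
const INTERCEPTION_PERMISSIONS = ["webRequest", "webRequestBlocking", "cookies", "scripting", "debugger"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

function looksLikeHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  const findings = [];
  const rawPermissions = manifest.permissions || [];

  // MV2 mixes host patterns into `permissions`; MV3 uses `host_permissions`.
  const perms = rawPermissions.filter((p) => !looksLikeHostPattern(p));
  const hosts = [...(manifest.host_permissions || []), ...rawPermissions.filter(looksLikeHostPattern)];

  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, why: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  for (const h of hosts) {
    if (isBroadHost(h)) {
      findings.push({ kind: "host", value: h, why: "applies to every website the user visits" });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        findings.push({ kind: "content_script", value: m, why: "script runs inside every page's DOM" });
      }
    }
  }

  // "high" only when the extension both reaches every site AND can intercept
  // requests, cookies or page content; isolated findings are "medium".
  const hasBroadReach = findings.some((f) => f.kind === "host" || f.kind === "content_script");
  const hasInterception = perms.some((p) => INTERCEPTION_PERMISSIONS.includes(p));
  let score = "low";
  if (hasBroadReach && hasInterception) score = "high";
  else if (findings.length > 0) score = "medium";
  return { score, findings };
}

// Constructed sample manifests (not from any real extension).
const sampleBenign = {
  manifest_version: 3,
  name: "Notes",
  permissions: ["storage"],
  host_permissions: [],
};
const sampleRisky = {
  manifest_version: 3,
  name: "PDF Helper",
  permissions: ["webRequest", "cookies", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Usage: print both reports when run directly with Node.
for (const m of [sampleBenign, sampleRisky]) {
  const report = auditManifest(m);
  console.log(`${m.name}: ${report.score}`);
  for (const f of report.findings) console.log(`  [${f.kind}] ${f.value}: ${f.why}`);
}
```

The scoring deliberately keys on the combination the text warns about rather than on any single permission: an extension with webRequest access but no broad host pattern, or with broad host access but only "storage", is flagged for review but not treated as an interception risk. The same routine can be run over the manifests of every extension installed in a fleet to build an allowlist.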
Mitigation strategies
Browser extensions can cause a lot of trouble for your web services. You cannot control the user’s browser or the way they interact with your website. Most mitigation strategies address end users and instruct them to verify an extension before downloading it, enable it with caution, and regularly review the plug-ins they have installed. However, business owners also need to take action to protect their web assets against the risks coming from malicious extensions. Codesealer solves this problem by offering an API access restriction feature. APIs can only be accessed through a valid Codesealer session, ensuring that only authorized sessions can interact with the APIs and thereby preventing browser extension access. By encrypting all API communications, Codesealer conceals valuable information from potential attackers, obscuring API payloads and responses to prevent direct access, with no code changes required. This encryption creates a secure communication channel that protects the integrity and confidentiality of data as it travels between the client and server.
Codesealer’s multi-layered security approach enhances protection beyond the API level. Our client-side Bootloader ensures application code integrity before execution, preventing unauthorized modifications. Once the application is running, it establishes a secure end-to-end (E2E) tunnel that encrypts all data, rendering it inaccessible to attackers. This comprehensive protection not only guards against API-specific threats but also secures application code and data.
With Codesealer’s advanced security measures, high-profile incidents related to APIs could have been mitigated. Our solution would have shielded many companies from the fallout of data breaches and legal repercussions by maintaining robust API encryption and security.