A Trojan Horse: Protecting Yourself from Malicious Browser Extensions

By Hen Porcilan

April 7, 2021

Hundreds and even thousands of popular browser extensions are available that support a variety of useful functions, from ad blocking and cookie management to text translation, grammar correction, and password management. Most users are accustomed to using these extensions for a wide range of both personal and work-related activities. But sometimes browser extensions do more than they claim to do.

Unfortunately, the browser extension platform can be a “Trojan Horse” used to conduct attacks such as phishing, spying, DDoS, email spamming, affiliate fraud, malvertising, payment fraud, and more.

For example, researchers at security firm Avast recently identified 28 malicious third-party browser extensions for Google Chrome and Microsoft Edge – targeting users of Instagram, Facebook, Vimeo and others. These extensions spread additional malware, steal information, and manipulate the victim’s search results – and they have already been downloaded about 3 million times.


How Malicious Browser Extensions Work

There are several ways “healthy” browser extensions can turn into malicious extensions. Sometimes, the extensions are hijacked by malicious actors, and the next time the extensions are automatically updated they are easily turned into malware. Alternatively, the browser extension can be developed from the get-go by people with malicious intent.

Some malicious browser extensions track browsing histories, obtain access to a victim’s camera and photos, collect personal information like credentials, or get into the victim’s email or other sensitive data. Others may contain malicious code that allows the download of additional malware to the victim’s device.

Some can manipulate the links that victims click on – leading them to phishing sites and ads. (Phishing has been one of the top methods of attack throughout the COVID-19 pandemic.) Specifically, victims are redirected to a hijacked URL before being sent back to the website they intended to visit.


Best Practices for Managing Browser Extensions

Protecting organizations from malicious browser extensions is a key IT management process that can be approached from several different angles.

The first step in the process involves conducting an audit – identifying which extensions each employee uses. You can use an extension report API to export extension data and map out all extensions used in the company. For example, Google offers Chrome Browser Cloud Management for this purpose.

The second step involves limiting which extensions are used across the organization. You can decide to block browser extensions or force an uninstall. Identifying which extensions to remove can be done in a variety of ways, for example:

  • Using blacklists and whitelists, i.e., lists of extensions (by name or ID) that are forbidden or permitted
  • Reviewing and evaluating extensions by permissions or behaviors, e.g., allowing extensions with read-only behaviors but not those with access to the employee’s camera or other sensitive capabilities
  • Implementing “block by runtime host,” i.e., not allowing extensions to run on sites that hold certain kinds of information, such as sensitive client data

(You can read more in this guide by Google or watch this webinar).
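As an added example (not code from the original post or from CyberProof), here is a small Python audit helper that applies the three selection methods above, allowlist/blocklist by ID, permission review, and blocking by runtime host, to an extension inventory. The extension IDs, names, internal hostnames and the set of permissions treated as sensitive are constructed assumptions.

```python
# Added example, not code from the original post or from CyberProof. The IDs, names,
# internal hostnames and the "sensitive" permission set below are constructed placeholders.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "history", "cookies",
                         "clipboardRead", "nativeMessaging", "debugger", "tabs"}
# Hosts holding sensitive client data; an extension whose host pattern reaches one of
# them is blocked outright (the "block by runtime host" idea). Assumed example hosts.
SENSITIVE_HOSTS = ("crm.corp.example", "payroll.corp.example")
POLICY = {"allow": {"a" * 32},    # allowlist by extension ID (Chrome IDs are 32 letters)
          "block": {"b" * 32}}    # blocklist by extension ID

def host_matches(pattern, host):
    """True if a Chrome match pattern ('*://*.x.example/*', '<all_urls>') covers host."""
    if pattern == "<all_urls>":
        return True
    hostpart = pattern.split("://", 1)[-1].split("/", 1)[0]   # drop scheme and path
    if hostpart == "*":
        return True
    if hostpart.startswith("*."):
        return host == hostpart[2:] or host.endswith(hostpart[1:])
    return host == hostpart

def evaluate(ext, policy=POLICY):
    """Decide allow / review / block for one inventory entry, with the reasons."""
    if ext["id"] in policy["block"]:
        return "block", ["on blocklist"]
    if ext["id"] in policy["allow"]:
        return "allow", ["on allowlist"]
    # MV2 manifests mix host patterns into "permissions"; MV3 uses "host_permissions".
    declared = ext.get("permissions", []) + ext.get("host_permissions", [])
    patterns = [p for p in declared if "://" in p or p == "<all_urls>"]
    reached = sorted({h for p in patterns for h in SENSITIVE_HOSTS if host_matches(p, h)})
    if reached:
        return "block", ["reaches sensitive hosts: " + ", ".join(reached)]
    risky = sorted(SENSITIVE_PERMISSIONS & set(declared))
    if risky:
        return "review", ["sensitive permissions: " + ", ".join(risky)]
    return "allow", ["no sensitive permissions or hosts"]

# Constructed inventory in the shape an extension report export might give.
INVENTORY = [
    {"id": "a" * 32, "name": "Approved Translator",
     "permissions": ["activeTab", "storage", "<all_urls>"]},
    {"id": "c" * 32, "name": "Coupon Helper",
     "permissions": ["tabs", "webRequest"], "host_permissions": ["*://*.corp.example/*"]},
    {"id": "d" * 32, "name": "Dark Theme",
     "permissions": ["storage", "tabs"], "host_permissions": ["*://news.example/*"]},
]

def audit(inventory=INVENTORY, policy=POLICY):
    # Map extension ID to its decision so the result can be fed into a browser policy.
    return {ext["id"]: evaluate(ext, policy)[0] for ext in inventory}
```

Calling `audit()` yields allow for the allowlisted translator, block for the coupon extension (its host pattern covers the internal hosts) and review for the theme (it requests `tabs`); in Chrome's enterprise ExtensionSettings policy the host-based block corresponds to the `runtime_blocked_hosts` setting.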

Finally, the most significant of the “Best Practices” involves raising awareness by training your employees.


How to Train Your Employees to Minimize Your Risk

While it’s hard to eliminate the risk of malicious browser extensions completely, here are four ways that employees in your organization can be trained to adapt their use of browser extensions and help you reduce the risk:

  • Reduce the number of extensions. Limit how many extensions employees keep installed on their devices. An extension that is rarely used should be uninstalled.
  • Identify the source. Encourage employees to install extensions only from the official extension store (for example, for Chrome, https://chrome.google.com/webstore/category/extensions), because the store performs some basic verification. This does not make you 100% safe, but it is a first step. In the store, employees should choose only extensions developed by companies that are trustworthy. Extensions created by big-name companies are less likely to be problematic than those provided by small businesses or unknown individuals. (But beware of spoofed names, such as gOgle instead of Google.)
  • Notice the permissions. Employees should be aware that some browser extensions demand more in the way of permissions than others do. There are two levels of permissions: website permissions, and device permissions. In theory – but only in theory – an extension that modifies a single website should not require access to anything else on a device. But this advice is of limited practical use, as there are many legitimate extensions that require extensive permissions.
  • Use extensions that improve privacy. Ironically, browser extensions themselves can be part of the solution. See this TechCrunch article about 6 extensions designed to improve online privacy.

Particularly with many employees working from home, training and awareness are key to allowing an organization to stay safe.

Want to learn more about how to protect your organization from cyber threats? Contact CyberProof today!

Written by Hen Porcilan

Hen Porcilan is a Senior Security Analyst at CyberProof. Prior to working at CyberProof, he was a cyber security analyst for Bank Leumi. Hen has an MBA and a bachelor’s degree in Computer Science from the College of Management Academic Studies. As part of his academic studies, Hen was part of a group of researchers that explored approaches to protecting users from PRMitM and published “The Password Reset MitM Attack” (Gelernter et al., IEEE Security and Privacy 2017). The research established that password-reset processes on many popular sites are vulnerable, designed processes for password reset that offer better protection, and evaluated each process using real Google and Facebook users with excellent results.