The danger of browser extensions

You're probably familiar with browser extensions, something most of us use every day. They add useful functionality, but at the same time, are a threat to both your privacy and security. Let's discuss what's wrong with them and how you can ensure the protection of your devices. First, let's understand exactly what extensions are.

What are browser extensions and why do you need them?

An extension is like a plugin for your browser, that adds certain features to it. Extensions can modify the user interface or add some web service options.

For example, extensions are used to block ads, translate text, or add pages to other note services such as Evernote or Pocket. The extensions are many - there are hundreds or even thousands - for productivity, customization, shopping, gaming, and more.

Almost all popular browsers support extensions - you can find them in Chrome and Chromium, Safari, Opera, Internet Explorer, and Edge. They are widely available and some are quite useful so, many people end up using several of them.

What can go wrong with the extensions?

Malicious extensions

First of all, the extensions can be purely malicious. This is mostly the case with those that come from third-party websites, but sometimes - as in the cases of Android and Google Play - malware infiltrates official shops as well.

For example, researchers recently discovered four extensions in the Google Chrome Web Store that seemed harmless reminder apps, but were actually caught generating profits for their creators by secretly clicking on paid-per-click ads.

How can an extension do something like this? Well, to do anything, an extension requires permissions. The problem is that among the browsers commonly used by people, only Google Chrome asks the user whether they can grant these permissions; others allow extensions to do whatever they want by default, and the user has no choice.

However, even in Chrome this permission management exists only in theory - in practice, it doesn't work. Even the most basic extensions usually require permission to "read and modify all of your data on the sites you visit," which gives them the power to do virtually whatever they want with your information. And if you don't grant that permission, they won't be installed.

We stumbled upon another example of malicious extensions some time ago - they were being used by criminals to spread malware on Facebook Messenger.

Kidnapping and buying extensions 

Browser extensions are an interesting target for criminals, because many have huge user bases. And they are updated automatically - if a user has downloaded a harmless extension, it can be updated to become malicious; this update would be downloaded to the user immediately - he may not even notice it.

A good developer wouldn't do that, but his account could be hijacked and a malicious update made available at the official store on his behalf. This is what happened when criminals used phishing to get access credentials from the developers of a popular plugin called Copyfish. In this case, the plugin, that originally provided visual recognition, was used by criminals to distribute additional ads to users.

Sometimes developers are approached by companies, that offer to buy their extensions for very attractive amounts. Extensions are often difficult to monetize, which is why developers often rush to make these deals. Once the company has purchased the extension, it can update it with malicious features, and this update will be forced on users. For example, this is what happened with Particle, a popular Chrome extension to customize YouTube, that was abandoned by developers. One company bought it and immediately turned it into adware.

Not malicious, but dangerous

Even extensions that are not malicious can be dangerous. The danger appears because most of them have the ability to collect a lot of data about users (remember the permission to "read and modify all your data on websites you visit"). To ensure your livelihood, some developers sell anonymous collected data to third parties. This is usually mentioned in the End User License Agreement (EULA) of the extension.

The problem is that most of the time this data does not become sufficiently anonymous, which leads to serious privacy issues: whoever purchased the data can identify the users of the plugin. This has happened with the Web of Trust - plugin that was once very popular for Chrome, Firefox, Internet Explorer, Opera, Safari and other browsers. The plugin was used to evaluate sites based on popular opinion. In addition, the extension collected the entire browsing history of its users.

A German website claimed that the Web of Trust was selling the collected data to third parties without making it properly anonymous, which caused Mozilla to remove the extension from its store. Then, the creators of the extension removed it from all other browser stores. However, a month later the extension was back. The Web of Trust is not a malicious extension, but it can harm people by exposing their data to someone that shouldn't know what sites users visit and what they do there.

How to use the extensions safely?

Despite the fact that extensions can be dangerous, some of them are really useful, which is why you probably won't want to abandon them completely. I still use at least half a dozen of them, and I'm sure two of them use the "read and modify" permission mentioned above.

It may be safer not to use them, but this is inconvenient, so we need a way to use extensions more or less safely. Here's how:

• Don't install too many. They not only affect the performance of your computer, but are a potential attack vector, so limit their amount to only a few of the most useful.

• Install only from official stores. There, they go through analyses in which security experts filter out those that are malicious, from head to toe.

• Pay attention to the permissions that extensions require. If an extension already installed on your computer asks for a new permission, it should immediately get your attention; something is probably happening. This extension may have been hijacked or sold. And before installing any extension, it's always a good idea to look at the required permissions and reflect whether they match the application's functionality. If you can't find a logical explanation for the permissions, it's probably best not to install it.

• Use a good security solution. Kaspersky Internet Security can detect and neutralize malicious code in browser extensions. Our antivirus solutions use a vast database of malicious extensions that is frequently updated - and we discover new malicious Chrome extensions almost daily.

Reproduced from: https://www.kaspersky.com.br/blog/browser-extensions-security/11948/

Translated from: https://www.perallis.com/news/o-perigo-das-extensoes-de-navegadores