Malicious websites can exploit browser extension APIs to execute
code inside the browser and steal sensitive information such as bookmarks,
browsing history, and even user cookies.
The latter, an attacker can use to hijack a user's active login
sessions and access sensitive accounts, such as email inboxes, social media
profiles, or work-related accounts.
Furthermore, the same extension APIs can also be abused to
trigger the download of malicious files and store them on the user device, and
store and retrieve data in an extension's permanent storage, data that can
later be used to track users across the web.
These types of attacks are not theoretical but have been proven
in an academic paper published this month by Dolière Francis Somé, a researcher
with the Université Côte d'Azur and with INRIA, a French researcher institute.
Somé created a tool and tested over 78,000 Chrome, Firefox, and
Opera extensions. Through his efforts, he was able to identify 197 extensions
that exposed internal extension API communication interfaces to web
applications, allowing malicious websites a direct avenue to the data stored
inside a user's browser, data that under normal circumstances only the extension's
own code could have reached (when the proper permissions were obtained).
The French researcher says he was surprised by the results, as
only 15 (7.61%) of the 197 extensions were developer tools, a category of
extensions that usually have full control of what happens in a browser, and
would have been the ones that he expected were easier to exploit.
Around 55 percent of all the vulnerable extensions had fewer
than 1,000 installs, but over 15 percent had over 10,000.
Somé said he notified the browser vendors about his findings
before going public with his work in early January.
"All vendors acknowledged the issues," Somé said.
"Firefox has removed all the reported extensions. Opera has also removed
all the extensions but 2 which can be exploited to trigger downloads."
"Chrome also acknowledged the problem in the reported
extensions. We are still discussing with them on potential actions to take: either
remove or fix the extensions," he said.
The researcher also created a tool that lets users test if their
extensions also contain vulnerable APIs that can be exploited by malicious
websites. The tool is web-based and hosted on this page. To use it, users would
have to copy-paste the content of an extension's manifest.json file.
A page listing various demo videos is available here. More
details about Somé's work are available in a research paper entitled "EmPoWeb: Empowering
Web Applications with Browser Extensions," available for download in a PDF format from here or
here.
It would be highly impractical to list all the vulnerable
extensions in this article. Readers can find the list of vulnerable extensions
in tables at the end of the above-linked research papers.
Tags:
security