Stop Malicious Browser Extensions from Becoming an Attack Vector

by Talon Research
March 9th, 2022

In an earlier post, we explained how Chromium-based browser extensions can be risky and possibly cause data leakage. Targets can include individual users as well as enterprises located anywhere in the world.  

Here we present two cases from the past few months. The first pertains to data-stealing malware, while the other details a popular, unpatched application. 

Malware extensions affect Brazilian banking customers 

The first example refers to the so-called “Chaes” banking trojan that has infected customers of several Brazilian financial entities. Making use of several popular scripting frameworks, in part it uses malicious Chrome extensions to collect users’ login credentials, credit card numbers, and other financial data. 

The malware installation starts when a user visits one of over 800 infected WordPress sites. A pop-up prompts them to run an application that kicks everything off. As it nears completion, it installs a series of malware Chrome extensions.  

Source: The Hacker News

Researchers stated that “Chaes exploits many websites containing CMS WordPress to serve malicious installers… The Google Chrome extensions are able to steal users’ credentials stored in [the browser] and collect [their personal] information from popular banking websites.” 

Skype extension exposed users’ private details 

Remaining a security and privacy risk, Microsoft’s Skype extension for Chrome wasn’t maintained for years and all its functionality was broken. Recently Wladimir Palant, an independent researcher, discovered a privacy bug in the browser plugin that puts millions of users at risk of having their account information leaked. After publicly revealing it on Twitter, he also reported its fix. 

A few hours later, he detailed the story on his blog: 

“One particularly problematic issue allowed every website to trivially learn your identity if you were logged into your Microsoft account, affecting not merely Skype users but also users of Office 365.”  

As Palant’s March 1 disclosure deadline for Microsoft drew nearer, its Skype extension finally got updated on February 24th. 

Conclusion 

Security events can occur accidentally – as with Skype, or by way of malicious extensions that are deliberately spread by bad actors as shown in the Brazilian banking example.  

But security issues related to Chrome extensions aren’t limited to any one specific region or application. Left unchecked, their use can present high risk for any enterprise. Thus, it’s extremely important to manage them well—including having complete visibility of potential extension risks at every enterprise endpoint.  

TalonWork is highly secure, Chromium-based browser that provides the best way to monitor and manage extensions in your organization. It identifies and prevents the installation of malicious/ suspicious extensions that can steal data, tokens, or credentials—as well as those that can surreptitiously perform actions on behalf of users in or outside of your enterprise applications. 

Be the first to know.