The web browser is the central platform for online content consumption. In the modern work environment, it’s the gateway to access organizations’ data and applications. Browsers facilitate communication, data sharing, operations, and more.
Popular web browsers, including Chromium-based browsers (Chrome, Edge, Opera, Brave, etc.), Firefox, and Safari, support extensions using WebExtensions or compatible APIs. Extensions offer great value to their users, with essential features such as ad-blocking, password management, and productivity boosters. However, they require broad permissions to modify the browser, its behavior, and the visited websites to deliver these enhancements. Naturally, this level of control and access from third-party actors can pose significant security and privacy threats to the users and their organizations.
Users are exposed to an astronomical number of extensions across browsers, with ~160K public extensions and apps on Chrome’s Web Store alone. Alarmingly, this vast attack surface is far from secure. Many malicious extensions are discovered every year, affecting millions of users worldwide. Unfortunately, such extensions slip through the cracks of web stores’ vetting process. Due to the sheer number of submissions (hundreds of daily updates), extension vetting relies on automatic code analyses, complemented by a manual review for extensions with higher risk. The issues with this limited process are further aggravated by extensions with remotely hosted code, which isn’t available during the review. In addition, even benign and reputable extensions may be turned into malicious instruments as they’re susceptible to vulnerabilities in their code and supply chain.
The dangers of web extensions
The web extension API is extensive, enabling access and control of users’ activity and data on all sites. This access is granted directly through dedicated browser interfaces and indirectly via the configuration of browser settings, the ability to execute code in the context of web pages, etc.
To better understand why these permissions are needed and how they may be exploited, let’s examine some of the most popular features offered by extensions –
- Grammar and spell-checking – many users and organizations opt to improve written communication with spelling and grammar checkers. These extensions request permission to inject scripts that run in the context of the web page to analyze the user’s text, usually by inspecting the input fields or logging the user’s keystrokes by other means. This effectively allows the collection and exfiltration of any information on the web page, including passwords and other sensitive data. Moreover, such permission opens the door to attacks and theft of corporate assets, as scripts may programmatically execute any action that the user can perform. For example, a script could change user settings and permissions, delete files from the company’s online directories, read chat history, set redirect rules on mailing services, etc.
- Ad-blocking – the most common functionality among Chrome Web Store’s top extensions. Who wouldn’t want to stop ads, improve browser speed and increase protection? Alas, blocking ad-related content involves removing elements from the page, requiring the same permissions as spell-checkers. In addition, detection and prevention require intercepting and modifying the user’s web requests. Changing responses allows mounting different attacks, such as disabling security headers (e.g., CSP and HSTS), while access to the requests exposes sensitive data –
- Request payload containing the user’s passwords, credit cards, and other sensitive information.
- Authorization tokens and session cookies, which are usually enough for the impersonation of the user in different services.
- Links that expose proprietary corporate information, physical device location, photos, online orders, and more.
- File format support – some extensions enable opening, modifying, and converting certain file types that aren’t natively supported in the browser. In some cases, they require access to the user’s downloads to save the modified or converted files. Attackers can exploit this API in several ways, such as placing arbitrary files on the user’s machine and clearing their tracks. On top of that, there are extensions that prompt users to provide full access to the filesystem, potentially compromising all stored files.
- Password management – many security-aware users and organizations use extensions to ease the inherent pains of password-based authentication. Some of these extensions offer the ability to copy and paste passwords, requiring permission to monitor and change the user’s clipboard. In addition, they need access to the web page to inspect login forms and read/write the user credentials, and often examine web requests to identify login attempts and track the login lifecycle. These permissions present the same dangers as those described for ad-blockers.
Other features require permissions that display more apparent risks. For example –
- Screen-sharing and video-conference extensions may freely capture the user’s screen and audio.
- VPN extensions direct any portion of the user’s traffic through third-party servers via proxy (sometimes over unencrypted channels), potentially stealing data or even bandwidth.
Shockingly, market leaders from each of the mentioned categories contained vulnerabilities.
It’s important to remember that the dangers don’t always stem from brazenly high-risk permissions. For example, extensions require no special permissions to use the computer’s resources, facilitating the rise of cryptojacking extensions. In addition, malicious extensions may exploit the browser’s uninformative permission warnings, which sometimes fail to convey the potential risk. For instance, some extensions hijack users’ searches using permissions that merely prompt a warning that they may read the user’s history. This method can easily be used to mount phishing and other attacks, which can be detrimental to organizations.
Bear in mind that this list by no means exhausts all risky permissions accessible to extensions. Moreover, many extensions demand a mix of permissions, increasing the attack surface and enabling intricate attack vectors.
Chrome and other browsers try to contain the risk from extensions by improving the vetting process and limiting some of their capabilities. For example, Chrome blocked extensions that aren’t served from its store and introduced patches restricting previously available operations, such as an extension’s ability to interfere with other extensions.
One recent shift is Google’s Manifest V3 (MV3). It offers some genuine improvements, like banning remotely hosted code and cross-origin communication in content scripts. However, other changes, such as removing content-aware web request blocking, disable important functionalities (e.g., ad-blockers) without considerably improving security. In any case, MV3 isn’t widespread and is used by as few as 3.5% of the extensions on Chrome’s Web Store. This will gradually shift as Google pushes it on new extensions later this month. Even so, Google won’t force the migration until January 2023, and some browsers don’t plan to adopt it fully.
Web extensions in the wild
Today, Chrome’s Web Store is the most popular marketplace for extensions. It directly serves ~80% of the market through Chrome and most Chromium-based browsers.
An analysis of the extensions in the store revealed that tens of thousands of extensions have access to the worrying permissions we’ve outlined above. To name a few –
- ~44.1% (~70K extensions) can run code in the context of web pages.
- ~31.85% (~50K extensions) have access to the user’s tabs and browsing activity.
- ~6.17% (~10K extensions) can read and change data on all sites.
- ~6% (~9.5K extensions) have direct access to web requests.
- ~1.75% (~3K extensions) can download files and access download activity.
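The permission classes counted above map directly onto entries in an extension’s manifest.json, and the MV2/MV3 split described earlier changes where those entries live. The following triage function is an added example, not code from the original post or from any real extension: it reads a manifest (MV2 host patterns in "permissions", MV3 "host_permissions" and "scripting") and reports which of the discussed capability classes it grants. The category labels, the set of flagged permissions, and the two sample manifests are our own constructions.

```javascript
// Added example (not from the original post): classify an extension manifest
// into the risky capability classes discussed above. Handles MV2 (host patterns
// live in "permissions") and MV3 ("host_permissions", "scripting"); labels are ours.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function triageManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = [
    ...(manifest.host_permissions || []),                                   // MV3
    ...[...perms].filter(p => p === '<all_urls>' || p.includes('://')),     // MV2
  ];
  const findings = [];

  // Code in the context of web pages: declared content scripts, or the
  // MV3 "scripting" API (which additionally needs a matching host permission).
  if ((manifest.content_scripts || []).length > 0 || perms.has('scripting')) {
    findings.push('runs code in the context of web pages');
  }
  if (['tabs', 'history', 'webNavigation'].some(p => perms.has(p))) {
    findings.push('reads tabs and browsing activity');
  }
  if (hosts.some(h => ALL_SITES.has(h))) {
    findings.push('reads and changes data on all sites');
  }
  // webRequest exposes request/response data; webRequestBlocking (MV2 only)
  // additionally lets the extension alter or drop them before the page sees them.
  if (perms.has('webRequest')) {
    findings.push(perms.has('webRequestBlocking')
      ? 'intercepts and modifies web requests'
      : 'observes web requests');
  }
  if (perms.has('downloads')) findings.push('downloads files and reads download activity');
  if (perms.has('clipboardRead') || perms.has('clipboardWrite')) findings.push('reads or writes the clipboard');
  if (perms.has('desktopCapture') || perms.has('tabCapture')) findings.push('captures screen or tab media');
  if (perms.has('proxy')) findings.push('routes traffic through a proxy');

  return { manifestVersion: manifest.manifest_version, hosts, findings };
}

// Constructed sample manifests (not real extensions) for the two manifest versions.
const MV2_ADBLOCKER = {
  manifest_version: 2,
  permissions: ['webRequest', 'webRequestBlocking', 'tabs', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['hide.js'] }],
};
const MV3_CONVERTER = {
  manifest_version: 3,
  permissions: ['scripting', 'downloads', 'clipboardWrite'],
  host_permissions: ['https://docs.example.com/*'],
};
```

Run against an unpacked extension’s manifest.json, the returned findings give a quick first cut of which of the above categories an extension falls into before any review of its code.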
To better understand the reach of these risky permissions, we’ve further explored the user count of extensions using them. While the Chrome Web Store doesn’t supply exact user counts (and caps at 10M users per extension), we can deduce a rough estimate for a lower bound. We’ve found that these permissions affect hundreds of millions of users worldwide. For instance –
- At least 780M users have extensions that can run code in the context of web pages.
- At least 710M users have extensions that have access to the user’s tabs and browsing activity.
- At least 302M users have extensions that can read and change data on all sites.
- At least 441M users have extensions with direct access to web requests.
- At least 106M users have extensions that can download files and access download activity.
Overall, ~62.43% of extensions have permissions to read or change user data and activity. Over a billion users (and their organizations) chose to install them. How reliable are the extension developers? How many of these could be malicious, exploitable, or taken over by malicious actors in the future?
Browser extensions have gained traction as tools to enhance the browsing experience. Unfortunately, as we’ve reviewed, they are worryingly capable of accessing and changing the user’s and the organization’s data, actions, and assets. Alarmingly, much like mobile apps and other plugins, these powerful tools are far from secure, and they can be devastating in the hands of attackers.
Should hundreds of millions of users and organizations feel confident in their decision to put their data and assets in the hands of potentially unreliable third-party actors?
Stay tuned for the next post in the series. We will explore how attackers exploit the described capabilities, how they manage to infiltrate organizations, and how organizations can defend themselves.