Can a browser extension be cursed?
TL;DR: skip to the conclusions to see what Alice learned.
The Privacy Problem
Mallory was quite tired of his failed attempts to melt Alice’s heart. She defended herself well with VPN and TLS, and she remembered to use a private window as well. But Mallory was also as easy to reverse as an oil tanker, so he decided to plow ahead. His sat-nav kept repeating continue straight, which he interpreted as the universe telling him to continue his pursuit. You may think that taking advice from a sat-nav is stupid, but Mallory did it all the time. It helped him during elections (keep left at the fork), and when he was thinking about becoming a lion tamer (stay in your lane). That last bit of advice would also be useful in regards to his attempts to win Alice over.
Alice and Bob were still practicing a long-distance relationship. Mallory assumed that it was bound to fail. He just needed to know the perfect moment to make his move. In order to do that, he would need to tap into their communications, he thought. Of course, that is immoral and illegal, but he had once read that all’s fair in love and war. And he told himself that nosiness wasn’t actually a vice.
Mallory was not only taking cues from sat-navs and literature. He was also an avid reader of hacking forums. One of them presented him with an idea of how to compromise Alice’s defenses. It was a concept browser extension called the Cursed Chrome. He thought he could craft a similar browser extension, and somehow trick Alice into installing it.
What Browser Extensions Are
Let’s leave Mallory and his evil little project alone for a while, and let’s try to understand the bigger picture. What are browser extensions? How secure are they? How bad can it get if someone with nefarious intent creates a malicious add-on?
Browsers can be customized by installing small modules that extend their functionality. Such modules are called browser extensions or add-ons. The most typical examples are ad blockers, password managers, or editing assistants. Ad blockers are by far the most common and useful kind of browser extension. In order to avoid any risks associated with you having to install one on your own, Opera comes with its own ad blocker.
Another very popular category of extensions is messengers, such as WhatsApp or Facebook Messenger. Once again, Opera has them integrated into its browser. This is done for convenience but also for security. Due to the popularity of those types of extensions, they are also the most frequently attacked. Threat actors often try to publish their own ad blockers that have backdoors and other unwanted functionality.
Browser Extension Security
Browser extensions are useful tools. Like any software, however, they can potentially be exploited by a malicious actor. In order to prevent that, browser developers created the browser extension subsystem, designed to minimize this risk. Browser extensions are only granted limited access based on what is needed for their intended function. Moreover, extensions have to be split into smaller components, most notably the content script and background page.
The most sensitive part of the extension, the content script, has even fewer privileges than a background page. So if an attacker would like to take over all of an extension’s capabilities, they’d have to find separate vulnerabilities in both components. As we see, vulnerabilities in well-intended browser extensions aren’t that easy to exploit.
Before a browser extension is placed in an official store, it undergoes a security review. The review ensures that the extension only does one thing, and that it does not require more privileges than are necessary for that particular function. It also checks compliance with all other policy requirements. In the case of Opera Addons, this includes a manual review of the code.
Of course, security controls can never be perfect. However, you can reasonably assume that a browser extension that comes from a legitimate store is safe. Especially compared to extensions that are hosted independently, which are therefore not subject to the scrutiny of a security review team. Therefore, only use the extensions from the official stores, which are developed by reputable companies.
Malicious Browser Extensions
While some extensions might break your browsing experience and do no further harm, intentionally malicious browser extensions are the ones to be feared. The Cursed Chrome, for example, turns your browser into an attacker’s proxy. This means that Mallory could view the web with your identity, using your credentials. If you are logged into your webmail, he could read all of your correspondence or even write emails in your name. If you are logged into Facebook, he could also open a session and see everything you see – all of Messenger’s history, the private photos that you shared with your closest friends, and even some information you didn’t share.
Will Mallory steal Alice’s money?
Attacks like the Cursed Chrome would not be as effective against most online banks though. Banking sessions are short, and all sensitive operations require second-factor authentication. Most importantly, many banking apps won’t allow a session to be cloned in another tab or another browser. This combination of factors means that, even with a malicious browser extension like this, you are not completely compromised.
In fact, Mallory could only spy when Alice is online, has an open browser, and is logged into a service that doesn’t have mitigation against multi-tab use. On top of this, all of his traffic would have to go through Alice’s laptop. This would make those sessions quite slow, limiting the damage he could do. But still, the threat is real, and quite scary.
Browser Extension Distribution
Browser extensions can be pre-installed in browsers, or manually installed from official stores. From Mallory’s perspective, those channels of distribution aren’t any good. His intentionally malicious extension is unlikely to get past a security review.
Theoretically, he could hack into the infrastructure of a vendor that has an already approved extension in the store. This would have to be an extension that Alice has installed. Then, he could add his malicious code into the legitimate extension and force an update. However, significant changes to browser extensions in the store also trigger a security review. So even if he was able to pull this off, it still wouldn’t be enough.
There’s also the possibility of installing an extension manually. All Mallory would need for that is access to Alice’s unlocked laptop for a couple of minutes. Alternatively, he could try to manipulate Alice into installing it herself. Not an easy feat, but much more doable than hacking into a software vendor’s network.
Conclusions
- A malicious browser extension can potentially read your entire browsing history and send it somewhere. It could take screenshots, read your form data (e.g. passwords, credit card numbers), your keystrokes, or your system’s clipboard.
- It’s possible to create a malicious extension that would turn your browser into someone else’s browser. The attacker could view the web with your access rights.
- Always use an extension from an official store, or those preinstalled by a browser vendor. In order to be accepted by a store, an extension must go through a security review. An extension could be installed manually, but if someone asks you to do that, they are effectively asking you to bypass that security review.
- Never give strangers access to your laptop or phone. Have it automatically lock after some time of inactivity. Exercise caution in public. Don’t let strangers shoulder-surf your PINs or passwords.
- Keep your extension list as short as possible.
- If you do want to use them, choose extensions from trusted sources. Remove extensions you no longer need.
- Private mode disables extensions by default. You can enable them manually, but don’t do it unless you absolutely have to.
Epilogue
There is a whole class of attacks that manipulates users into doing things that are harmful. Mallory could employ this tactic to get his browser extension installed on Alice’s computer.
Stay tuned for the next episode to find out if this is meant to be.