From last week’s bombshell of a report about browser extensions leaking data from Fortune 100 organizations to news of data brokers buying extensions, we take a small trip through the articles that have been warning us for years about the dangers of browser extensions. After reading this, let’s be honest, you’ll probably do nothing. But, if you’re alarmed by any of this (and you should be), let us help your organization get a handle on which browser extensions are running in your environment.
Back in 2016, an extension called Web of Trust was found not only to be selling the browsing histories of its users, but also to be taking no steps to anonymize that data. Doubly infuriating to its users, the extension was meant to evaluate the trust and reputation of other parties on the web.
An independent Chrome extension developer had built a useful extension to augment YouTube. The extension grew in popularity and served its users well until someone came knocking to buy it. The original developer sold the extension, and in short order it was updated with malicious code that sent browsing history back to its new overlords.
Because the extension had an existing install base and brand, the new owners were able to simply push an update to start collecting data. From the users’ perspective, the extension simply asked to be granted more permissions, a warning which most users likely ignored as they clicked “OK.”
If you wanted to publish a malicious, data-collecting, privacy-violating extension, why put in all the hard work of engineering a useful product and marketing it? Instead, just copy an open-source extension, add your malicious code, and republish it under a name that closely resembles extensions people already trust. People already trust Adblock, so why not call it Adblock Pro. Boom. Pro, because it’s better, of course.
That’s precisely what the developers of several ad-blocking extensions did, garnering over 20 million users in the process.
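The two patterns above, an established extension that starts asking for more permissions after an ownership change and a look-alike newly installed under a trusted name, are both visible in the browser's own installed-extension inventory. The following is an added example (not code from this blog or its product) that diffs two snapshots with the layout of Chrome's `Preferences` JSON (`extensions.settings.<id>.manifest`) and flags newly installed extensions and newly gained sensitive permissions; the extension ids, names, versions and the choice of "sensitive" permissions are constructed for the example.

```python
# Permissions whose sudden appearance in an update most often enables
# browsing-history collection or traffic interception (selection is ours).
SENSITIVE = {"<all_urls>", "history", "tabs", "cookies", "webRequest",
             "webRequestBlocking", "webNavigation"}


def extension_permissions(prefs):
    """Map extension id -> (name, version, permissions) from a dict with the
    layout of Chrome's Preferences file (extensions.settings.<id>.manifest)."""
    result = {}
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        perms |= set(manifest.get("host_permissions", []))  # MV3 host patterns
        result[ext_id] = (manifest.get("name", "?"), manifest.get("version", "?"), perms)
    return result


def permission_drift(baseline, current):
    """Compare two snapshots: report extensions installed since the baseline and
    extensions whose update added a permission from SENSITIVE."""
    before = extension_permissions(baseline)
    after = extension_permissions(current)
    findings = []
    for ext_id, (name, version, perms) in sorted(after.items()):
        if ext_id not in before:
            findings.append(("new_extension", name, version, sorted(perms & SENSITIVE)))
            continue
        gained = (perms - before[ext_id][2]) & SENSITIVE
        if gained:
            findings.append(("gained_sensitive", name, version, sorted(gained)))
    return findings


# Constructed sample snapshots; ids, names and versions are invented.
BASELINE = {"extensions": {"settings": {
    "a" * 32: {"manifest": {"name": "Tube Helper", "version": "1.4.0",
                            "permissions": ["storage", "activeTab"]}},
}}}
CURRENT = {"extensions": {"settings": {
    # same extension after a "routine" update: now wants history + every host
    "a" * 32: {"manifest": {"name": "Tube Helper", "version": "1.5.0",
                            "permissions": ["storage", "activeTab", "history"],
                            "host_permissions": ["<all_urls>"]}},
    # look-alike installed beside it since the baseline was taken
    "b" * 32: {"manifest": {"name": "Adblock Pro", "version": "0.1",
                            "permissions": ["webRequest", "<all_urls>"]}},
}}}

if __name__ == "__main__":
    for finding in permission_drift(BASELINE, CURRENT):
        print(*finding)
```

On a real machine the snapshots would come from `json.load` of the `Preferences` file in each Chrome profile directory, taken on a schedule so that the diff catches an update between two runs.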
When Robert Heaton discovered last year that Stylish, an extension he had installed, was making suspicious network requests, he uncovered a data collection operation. Google was quick to take down the extension 2 days after the research was published. However, two weeks later, the extension reappeared on both the Chrome Web Store and the Mozilla Add-ons site.
Yeah, we’ll pass on the new version.
Last month, the Washington Post’s technology columnist Geoff Fowler gave readers some tips on avoiding getting tracked online. Worth echoing from his suggestions: VPNs do not help! The threat is already on your machine.
What he missed, though, is that it’s not just the Facebooks and Googles tracking your browsing history. The extensions on Chrome, Mozilla and other browsers let any independent developer or organization do the same.
In the latest major announcement of data collection and abuse by browser extensions, researcher Sam Jadali outs 8 extensions and an analytics firm for collecting and reselling extremely sensitive information that provides access to everything from tax returns to health records. The breach impacted some of the biggest public companies, regulated industries and even major security software vendors, showing that this kind of exposure slips past established security organizations.
The extensions in question lay in wait for 3-4 weeks after they were installed before getting the directive to start exfiltrating data. They were discovered only because an independent researcher got suspicious, started monitoring his extensions and left the sandbox running.
If you’ve gotten to the end, let us help. Sign up for Extension Monitor and start getting visibility into the extensions running in your environment and their threats. Join us on the right side of this cat and mouse game as we build ever-evolving methods to detect data exfiltration and other security risks that browser extensions pose.
Keep extension threats top of mind. Sign up to get notified when new posts become available.