Today, all modern browsers, including Chrome, Edge, Firefox, and Safari, let third-party developers enhance default functionality with custom code in the form of browser extensions. These extensions are not standard executables but small "apps" made up of HTML, style sheets (CSS), and JavaScript that run inside the browser process. Once installed, they can use the browser's privileged APIs and resources to offer useful functionality.
One problem, however, is that browser extensions behave like apps, but unlike web applications they are not fully bound by the Same Origin Policy (SOP). The SOP prevents a web page from reading data belonging to another origin unless that origin explicitly opts in through a mechanism such as Cross-Origin Resource Sharing (CORS). An extension that declares host permissions for a site is exempt from this restriction for that site, so it can read and write the site's data without any opt-in, and with the corresponding permissions it can also access user information such as bookmarks, browsing history, and, you guessed it, cookies (that is, the user's session credentials).
In a study by Université Côte d'Azur, researcher Dolière Francis Somé analyzed 78,315 Chrome, Firefox, and Opera extensions built on the WebExtensions API and found that 197 of them could be abused by rogue websites: by sending the right messages to these extensions, an ordinary web page could bypass SOP protections, gain access to user data and credentials, and even trigger file downloads onto the user's device.
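The pattern behind the findings above, and behind the SOP exemption described in the previous paragraph, is an extension that relays messages from web pages to privileged extension APIs. The following is an added example, not code from this article or from the study, showing such a background-script handler first in a vulnerable form and then hardened. The extension API object is passed in as a parameter so the logic runs outside a browser; in a real extension it would be the global `chrome` object, with `"cookies"` and `"downloads"` declared under `"permissions"` in manifest.json. The origin and domain names, the cookie jar, and the fake API are all constructed for the demonstration.

```javascript
// Added example: an extension background handler that relays page messages
// to privileged APIs, vulnerable form and hardened form. Not the article's
// or the study's code; names and data below are constructed.

// Content-script side of the relay (sketch, not executed here): every
// window.postMessage from the page is forwarded to the background page.
//   window.addEventListener("message", (e) => chrome.runtime.sendMessage(e.data));
// The background page is not subject to the page's origin, so any site the
// user visits can now drive the handler below.

// VULNERABLE: the page chooses the action, the cookie domain and the download URL.
function handlePageMessageVulnerable(msg, api) {
  if (msg.action === "getCookies") {
    // Cookies for any domain the page names, e.g. the user's bank.
    return api.cookies.getAll({ domain: msg.domain });
  }
  if (msg.action === "download") {
    // Attacker-chosen file written to disk under the user's profile.
    return api.downloads.download({ url: msg.url, filename: msg.filename });
  }
  return { error: "unknown action" };
}

// HARDENED: allowlist the origins that may talk to the extension, allowlist
// the actions, and never let the page choose what the privileged call targets.
// senderOrigin must come from the browser (event.origin in the content script,
// sender.origin / sender.url in chrome.runtime.onMessage), never from msg.
const ALLOWED_ORIGINS = new Set(["https://panel.extension-vendor.example"]); // assumption
const OWN_DOMAIN = "extension-vendor.example"; // assumption

function handlePageMessageHardened(msg, senderOrigin, api) {
  if (!ALLOWED_ORIGINS.has(senderOrigin)) {
    return { error: "origin not allowed" };
  }
  if (msg.action === "getCookies") {
    // The page cannot pick the domain; only the extension's own service is readable.
    return api.cookies.getAll({ domain: OWN_DOMAIN });
  }
  return { error: "unknown action" }; // no download relay at all
}

// Constructed stand-in for the browser API so the example runs offline.
// The real chrome.cookies.getAll / chrome.downloads.download return Promises;
// this fake returns values directly to keep the demonstration synchronous.
const FAKE_COOKIE_JAR = [
  { domain: "bank.example", name: "session", value: "SECRET-BANK-SESSION" },
  { domain: "extension-vendor.example", name: "prefs", value: "dark" },
];
const fakeApi = {
  cookies: { getAll: (q) => FAKE_COOKIE_JAR.filter((c) => c.domain === q.domain) },
  downloads: { download: (o) => ({ saved: o.filename, from: o.url }) },
};

// A rogue page has no SOP access to bank.example, but the vulnerable relay
// hands it the bank's cookies anyway; the hardened relay refuses the origin.
function demo() {
  const rogueOrigin = "https://rogue.example";
  const steal = { action: "getCookies", domain: "bank.example" };
  return {
    vulnerable: handlePageMessageVulnerable(steal, fakeApi),
    hardened: handlePageMessageHardened(steal, rogueOrigin, fakeApi),
  };
}
```

Note that origin checking alone is not enough if the content script forwards messages from any `window` source: the hardened content script should also verify `event.source === window` before forwarding, and the background handler should validate `sender` itself rather than trusting a field inside the message.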
Malicious extensions are a common vehicle for what are often called Man-in-the-Browser (MiTB) attacks, and, like most phishing threats, they are becoming more and more sophisticated. In fact, many are born out of legitimate extensions that are updated automatically. With large user bases and little revenue for their developers, many extensions are sold to malicious actors, who then push an automatic update carrying malicious code. What started out as a trusted browser extension is turned into a phishing attack vector. This exact scenario happened with Particle, a Chrome extension for enhancing YouTube, which was sold to a new developer after the original author planned to abandon it because of incompatibilities with a soon-to-be-released YouTube UI. A couple of days after the purchase, the new developer converted it into adware and sent out an update requesting two intrusive permissions to access data that the extension did not need and had no reason to use.
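The Particle update is recognizable in the manifest before any code runs: a new version suddenly asks for permissions the old one never had. The following is an added example, not code from this article or from the Particle extension, of the check an IT team can automate against an extension update: diff the old and new manifest.json and flag newly requested sensitive permissions and any widening of host access. The sensitivity list and the two sample manifests are constructed for the demonstration and do not reproduce Particle's actual manifest.

```javascript
// Added example: audit an extension update by diffing its manifest.json
// permissions. Not the article's or the extension's code; the sensitivity
// list and sample manifests are constructed for illustration.

// Permissions that unlock user data or control over the browser.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "history", "bookmarks", "webRequest", "webRequestBlocking",
  "tabs", "management", "downloads", "nativeMessaging", "proxy", "debugger",
  "clipboardRead", "scripting", "declarativeNetRequest",
]);

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions can appear under "permissions" (Manifest V2 mixes host patterns
// in there), "host_permissions" (Manifest V3) and "optional_permissions".
function allPermissions(manifest) {
  return [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ];
}

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Returns the findings a reviewer should look at before allowing the update.
function auditManifestUpdate(oldManifest, newManifest) {
  const before = new Set(allPermissions(oldManifest));
  const added = allPermissions(newManifest).filter((p) => !before.has(p));
  return {
    added,
    newSensitive: added.filter((p) => SENSITIVE_PERMISSIONS.has(p)),
    newBroadHosts: added.filter((p) => BROAD_HOST_PATTERNS.has(p)),
    newHosts: added.filter(isHostPattern),
    // An extension that only ever touched one site and now wants every site,
    // or a new API permission, is the pattern worth blocking pending review.
    escalated: added.some((p) => SENSITIVE_PERMISSIONS.has(p) || BROAD_HOST_PATTERNS.has(p)),
  };
}

// Constructed manifests: a video-site helper, then an update that asks for far more.
const MANIFEST_V1 = {
  manifest_version: 2, name: "Video Tweaks", version: "1.4",
  permissions: ["storage", "*://*.youtube.com/*"],
};
const MANIFEST_V2 = {
  manifest_version: 2, name: "Video Tweaks", version: "1.5",
  permissions: ["storage", "*://*.youtube.com/*", "<all_urls>", "management"],
};

function auditDemo() {
  return auditManifestUpdate(MANIFEST_V1, MANIFEST_V2);
}
```

In practice the old manifest comes from the copy already deployed (for Chrome, the extension's directory under the user profile or the enterprise-pinned CRX) and the new one from the store listing or the update package; an `escalated` result is a reason to hold the update with an ExtensionSettings policy until someone has read the new version's code.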
Rogue browser extensions such as these, along with other rogue software programs and apps, can be recognized quickly with Real-Time Phishing Threat Intelligence, the industry's broadest and most up-to-the-minute intelligence on zero-hour phishing threats. With more people than ever using browser extensions to make their lives easier, IT teams have more reason to be concerned about the corporate network and data exposure taking place.