Malicious websites can exploit browser extension APIs to run code inside the browser and steal sensitive information, such as bookmarks, browsing history or even user cookies.
Of course, an attacker who obtains a user's cookies can learn when the user's sessions are active and gain access to sensitive accounts, such as email inboxes, social network profiles or bank accounts.
In addition, the same extension APIs can be used to trigger the download of malicious files and store them on the user's device, or to write data into an extension's storage that can later be used to track the user across the web.
These types of attacks are no longer theoretical: they were recently demonstrated in research published by Dolière Francis Somé, a researcher at the Université Côte d'Azur and INRIA, the French research institute.
Somé developed a tool and used it to review over 78,000 Chrome, Firefox and Opera extensions. It identified 197 extensions that exposed their internal API communication interfaces to web applications. This can give malicious websites access to data stored in a user's browser, data that should not normally be reachable from a web page.
| | Chrome | Firefox | Opera | Total |
|---|---|---|---|---|
| Extensions analyzed | 66,401 | 9,391 | 2,523 | 78,315 |
| Suspicious extensions | 3,303 | 483 | 210 | 3,996 |
| Execute code | 15 | 2 | 2 | 19 |
| Bypass SOP | 48 | 9 | 6 | 63 |
| Read cookies | 8 | - | - | 8 |
| Read browsing history | 40 | - | - | 1 |
| Read bookmarks | 37 | 1 | - | 38 |
| Get extensions installed | 33 | - | - | 33 |
| Store / retrieve data | 85 | 2 | 3 | 90 |
| Trigger downloads | 29 | 5 | 2 | 36 |
| Total of unique extensions | 171 | 16 | 10 | 197 |
The French researcher reports that he was surprised by the results, as only 15 (7.61%) of the 197 extensions were development tools, a category of extensions that usually has full control over what happens in the browser and whose authors would be expected to avoid such security holes.
About 55% of the affected extensions had fewer than 1,000 installations, but over 15% had more than 10,000.
Somé said he advised browser developers of his findings before publishing the survey to the public in early January.
"Everyone recognized the problems," Somé says. "Firefox has removed all the extensions I mentioned. Opera has also removed all extensions but there are 2 more that can be exploited to enable downloads."
"Chrome also recognized the problem. We are still discussing together the possible measures to be taken."
The researcher also created a tool that lets users check whether their extensions expose an API that malicious websites could exploit. The tool is web-based and hosted on this page.
To use it, copy and paste the contents of the manifest.json file of the extension you are interested in.
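A manifest-based check can only be a first-pass triage: the manifest shows which privileged permissions an extension holds and which channels (content scripts, `externally_connectable`) let a web page talk to it, but not whether the extension's message handlers actually relay those privileges to the page. The following script, added here as an illustration and not the researcher's tool, applies that kind of triage to a manifest.json. The permission-to-capability mapping mirrors the rows of the table above; the sample manifest, the function names and the "broad pattern" list are constructed for this example.

```javascript
// Heuristic triage of a browser-extension manifest.json (added example; not Somé's tool).
// It flags capabilities from the table above that a web page could potentially reach,
// but only when the manifest also declares a page-facing channel. A hit means "review
// the extension's message handlers", not "confirmed vulnerable".

// Manifest permissions mapped to the capability names used in the table.
// (Constructed mapping for this example.)
const SENSITIVE_PERMISSIONS = {
  cookies: "Read cookies",
  history: "Read browsing history",
  bookmarks: "Read bookmarks",
  management: "Get extensions installed",
  storage: "Store / retrieve data",
  downloads: "Trigger downloads",
};

// Host patterns broad enough to reach any origin. An extension that fetches on a page's
// behalf with such a pattern is what the table calls a same-origin-policy (SOP) bypass.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns { channels: [...reasons a page can message the extension],
//           findings: [{ capability, via }] }. findings is empty when no channel exists.
function triageManifest(manifestJson) {
  const m = typeof manifestJson === "string" ? JSON.parse(manifestJson) : manifestJson;

  // 1. Channels through which an ordinary web page can talk to the extension.
  const channels = [];
  const ec = m.externally_connectable;
  if (ec && Array.isArray(ec.matches) && ec.matches.length > 0) {
    channels.push(`externally_connectable.matches = ${JSON.stringify(ec.matches)}`);
  }
  const contentScripts = Array.isArray(m.content_scripts) ? m.content_scripts : [];
  for (const cs of contentScripts) {
    if (Array.isArray(cs.matches) && cs.matches.some(isBroadPattern)) {
      channels.push(`content script injected into ${cs.matches.join(", ")}`);
    }
  }
  if (channels.length === 0) {
    return { channels, findings: [] }; // no page-facing surface: nothing to relay
  }

  // 2. Privileged capabilities that such a channel might relay to the page.
  const findings = [];
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ capability: SENSITIVE_PERMISSIONS[p], via: `permission "${p}"` });
    } else if (isBroadPattern(p)) {
      findings.push({ capability: "Bypass SOP", via: `host permission "${p}"` });
    }
  }

  // 3. A manifest-v2 CSP that allows 'unsafe-eval' lets page-supplied strings be
  //    evaluated in the extension's privileged context if they are ever passed to eval().
  const csp = typeof m.content_security_policy === "string" ? m.content_security_policy : "";
  if (csp.includes("unsafe-eval")) {
    findings.push({ capability: "Execute code", via: "content_security_policy allows 'unsafe-eval'" });
  }
  return { channels, findings };
}

// Constructed sample manifest for demonstration; it does not describe a real extension.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Constructed sample (not a real extension)",
  permissions: ["cookies", "history", "storage", "*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  externally_connectable: { matches: ["https://*.example.com/*"] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
});

console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
```

The same permissions without any content script or `externally_connectable` entry produce no findings, which is the point of step 1: holding the `cookies` permission is normal, while holding it and accepting messages from arbitrary pages is what warrants a look at the handler code.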
Watch the videos published by the researcher.
If you want to read more about Somé's work, "EmPoWeb: Empowering Web Applications with Browser Extensions", you can download it as a PDF from here and here.