Exploiting Browser Extensions to Compromise Corporate Networks

Today, all modern browsers, including Chrome, Edge, Firefox and Safari, let third-party developers extend default functionality by writing custom code in the form of browser extensions. An extension is not a standard executable but a small application made of HTML, CSS and JavaScript that runs inside the browser process. Once installed, it can call privileged browser APIs (tabs, cookies, history, network requests and so on) to the extent its manifest permissions allow, and it uses those APIs to offer useful functionality.

One problem, however, is that browser extensions act like web applications but are not held to the Same Origin Policy (SOP) in the same way. The SOP stops a page from reading data that belongs to another origin unless that origin explicitly opts in with Cross-Origin Resource Sharing (CORS) headers. An extension that has been granted host permissions for a site can read and modify that site's pages and make requests to it carrying the user's cookies, with no CORS opt-in from the site; with broad host permissions ("read and change all your data on all websites") it can do this everywhere. Extensions can also request access to user data such as bookmarks, browsing history and, you guessed it, cookies, which in practice are the user's credentials.

In a study at Université Côte d'Azur, researcher Dolière Francis Somé analyzed 78,315 Chrome, Firefox and Opera extensions built on the WebExtensions API and found 197 that a rogue website could abuse: by sending messages to the extension, a page could have it perform privileged actions on the page's behalf, bypassing the SOP to read user data and credentials and even trigger file downloads.
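The pattern behind that class of finding, as an added example that is not code from the original post or from the study it cites: an extension accepts messages from web pages and does privileged work on their behalf without checking who asked. The browser API is stubbed so the code runs in Node; in a real extension the two handlers would be registered with `chrome.runtime.onMessageExternal.addListener` and receive `msg` and `sender` from the browser. All origins, URLs and cookie values below are constructed, and the two allowlists are assumed values.

```javascript
// Stand-in for the privileged APIs an extension holds once it has the
// "cookies" permission plus broad host permissions. Real calls are async;
// synchronous here to keep the illustration short. Values are constructed.
const fakeBrowserApi = {
  cookies: { "https://intranet.example.com": "session=c0ffee" },
  getCookies(url) { return this.cookies[new URL(url).origin] || ""; },
  // A fetch made from extension context carries the user's cookies and is
  // not subject to the calling page's Same Origin Policy.
  fetchAs(url) {
    return `<html>${url} fetched with cookies [${this.getCookies(url)}]</html>`;
  },
};

// VULNERABLE: any page that can reach this listener can use the extension's
// permissions as its own. Nothing about `sender` is examined, and the page
// chooses both the action and the target URL.
function vulnerableHandler(msg, sender, api) {
  if (msg.action === "fetch") return { ok: true, data: api.fetchAs(msg.url) };
  if (msg.action === "cookies") return { ok: true, data: api.getCookies(msg.url) };
  return { ok: false, error: "unknown action" };
}

// HARDENED: the same capability, constrained to the sites and targets the
// extension was written for. Both allowlists are assumed values.
const ALLOWED_SENDER_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_TARGET_ORIGINS = new Set(["https://api.example.com"]);

function hardenedHandler(msg, sender, api) {
  // 1. Only pages from the extension's own web app may talk to it. In recent
  //    Chrome versions `sender.origin` is filled in by the browser, not by the
  //    page, so it can be trusted.
  if (!sender || !ALLOWED_SENDER_ORIGINS.has(sender.origin)) {
    return { ok: false, error: "sender origin not allowed" };
  }
  // 2. Never accept an arbitrary URL: the page must not be able to aim the
  //    extension's cookies at a third-party site such as an intranet host.
  let target;
  try { target = new URL(msg.url); } catch { return { ok: false, error: "bad url" }; }
  if (!ALLOWED_TARGET_ORIGINS.has(target.origin)) {
    return { ok: false, error: "target origin not allowed" };
  }
  // 3. Expose only the narrow operation needed; raw cookies never reach page content.
  if (msg.action === "fetch") return { ok: true, data: api.fetchAs(target.href) };
  return { ok: false, error: "unknown action" };
}

if (typeof require !== "undefined" && require.main === module) {
  const evilPage = { origin: "https://evil.example.net" };
  const probe = { action: "cookies", url: "https://intranet.example.com/" };
  console.log("vulnerable:", vulnerableHandler(probe, evilPage, fakeBrowserApi));
  console.log("hardened:", hardenedHandler(probe, evilPage, fakeBrowserApi));
}
```

In a real extension, also restrict `externally_connectable.matches` in the manifest so the browser never delivers messages from other origins in the first place; the origin check in the handler is defence in depth for the case where a content script relays `window.postMessage` traffic from the page, since the sender origin then reflects the page the content script runs in.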

Another problem is that a rogue extension that looks legitimate, whether installed silently or by the user, is made of nothing more than HTML5 and JavaScript. There is no separate executable to scan and no new process to watch: the code sits in the browser profile as ordinary script files and runs inside the browser's own process, which is why anti-virus and other endpoint protection tools built around binaries and process behaviour often miss it.

Browsers themselves have become quite secure and keep improving. With better software design and regular automated patching, zero-day browser exploits are getting rarer. The difficulty is that browser users are being tricked into adding extensions through a variety of very convincing and effective phishing tricks, and this is causing major problems for enterprises today. These attacks typically start from phishing pages that push the install, and the payload is not a binary but HTML5 and JavaScript running as part of a browser extension, as mentioned earlier, which makes it difficult to track and trace. The threat to the enterprise is that such an extension can act as spyware, steal user credentials and exfiltrate data to the threat actor.

Browser extension threats of this kind, often called Man-in-the-Browser (MitB) attacks because the malicious code sits inside the browser between the user and every site they visit, are, like most phishing threats, becoming more and more sophisticated. Many are born out of legitimate extensions that update automatically. With large user bases and little profit for developers, many extensions are sold to or bought by criminal groups and then pushed an automatic update carrying malicious code. What started out as a trusted browser extension is turned into a phishing attack vector. This exact scenario played out with Particle, a Chrome extension for customizing YouTube, which was sold to a new developer after the original author planned to abandon it because of incompatibilities with a soon-to-be-released YouTube UI. A couple of days after the purchase, the new developer converted it into adware and sent out an update requesting two intrusive permissions to data that the extension did not need and had no reason to use.

Browser extension threats such as these, and other rogue software programs or apps, can be recognized quickly with Real-Time Phishing Threat Intelligence, the industry's broadest and most up-to-the-minute intelligence on zero-hour phishing threats. With more people than ever using browser extensions to make their lives easier, IT teams have more reason to be concerned about the corporate network and data exposure that results.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.