Skip to content
Naked Security Naked Security

Rogue websites can turn vulnerable browser extensions into back doors

A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.

When was the last time you checked the permissions asked for by a browser add-on?

It’s a blind spot: we might know that app permissions can be risky but when it comes to extensions for browsers such as Chrome and Firefox there is a tendency to worry about it only when someone discovers a malicious extension doing something it shouldn’t.

But it’s not only malicious extensions that can be a problem, as highlighted by a newly published study by Université Côte d’Azur researcher, Dolière Francis Somé, which analyses deeper-level APIs.

Extensions can do things that websites can’t. Websites are protected and restricted by Same Origin Policy (SOP) policy – the layer that restricts websites on different domains from sharing data.

Somé was interested in whether a rogue website could bypass these basic SOP protections by exploiting privileged browser extensions, maliciously gaining access to user data, browsing history, user credentials, or to download files in storage.

Sure enough, after analysing 78,315 Chrome, Firefox and Opera extensions that used the WebExtensions API using a mixture of static analysis and manual review, the answer in 197 cases was yes, it could.

All told, 171 of the 197 were Chrome Extensions, which reflects the much greater number of extensions available for this browser rather than any inherent security advantage of Firefox and Opera. 16 and 10 extensions were found for these browsers respectively.

Should we be worried?

Given the very small numbers of vulnerable extensions discovered, at first glance perhaps not. More than half of the rogue extensions had fewer than 1,000 installs each, with only 15% having more than 10,000 installs each.

And yet many of these extensions were doing things that seem hard to justify, including 63 bypassing SOP, 19 executing code, and 33 Chrome examples that could even install other extensions.

Somé says that browser makers have been made aware of the extensions called out by the test, with Mozilla removing all of those named, Opera removing all bar two, and Google still in discussions about whether to remove or fix the Chrome ones (the full list can be found at the end of the research paper).

Solutions?

The easiest answer would be to stop extensions from communicating with web pages as they please, although this might also block legitimate actions.

Alternatively, extensions could (should?) be better vetted by browser vendors to check on their behaviour, while the extensions themselves could be forced to declare which websites they planned to interact with.

Concludes Somé:

Browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions.

The devil’s advocate might argue that the real problem is the whole extensions architecture, which is only now slowly being patched up.

In addition to being able to abuse APIs at a deeper level, many Chrome extensions have got into the habit of demanding high-level permissions during installation, such as the ability to “read and change all your data on the websites you visit.”

On the other side, Google recently changed Chrome extensions’ permissions to limit them to specific sites defined by the user.

The best advice remains to install as few as possible and carefully check out the permissions they request.

Currently, this can be done on Chrome once an extension is installed via Extensions > Details.

On Firefox, the permissions are listed when the user clicks the ‘Add to Firefox’ button, which many people miss.

For Opera, it’s Extensions > Information.

10 Comments

I try to avoid most extensions that need “read write all websites” permissions. But I am puzzled that there isn’t a more fine grained permission system in browsers. It seems to be “no special, website specific, and all”.

I think the reason is that anything more fine-grained is essentially web filtering. The main purpose of the WWW was the hyperlink, which is supposed to let you bounce freely from place to place.

True, but @Odd has a good point–or maybe I only think that since I was thinking the same.

I’d like to see a multi-tiered permissions paradigm more like that in my phone. Maybe not necessarily featuring domain-specific limits** but at least a couple more gradations between “completely benign” and AYBABTU.

** though certain extensions like NoScript and ScriptSafe obviously would perish without self-imposed governance so granular

Windows has had “internet zones” for many years that assign different rights to different web sources depending on where they are.

Yeah I nearly mentioned those, though in my haste I would’ve forgotten they’re not directly part of IE–or are they*?

Do those security settings also govern
a) browser extensions (probably), and
b) browser extensions not running in IE/Edge (I’m less certain)?

Irrespective of answers 1a and 1b I’d like to see something native to browsers, if for no other reason than my beloved GNU/Linux browsers won’t benefit from Internet Zones.

Of course that could very well lead to more browser bloat, which is precisely why I stopped using Firefox a few years back; rampant RAM reservations rapidly rushed readers to revisit Chrome.

The high number of Chrome extensions (and low number of Opera ones) might also be an indication of the popularity of Chrome extensions with Opera users – in fact, when I recently switched over to Opera from Chrome, I installed a single Opera extension… published by Opera and specifically for enabling installation of Chrome extensions, allowing me to install my trusty faves without having to find new versions or similar extensions that may or may not have the same functionality.

With many browsers being Chromium-based including Opera, and Edge abandoning its own engine and making the switch to Chromium sometime in the coming future, I wouldn’t be surprised if Chrome extensions were being installed elsewhere as well, further extending the spread of any bad actors. Just goes to illustrate the importance of Chrome’s Web Store taking care to properly and thoroughly check anything being published through its platform, since any browser – including less secure ones than Chrome – can access the Web Store via a web page. (The alternative to web access would be to make the Web Store more like an app, and grant a front-end access only to those browsers that meet whatever security standards Google sets…but I doubt this would ever happen, for multiple reasons.)

In some cases living without extensions is almost impossible as the browser market shrinks and becomes a choice between Firefox or Chromium based browsers.
For the last several updates FF especially has ***removed*** features and now tells users to use an Add-On! I have taken the liberty to check available Add-Ons for some of these features… some were last updated in 2013!!!!
Not an ideal situation.
As a Vivaldi user I have to get extensions from google’s app store.
I try to use only extensions I need that have high ratings and high download numbers (as well as no negative comments on the Vivaldi Forums).
Just have to review the research paper and keep my fingers crossed.

Chrome’s old Reddit extension, that redirects reddit.com to old.reddit.com, defaults to *read and change all your data on the websites you visit.* I (Menu/MoreTools/Extensions) changed its Details to be just active on sites reddit.com and old.reddit.com, and kept it disabled in incognito mode. It seems to work fine on Chrome version 71.0.3578.98.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?