Malicious browser extensions pose a serious threat and defenses are lacking

Many security products offer inadequate protection against malicious browser extensions, a researcher has found

Although the number of malicious browser extensions has significantly increased in the past year many security products fail to offer adequate protection against them, while others are simply not designed to do so, according to a security researcher.

Attackers have already used such extensions to perform click fraud by inserting rogue advertisements into websites or by hijacking search queries, but research has shown that this type of malware has the potential to cause much more damage.

Last year Zoltan Balazs, an IT security consultant with professional services firm Deloitte in Hungary, created a proof-of-concept malicious extension that could be controlled remotely by an attacker and could steal authentication credentials, hijack accounts, modify locally displayed Web pages, take screenshots through the computer's webcam, bypass two-factor authentication systems and even download and execute malicious files on a victim's computer.

And last week the European Union Agency for Network and Information Security (ENISA) warned in its midyear report: "An increase in malicious browser extensions has been registered, aimed at taking over social network accounts."

Earlier this year Balazs investigated how various security products protect users against malicious browser extensions and presented his findings at the OHM2013 security conference near Amsterdam in August. He performed tests against browser security extensions, sandboxing software, Internet security suites, anti-keylogging applications and financial fraud prevention programs recommended by some banks.

Many of these products either don't detect and block malicious extensions at all, or their protection can be bypassed, sometimes very easily, he found.

Not all of the tested products claim to protect against malicious extensions, but Balazs said he tested them because some users might believe they do.

For example, the NoScript security extension for Mozilla Firefox is designed to block plug-in content from executing without user authorization, and also blocks some Web-based attacks such as cross-site scripting or clickjacking. However, it doesn't protect against malicious browser extensions or local malware, Balazs said.

BrowserProtect, another Firefox extension, claims to protect the browser against "homepage, search provider, extension, add-on, BHO and other hijacks." This extension also fails to protect against malicious extensions, the researcher said.

Browser security extensions are not really trying to protect against malicious extensions and they wouldn't be able to because by design they run with the same privileges as those extensions, Balazs said.

Balazs also tested Internet security suites from five top antivirus vendors that he declined to name. The level of protection they offered against malicious browser extensions varied from none to good.

One of the tested products detected and removed the researcher's malicious Firefox extension, but he was able to bypass the detection signature by adding a single space character at a specific location in the extension's code.

A product from a different vendor came with a "safe browser" feature that involved creating a clean Firefox profile with no extensions installed. However, once it had created the profile, it kept using the same one, which meant that a malicious extension installed in the user's regular browser profile could copy itself to the "safe browser" profile, Balazs said.

Balazs said a third vendor, asked in a forum if its product detects or blocks Firefox keylogging extension Xenotix KeylogX, replied there was no need because "browser add-ons are subject to the same sandbox the browser runs through." The vendor recommended that users remove any suspicious extensions themselves, he said.

For Balazs, the answer highlights the poor understanding some vendors have of this type of threat, because Firefox doesn't have a sandbox and malicious browser extensions can be installed silently by malware without users ever knowing.

Some other "safe browser" implementations, such as Avast's SafeZone and Bitdefender's Safepay, did block the installation of malicious extensions. These offerings are designed to give users a way to bank and shop securely online using a custom browser based on Chromium, the open source project behind Google Chrome, within a secure environment similar to a sandbox.

Even though Balazs didn't find a way to install malicious extensions directly into the Avast SafeZone or Bitdefender Safepay browsers, he claims to have found a weakness that could allow an attacker to spy on traffic, even when users access HTTPS websites and their connection is encrypted.

If the victim's primary browser is Firefox, the attacker could first use social engineering to trick the victim into installing a malicious extension. He could then use that extension to download and execute a piece of malware designed to change the system-wide Internet proxy settings and to install a rogue root CA certificate into the Windows certificate store.

Chromium, along with Internet Explorer, uses the system-wide proxy settings and certificate store, so an attacker could exploit this to pass all traffic from the Avast SafeZone or Bitdefender Safepay browsers though a proxy server he controls and perform man-in-the-middle interception using the new root CA certificate added to the system.

This attack would also bypass Chromium's public-key pinning protection, which is supposed to detect whether the public keys used for the certificates of some popular websites such as Gmail or Paypal have been changed by a man-in-the-middle attacker, Balazs said.

The user will not receive any certificate warnings inside the browser because Chromium allows user-installed root CAs to override pins, a design decision explained by Google software engineer Adam Langley in a May 2011 blog post.

Windows does show a security prompt when a new CA certificate is added to the certificate store, but the malware is able to automatically confirm the action, so the user doesn't have to click anything.

A Bitdefender spokesman said Wednesday that "Safepay is designed as an additional layer of security to protect sensitive activities such as online banking or shopping. Although it has strong self protect mechanisms, Safepay is not a replacement for an AV [antivirus] product nor is promoted as such."

The product performs a security assessment to identify active malware on the computer before the secure browsing session is initiated, but if malware previously infiltrated the system and installed a rogue root certificate there is a chance that the session could be compromised, the spokesman said. "Nevertheless, this scenario is plausible when users don't have an antivirus product installed."

"We have an ongoing project that aims to discover Safepay's vulnerabilities in different scenarios (system or third-party related) and develop solutions to minimize the risks of compromised user sessions," he said. "The assessment of installed certificates on the system is at the top of our list."

Avast did not immediately provide a statement regarding this attack method.

Some security products recommended by banks to their customers and designed to prevent malware-related financial fraud were also found to lack protection against malicious browser extensions. Balazs tested six such products from different vendors, but only one blocked browser extensions in his tests.

Since then, a few more have added protection for this type of threat, but they use different approaches, he said. Some block all extensions while others detect only malicious ones, he said.

Balazs also tested Sandboxie, a program designed to isolate applications from the operating system by running them inside a sandboxed environment and preventing them from making permanent changes to other programs or data on the computer.

The product's website says that "running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially."

However, that only stops a rogue browser extension within Sandboxie from writing to local storage outside the sandbox. It can still log keystrokes and store them within the sandbox, capture images with the computer's webcam, or steal passwords and authentication cookies stored in the browser, the researcher said.

In general, malicious Firefox extensions can modify the settings of other extensions or the browser itself, but they can also indirectly modify the source files of installed extensions by downloading and executing a piece of malware designed to do this when the browser is closed, Balazs said. (The source files are locked while the browser is running.)

During a presentation Saturday at the Hacker Halted USA 2013 security conference, Balazs demonstrated how malware can insert backdoors into legitimate extensions and the effects this can have on the user's security. For his demonstration he backdoored the LastPass extension for Firefox.

LastPass is a password management service that uses a browser extension to automate form filling and website authentication. This allows users to have strong, separate passwords for all online services they use, while remembering only one master password that unlocks their encrypted password vault.

For increased security, LastPass supports two-factor authentication using the master password and one-time codes generated by physical YubiKey USB authentication devices or mobile applications such as Google Authenticator, Toopher and Duo Security.

LastPass claims on its website that it protects users against phishing scams, online fraud, and malware -- in particular key loggers. However, according to Balazs, the extension can't protect users against malware like financial Trojan programs that hook into the browser process, against other malicious browser extensions, or against local modifications of its own code.

Balazs' demonstration at Hacker Halted showed how a piece of malware could modify the code of the LastPass extension installed in Firefox so that it sends the user's master password and a YubiKey authentication code to an attacker, who could then use the information to access the user's password vault.

He released his proof-of-concept code for backdooring the LastPass extension on GitHub and said that developing it only took two hours.

Most of Balazs' recent research focused on Firefox because it's easier to trick users into installing malicious extensions in this browser by using social engineering. Unlike Firefox, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, which makes it harder for attackers to distribute malicious extensions.

Join the CSO newsletter!

Error: Please check your email address.

Tags GooglesecurityAvastbitdefendermozilla

More about AvastGoogleMozilla

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts