The Hack Millions of People Are Installing Themselves

Security-conscious users keep their operating system and other software up to date, but a huge risk is often overlooked: the underground trade of malicious browser extensions that people install themselves.

Nov 15 2018, 12:39pm

Image: Cathryn Virginia

The Weakest Link is Motherboard's third annual theme week dedicated to the future of hacking and cybersecurity.



Your internet browser is a doorway to your computer. Everyday users are installing all manner of browser extensions—small pieces of software that live inside Chrome or Firefox—to optimize their workflow, block ads, or otherwise improve their web experience. Nearly half of all users of Chrome on desktop use extensions.

But some of these add-ons, the access they have, and the supply chain around them, are increasingly being leveraged by hackers to break into millions of people’s computers, inject unwanted adverts, steal passwords, and siphon other sensitive information.

It’s time to check whether you really need all those extensions nestled inside one of the most important pieces of software you constantly use.

Extensions are in such a prime position for hackers because, depending on the purpose of the extension, they may have special permissions to access information inside the web browser. These can include access to the data on all the websites you visit, which lets the extension potentially read, request, or modify data on anything, from your online banking site to Facebook. Others may request access to your browsing history, your clipboard, or bookmarks. The security of the particular browser may be great—it is getting more and more expensive for someone to remotely hack Chrome, for example—but that protection can be undermined if a malicious extension is just sitting inside the browser.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Of course, it should be said that although an app may request access to all the data on websites you visit, that doesn’t necessarily mean an extension is really doing much with that data. The Wayback Machine extension, for instance, which is used to archive web pages, can technically read and change all of your data on the websites that you visit, but it is not manipulating what you see on a particular website.

It is still that sort of privileged access that hackers, or dodgy advertisers, may abuse though. One person running a Chrome extension told Motherboard they received a very suspicious, anonymous email that simply said “I’d like to buy your extension for Chrome,” and “Are you interested in selling it?” Another email came from Natomx, a marketing firm based in the Netherlands, which also asked if it could buy the extension outright. When the Chrome extension developer declined, they said Natomx asked how it could “monetise” the extension. Natomx did not respond to a request for comment.

Last year, hackers phished Chris Pederick, who runs Chrome Web Developer, an extension with over one million users. Once they had grabbed Pederick’s developer login details, they swapped his extension on the Chrome Web Store with their own malicious version, designed to inject adverts into users’ browsers. Then in September, someone loaded the popular Chrome extension for file sharing service MEGA with code that could steal login details for Amazon, GitHub, Microsoft, and Google accounts, as well as pinch cryptocurrency keys. And a malicious browser extension appears to be behind a recent dump of private Facebook messages. Once hackers gain control over the extension, through hacking, coercion, or otherwise, they can replace code as they see fit.

Google is pushing back, however. In October, Chromium, the open-source project behind the Chrome browser, announced the Web Store no longer allows extensions that use obfuscated code. Obfuscated code is when a program hides its true purpose, meaning it may be able to bypass anti-malware measures. Chromium wrote that over 70 percent of violating extensions blocked from the Chrome Web Store contained obfuscated code.

Both Mozilla and Google do attempt to detect malicious extensions on their respective stores. Google told Motherboard that in the event it detects a malicious extension in its Web Store, perhaps through abuse reports or code review, the company will disable the extension on every Chrome client that has it installed.

With all of that in mind, maybe remove any extensions that you no longer need on a daily basis, or ones that come from developers you’re not sure whether to trust. When you do decide to install one, check who the developer is, and if it’s the genuine company account. Also check the permissions the extension is asking for and ask yourself whether you’re prepared to hand that level of access over; it may vary depending on what the extension is. Mozilla pointed to similar advice on its website. Google told Motherboard that for extensions that can read and change data on all websites visited, users may want to restrict the extension’s access to only sites that they are comfortable with, or to click to run the extension each time.
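
The permission check described above can be run against an extension's `manifest.json` before or after installing it. The following is an added example, not part of the original article: the function name and the two sample manifests are constructed for illustration, while the permission names and match patterns are standard Chrome extension manifest values.

```python
import json

# Match patterns that cover every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions the article singles out, and what each one exposes.
SENSITIVE_APIS = {
    "history": "can read browsing history",
    "clipboardRead": "can read the clipboard",
    "bookmarks": "can read and change bookmarks",
}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 moves them
    # to "host_permissions". Content scripts carry their own "matches".
    granted = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    # Some permission entries are objects rather than strings; skip those.
    granted = [p for p in granted if isinstance(p, str)]
    injected = [m for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])]

    if ALL_SITES & set(granted):
        findings.append("can read and change data on all websites")
    elif ALL_SITES & set(injected):
        findings.append("injects scripts into all websites")
    for name, meaning in SENSITIVE_APIS.items():
        if name in granted:
            findings.append(meaning)
    return findings


# Constructed sample manifests (not taken from any real extension).
BROAD = json.loads("""{
  "name": "Example Coupon Helper", "manifest_version": 2,
  "permissions": ["<all_urls>", "history", "storage"]
}""")
NARROW = json.loads("""{
  "name": "Example Page Archiver", "manifest_version": 3,
  "permissions": ["activeTab", "storage"],
  "host_permissions": ["https://archive.example/*"]
}""")

if __name__ == "__main__":
    for m in (BROAD, NARROW):
        print(m["name"], "->", audit_manifest(m) or ["no broad access requested"])
```

An empty result only means the extension did not ask for the broad access listed here; it says nothing about what the extension does with the access it has.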