Gee Thanks, Google - Why Your Chrome Extensions May be Spying on You

Joe CISO on May 03, 2018

Think you know how to spot a fake?

If you're anything like the 20 million Google Chrome users who downloaded fake ad blocking extensions from the Chrome Web Store, you might need to brush up on your sleuthing skills.

Andrey Meshkov, creator of the popular (and legitimate) ad blocking extension AdGuard, announced recently that his firm had discovered five completely bogus ad blocking extensions sitting in the Chrome Web Store. These extensions looked a lot like the real deal but were nothing more than a (semi) clever way for hackers to get their paws inside their users’ browsers. AdRemover, which boasted over 10 million users until it was taken down, was found to contain hidden code that let its creators track users’ browsing, harvest data and change browser behavior.

What’s more, these malicious, Chrome-approved extensions used spammy keyword stuffing to rank higher in Web Store searches, so unsuspecting users installed them more often than the legitimate blockers they imitated.

Thankfully, this batch of rogue extensions has now been removed from the Chrome Web Store. But considering that the store has a long history of approving less-than-trustworthy tools, it’s a safe bet that this won't be the last time fakeouts like these rear their contemptible heads. Extensions like these can capture passwords, redirect web searches, alter the web pages you visit and display ads you wouldn’t otherwise have seen, among other misdeeds. And until the vetting process becomes more thorough, hackers will keep submitting extensions and apps that can steal or spy on your data.

Even Good Extensions can be Dangerous

But here is the real truth: even completely legitimate extensions can compromise your browser’s security in ways that may surprise you. Users often think of extensions as useful or playful tools that enhance their online experience - who wouldn’t want an extension that replaces every instance of the word “millennial” with “snake people”? But even the good ones often need permissions such as “Read and change all your data on the websites you visit”, which let the developer, or whoever later controls the extension’s update channel, see everything you do online.

Moreover, there have been all too many cases of legitimate extensions being hijacked and weaponized, often after the developer’s Web Store account was phished, to deliver malware or phishing pages to their installed base. Others, like the popular Grammarly extension, have had unintentional yet critical flaws that put users at risk. Some, like Particle, start out innocent enough but are later sold to malicious actors, who weaponize them by pushing a malicious update through the same auto-update channel users already trust. Then consider that individuals and organizations alike frequently forget to update and patch these tools, and you have the makings of a potentially perilous situation.

[Image: Google search results with “millennials” rendered as “snake people” by the extension]

Preventing Browser-based Attacks

Traditional solutions do little to prevent attacks like these. Gartner observes that “almost all successful attacks originate from the public internet, and browser-based attacks are the leading source of attacks on users”. The trouble is that almost all companies (96 percent, according to our research) allow employees to browse the public internet on work devices connected to the local network, with most of our survey respondents indicating that employees need internet access for work-related research. All this browsing exposes your network and endpoints to all kinds of websites, browser extensions and online apps, which translates into a whole lot of exposure.

If you really want to prevent browser-based exploits, such as rogue extensions, from breaching your endpoints, you’ll need to keep all user browsing isolated and contained somewhere it can’t do any harm. With remote browser isolation, browser-borne exploits that users encounter can no longer reach their local devices. All active browser-executable code runs in a disposable container hosted outside the network (in the DMZ or cloud), so all the endpoint receives is a safe, interactive content stream. When the user closes a tab or stops browsing, the container is discarded along with any malicious code picked up during the session. The result is that your users can browse securely, with no noticeable impact on productivity. One caveat: isolation keeps web content off the endpoint, but an extension that is already installed in the local browser runs on the endpoint itself, so isolation should be paired with control over which extensions users are allowed to install.

Meanwhile, it’s a good idea to educate yourself and your users to recognize fake or malicious extensions and apps when you come across them. Take time to read the descriptions, and be wary of any that read as spammy or keyword-stuffed. Make sure you recognize the developer, or can at least verify their credibility. Last but not least, understand what the tool is requesting access to before you click “Add to Chrome”. If it’s a simple ad blocker but wants to read your browsing history, your clipboard or your email, you can rest assured it’s up to no good.
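As an added example (not code from the original post, from AdGuard or from Google), the following script does mechanically what the advice above, and the permissions warning in the “Even Good Extensions” section, ask a person to do by eye: it reads a Chrome extension’s manifest.json, compares what the extension requests against what its stated category plausibly needs, and flags the rest. The SENSITIVE descriptions, the ad-blocker BASELINE and the two sample manifests are constructed for this example and are not real Web Store listings.

```javascript
// Added example, not code from the original post, AdGuard or Google: audit a Chrome
// extension's manifest.json for requests that are out of proportion to what the
// extension says it does. The SENSITIVE notes and the ad-blocker BASELINE are this
// example's own assumptions, not a list published by Chrome.

// API permissions that let an extension see or change far more than page content.
const SENSITIVE = {
  history: "read the entire browsing history",
  cookies: "read session cookies for every permitted site",
  nativeMessaging: "talk to native programs on the endpoint",
  management: "enumerate and disable other extensions, including security tools",
  proxy: "route all browser traffic through a proxy of its choosing",
  debugger: "attach the DevTools protocol to tabs (keystrokes, DOM, network)",
  clipboardRead: "read the clipboard",
  identity: "obtain an OAuth token for the signed-in Google account",
  webNavigation: "observe every navigation in every tab",
  downloads: "start and inspect file downloads",
};

// What an ad blocker plausibly needs (assumption): it must see every page to filter
// requests, so broad host access and webRequest are expected for this category and
// are not flagged on their own. Other categories get an empty baseline.
const BASELINE = {
  "ad blocker": new Set([
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "storage", "unlimitedStorage", "tabs", "contextMenus", "alarms",
  ]),
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

// Manifest V2 lets content_security_policy allow remote script hosts or 'unsafe-eval';
// either means the code reviewed at install time can be replaced later without a
// new version going through the Web Store.
function remoteScriptSources(csp) {
  if (typeof csp !== "string") return [];
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
  if (!directive) return [];
  return directive
    .split(/\s+/)
    .slice(1)
    .filter((src) => src === "'unsafe-eval'" || /^(https?:|\*)/.test(src));
}

// Audit one manifest.json string against a stated category.
// Returns { name, version, findings, suspicious }.
function auditManifest(manifestJson, category) {
  const m = JSON.parse(manifestJson);
  const baseline = BASELINE[category] || new Set();
  // MV2 mixes API and host permissions in one array; MV3 splits hosts out.
  const requested = [
    ...(m.permissions || []),
    ...(m.optional_permissions || []),
    ...(m.host_permissions || []),
  ];
  const findings = [];
  for (const p of requested) {
    if (baseline.has(p)) continue;
    if (hasOwn(SENSITIVE, p)) findings.push(`${p}: ${SENSITIVE[p]}`);
    else if (isBroadHost(p)) findings.push(`${p}: access to every site the user visits`);
  }
  for (const src of remoteScriptSources(m.content_security_policy)) {
    findings.push(`content_security_policy allows script from ${src}: code can change after review`);
  }
  return { name: m.name, version: m.version, findings, suspicious: findings.length > 0 };
}

// Constructed sample manifests for illustration; neither is a real Web Store listing.
const PLAUSIBLE_BLOCKER = JSON.stringify({
  manifest_version: 2, name: "Example Blocker", version: "1.0",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "storage", "tabs"],
});
const OVERREACHING_BLOCKER = JSON.stringify({
  manifest_version: 2, name: "Example Ad Remover Pro", version: "2.3",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "storage",
                "history", "cookies", "nativeMessaging"],
  content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
});

for (const manifest of [PLAUSIBLE_BLOCKER, OVERREACHING_BLOCKER]) {
  const r = auditManifest(manifest, "ad blocker");
  console.log(`${r.name} ${r.version}: ${r.suspicious ? "REVIEW BEFORE INSTALL" : "consistent with an ad blocker"}`);
  for (const f of r.findings) console.log("  - " + f);
}
```

Run it with node: the first manifest passes, the second is flagged on history, cookies, nativeMessaging and the remote script host in its content_security_policy. That last check is the one that matters most for the cases the post describes, since an extension whose CSP lets it load script from a remote host can change what it does after Web Store review without ever shipping a new version. Broad host access such as `<all_urls>` is deliberately not flagged for an ad blocker, because a blocker cannot work without it; the signal is what it asks for beyond that.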

As long as the Chrome Web Store keeps its acceptance standards relatively low, you can be certain this is one attack vector that hackers will continue to pursue. 

Author

Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software