Hyas Blog | Protecting Yourself from Malicious Browser Extensions
Browser extension-based malware can range from annoying to catastrophic, but following these tips will help keep your home network safe.
Few would argue that browser extensions aren't useful. They have the ability to add valuable functionality to your browser (password managers, ad-blocking, automatic translations, etc.), and every major brand has implemented them into their product in some manner, including Safari, Firefox, Chrome, and Chromium-based browsers. In fact, as a personal aside, I have become so dependent on extensions that the first thing I do after setting up a new computer is to download Firefox and install my three favorites immediately.
While these extensions are useful and generally easy to use, they can still put their users at risk. Unfortunately, security is often at odds with utility, and the tension between these two ideals goes both ways. For instance, data that is stored offline in a vault is very secure, but not very useful, while on the other hand, accessing a website without having to log in or use two-factor identification (2FA) makes the experience easy for the user but is not very secure.
The same principle applies to browser extensions. To offer the most utility, they benefit from having broad, comprehensive access to browser data — like being able to read all the text on every visited page, see or alter all inputs, interact with websites, and so forth.
These potential vulnerabilities make it hard to enforce strict security policies on the browser. Sure, there is a permission system in place, but many extensions require potentially "dangerous" permissions, such as "read and change all your data on all websites,” just to be able to use them. This means most security enforcement ultimately falls on the browser vendors, who run extensions through an analysis and vetting process before putting them on their respective official store, marketplace, or repository.
Assessing the Threat
But as much as Google, Mozilla, Apple, Microsoft do to prevent malicious extensions, they cannot catch everything. Bad actors know this, and that's why creating and submitting malicious extensions has become a popular attack vector, as there is a fair chance it will get through. The vast majority of people do the vast majority of their work in their browser, so using malicious extensions to gain complete access is the Holy Grail for hackers.
Unfortunately, this leaves us in a giant never-ending cat-and-mouse game between hackers and browser vendors. And make no mistake, it is a big cat-and-mouse game. Doing a web search for "malicious browser extensions removed" will return numerous articles that note how many malicious extensions browser vendors have removed from their platforms. In just a few years, this number has grown into the thousands — impacting millions of people who just want to get some extra functionality out of their browser. Instead, they get force-fed ads, have their homepages changed, or worse, have their crypto currency stolen, bank accounts compromised, credit card details stolen, work credentials harvested, or session cookies exfiltrated, among other potential compromises.
This situation presents a huge problem for companies. Bad extensions could provide initial access to their systems by harvesting user credentials or may even be used to download non-browser malware onto the user’s device to gain an initial foothold into the company's network.
Targeting Personal Users
However, these malicious extensions more often target regular end users than businesses, since they are more likely to install extensions, and bad actors are incentivized to spread the malicious extension as widely as possible. Often, malicious extensions generate money based on the number of people who install and use them, such as those designed to inject unwanted ads or affiliation cookies. But make no mistake, hackers would be just as happy to access your bank account and credit card details as well.
So what's the best way to stay safe without avoiding extensions entirely? Just like most cyber security advice, it cannot be boiled down to just one thing. You should always start by investigating the extension you are considering before installing it. An extension that has many downloads is generally (but not always!) safer, because there is a greater chance that existing users would have already detected bad behavior. Going to the developer's website can also offer some clues. If it is published by a well-known developer or company, it is probably safe. Depending on your browser of choice, their official extension stores may offer some additional validation, such as a "verified" label for Chrome or a "recommended" label for Firefox. Thus, when choosing between different extensions with the same functionality, it is a safer bet to go with the one with a "verified" or "recommended" label. Finally, take the time to verify the required permissions yourself and see if they make sense. An extension that claims to add functionality to YouTube but requests permission to access all data for all websites should send up a red flag.
Thoroughly scrutinizing an extension before you install it will help keep you safe, but it only minimizes the risk of exposure to malicious extensions — it doesn’t eliminate it. One thing that many malicious extensions have in common is that they must communicate with outside infrastructure that is owned by the threat actor behind the malicious extension. Afterall, what good is it to harvest credentials, steal session cookies, or copy credit card details if the information can’t be sent back to the extension’s author? Malicious extensions must also communicate with their command and control in order to download additional malware or to receive instructions to reactivate after a period of dormancy. Having a solution in place that blocks communication to the threat actor infrastructure will effectively neutralize these malicious extensions. If they are unable to "call home,” the extensions cannot fulfill their intended goal, preventing any damage they would have otherwise caused.
Enterprise Security at Home
For years, businesses have been able to use HYAS Protect to block communication to threat actor infrastructure by using advanced DNS filtering. Now, personal users can protect themselves and their families with the same enterprise-level security they enjoy at work with HYAS Protect At Home. Setup takes just minutes, and once in place, HYAS Protect At Home will actively block communication with threat actor infrastructure via DNS filtering.