If you’ve installed add-ons or plugins in your browser (even the one that came with your computer), this may be a question you're asking yourself right now.
This week brought news that at least six more extensions for a popular browser were hijacked. Two similar attacks were uncovered only last week. In all these cases the hijackers “updated” the extensions to inject malicious code into web pages. More than a million local browser installations were affected.
At the risk of repeating myself - local browser add-ons put your data at risk. Browsers are targeted in more than 80 percent of online attacks because inherent design flaws and the security weaknesses of common internet protocols make them the most vulnerable component of your personal or business IT.
When connecting to a website, browsers indiscriminately fetch and process code from the web on the local computer. Malicious code may be hidden in a web app or passed through from an ad server on a news site.
Installing extensions for your browser increases this risk multifold. This week’s cases, as documented by researcher “Kafeine” on the Proofpoint blog, and the prior week’s cases involving the extensions Copyfish (more than 30,000 users) and Web Developer (about one million users) should serve as a wake-up call: expect - much - more of the same.
The Copyfish add-on, developed by a9t9 Software in Germany, was used to capture text from images, videos and PDFs. That is, until criminal hackers repurposed it. For details, read this post on the Tripwire blog.
The attacker(s) first hijacked the Google account the developer was using to update the extension for the Chrome browser in the Google Chrome Web Store. Then they pushed an update (“version 2.8.5”) that inserted malvertising into web pages.
The Copyfish attack impacted potentially 30,000 browsers. Google acted quickly and pulled the extension from the Web Store. Only a few days later, the widely used Web Developer extension for Chrome got hit. Same modus operandi as in the Copyfish incident - the attackers phished the developer’s Google account and then pushed out a malicious update (“version 0.4.9”) - to 1,044,000 local Chrome browsers this time. And now Kafeine's discovery.
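Both incidents followed the same pattern: a pushed update with a new version number, and code in the extension that did something the previous version did not. One thing a defender can do locally is keep a baseline of the extensions a browser has on disk and diff it after every start, so that a silently pushed version bump or newly requested access at least produces a log entry for review. The following is an added example for this post, not code from the original article or from any of the vendors named in it. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension-id>/<version>/manifest.json`; the extension ids, names, versions and permissions in the demo are constructed for illustration and do not describe what the real Copyfish or Web Developer updates contained.

```python
"""Baseline-and-diff check for locally installed Chrome extensions.

Chrome unpacks Web Store extensions under
<profile>/Extensions/<extension-id>/<version>/manifest.json.
snapshot() records id -> (version, API permissions, host access) and
diff_snapshots() reports what changed, so a pushed update that bumps the
version or widens its reach shows up instead of going unnoticed.
"""
import json
import os
import shutil
import tempfile

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def snapshot(extensions_dir):
    """Return {extension_id: {name, version, permissions, hosts}} for one profile."""
    inventory = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version_dir in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            perms = set(manifest.get("permissions", []))
            # Manifest v3 lists host patterns separately; in v2 they sit in
            # "permissions" next to API names, so pull them out by shape.
            hosts = set(manifest.get("host_permissions", []))
            hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
            inventory[ext_id] = {
                "name": manifest.get("name", ""),
                "version": manifest.get("version", version_dir),
                "permissions": sorted(perms - hosts),
                "hosts": sorted(hosts),
            }
    return inventory


def diff_snapshots(before, after):
    """Return a list of (extension_id, finding) describing changes since the baseline."""
    findings = []
    for ext_id, cur in after.items():
        prev = before.get(ext_id)
        if prev is None:
            findings.append((ext_id, "new extension installed"))
            continue
        if cur["version"] != prev["version"]:
            findings.append((ext_id, f"version changed {prev['version']} -> {cur['version']}"))
        added_perms = set(cur["permissions"]) - set(prev["permissions"])
        if added_perms:
            findings.append((ext_id, "new permissions: " + ", ".join(sorted(added_perms))))
        added_hosts = set(cur["hosts"]) - set(prev["hosts"])
        if added_hosts:
            severity = "BROAD " if added_hosts & BROAD_HOSTS else ""
            findings.append((ext_id, f"new {severity}host access: " + ", ".join(sorted(added_hosts))))
    for ext_id in before.keys() - after.keys():
        findings.append((ext_id, "extension removed"))
    return findings


def _write_manifest(root, ext_id, version, manifest):
    """Lay out <root>/<ext_id>/<version>/manifest.json the way Chrome does."""
    path = os.path.join(root, ext_id, version)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def demo():
    """Constructed scenario: baseline two extensions, then simulate a pushed update."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    try:
        ext_a = "constructedextensionidaaaaaaaaaa"  # constructed id, not a real extension
        ext_b = "constructedextensionidbbbbbbbbbb"  # constructed id, not a real extension
        _write_manifest(root, ext_a, "1.0.0", {"manifest_version": 2, "name": "Sample OCR",
                        "version": "1.0.0", "permissions": ["storage", "https://example.com/*"]})
        _write_manifest(root, ext_b, "3.2.0", {"manifest_version": 3, "name": "Sample Dev Tool",
                        "version": "3.2.0", "permissions": ["storage"],
                        "host_permissions": ["https://example.org/*"]})
        baseline = snapshot(root)
        # Simulated hijacked update: Chrome replaces the version directory, and the
        # new manifest asks for request interception on every site.
        shutil.rmtree(os.path.join(root, ext_a, "1.0.0"))
        _write_manifest(root, ext_a, "1.0.1", {"manifest_version": 2, "name": "Sample OCR",
                        "version": "1.0.1", "permissions": ["storage", "webRequest", "<all_urls>"]})
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for ext_id, finding in demo():
        print(f"{ext_id}: {finding}")
```

The check is a review trigger, not proof of compromise: a hijacked update that keeps the old manifest and only changes the bundled JavaScript produces nothing more than a version bump, which a legitimate update produces too. Hashing the unpacked extension directory alongside the manifest narrows that gap but still cannot tell a good update from a bad one, which is the author's point.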
Expect more browser extensions to get hijacked.
The hijacking of these browser extensions demonstrates how a single pwned developer account can unlock and target an - unsuspecting - “audience” of thousands or even millions of users.
Even browser market share and strict policies for web app stores ultimately cannot protect users from getting hit where it hurts their livelihood - on their computer, at home or in the office.
Do we see a trend here? Considering Dan Goodin’s post on Ars Technica today on another case in point, “Bank-fraud malware not detected by any AV hosted in Chrome Web Store. Twice,” it certainly seems that way - and it didn’t come out of nowhere:
Only a short while ago, Web of Trust (WoT), another plugin - offered as a tool for privacy protection on the internet - was found to secretly spy on its users, by design (their data was sold to a third party).
In fact, 95 percent of the data that disclosed the identity and browsing habits of web users to third parties was exfiltrated from ten widely used browser extensions, according to a report presented by security researchers at DEF CON in Las Vegas.
Browser extensions are the gift that keeps on giving for criminal hackers. For developers and users, on the other side, the increasing complexity of IT environments has led to a loss of control, lack of transparency and less security on the web.
Bad actors thrive in this environment. They find a wider attack surface and then leverage the target’s installed plugin base to exploit the inherent vulnerability of the browser.
To close the loop from the headline -
How do you know if a browser extension has been hijacked?
Simply put, you won’t. If there’s one thing we can learn from this series of attacks, it is that even the world’s largest IT companies fail to spot such cuckoo’s eggs in their app stores before they hatch - on your computer.
The good news is that there’s no law requiring you to install and run your web browser locally, risky extensions and all.
Enter the “remote browser,” ranked by Gartner analysts as one of the Top Technologies in IT Security in 2017. This week may be as good a time as ever to start using a secure remote browser.
Silo, the remote browser developed by Authentic8, renders all web content remotely in a secure container in the cloud. It provides insulation from all web-borne attacks when you or your team access the internet.
With Silo, each new browser session starts from a clean slate. All web content is processed in a secure container launched in the cloud at the beginning of the session and erased at the end. No trace of your web activities is left behind.
No code from the web (good or bad) can touch the local computer. Only a visual representation of the web page - pixels - gets back to the user, via an encrypted connection.
Last but not least, with the browser now running on Authentic8’s servers instead of on your local device, the question of whether your browser extensions can get hijacked becomes moot.
Nothing left to worry about. Enjoy the web - Silo puts you back in the driver’s seat.