Have You Ever Installed a Malicious Chrome Extension?
Malicious Chrome Extensions Pose Real Danger to Your Data and Devices. Find Out Why and How to Stay Safe.
A few months ago I was writing about my preference for using web applications due to the fact that they allow me to move between browsers tabs swiftly. Today we’ll come back to the browser security topic and we’ll find out what is a malicious Chrome extension and how it can affect the cybersecurity of your company.
Malicious Chrome Extension – Some Definitions
What is a web browser and how does it work?
A web browser is “a software application that retrieves and displays information from a server including web pages, text, images, videos, and other content.”
How does it work? SmartBear nicely describes the process:
The first browser appeared in 1990, created by W3C Director Tim Berners-Lee. It was called The WorldWideWeb, but was renamed Nexus to avoid any confusions. Nexus was a browser-editor, allowing users to also create pages, not only browse them.
In the following years, other browsers were developed: Lynx in 1992, Mosaic in 1993, Netscape Navigator in 1994, Microsoft’s Internet Explorer in 1995, Opera in 1998, Apple’s Safari in 2003, Mozilla’s Firefox in 2004, Mobile Safari in 2007, Google Chrome in 2008, Opera Mini in 2011 and Microsoft Edge in 2015.
What is a browser extension?
As their name suggests, browser extensions are pieces of software that “extend your web browser with additional features, modify web pages, and integrate your browser with the other services you use.” Evernote, Grammarly, LastPass, JoinTabs ar a few browser extension examples.
Are browser extensions safe?
Well, as the European Union Agency for Cybersecurity notes,
Malicious Chrome Extension – Some Details
As StatCounter clearly shows, Google Chrome is the most commonly used browser, so let’s see how a malicious Chrome extension can affect it.
Chances are you also read this article using Chrome, so pay attention.
According to various investigations, a malicious Chrome extension can redirect users to ads or phishing sites, collect browsing history, collect personal data like birth dates, email addresses, active devices and even download further malware onto a device.
Malicious Chrome extensions can be created with malicious code from the start or they can be “updated” with malicious code once they gain a certain level of popularity.
Examples of a malicious Chrome extension:
The following list includes examples of Chrome extensions that proved to be malicious: “Direct Message for Instagram, DM for Instagram, Invisible mode for Instagram Direct Message, Downloader for Instagram, App Phone for Instagram, Stories for Instagram, Universal Video Downloader, Video Downloader for FaceBook™, Vimeo™ Video Downloader, Zoomer for Instagram and Facebook, VK UnBlock. Works fast., Odnoklassniki UnBlock. Works quickly, Upload photo to Instagram™, Spotify Music Downloader, The New York Times News.”
It was discovered that other Chrome extensions “contained code to bypass Google’s Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).”
Some of these extensions, which seem to have the same codebase and graphics and probably the same creator, were discovered in the networks of companies from various domains: healthcare and pharmaceutics, oil and gas, financial services, high-tech, even higher education and government organisations.
Tom’s Guide also points out a few malicious Chrome extensions that you can check manually:
Right-click or control-click the icon of a running extension in the upper right corner of the browser, and select “Manage extensions.” A new tab will open describing the extension, and in the address bar of the tab, you’ll see something that looks like “chrome://extensions/?id=oiigbmnaadbkfbmpbfijlflahbdbdgdf.”
That long string of gibberish is a 32-character extension ID. Compare each of your extensions’ IDs to the list below, and if anything matches, remove the extension.
Moreover, a malicious Chrome extension can be dangerous because it can be used as an attack vector in XSS injections. In the case of Cross-Site Scripting attacks, a malicious script is injected into otherwise benign and trusted websites.
Malicious Chrome Extension – Prevention Strategy
Having a malicious entity tracking and receiving information about your online activity is particularly dangerous for business owners and their companies. Business documents, customers details, revenue lists – employees access this kind of data and more on a daily basis. Probably online, using Office 365, Dropbox, Google Drive, and probably on Chrome. Certainly, you don’t want this data to fall in the wrong hands.
Fortunately, when Google is notified about the existence of a malicious Chrome extension, they disable it: “<<When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses>> said Scott Westover, a Google spokesperson, in a statement.”
There are also a few prevention measures you can adopt, as the European Union Agency for Cybersecurity notes:
Report suspected malicious extension behaviour to the browser store immediately.
Regularly check installed extensions, and remove those that are no longer needed. The more extensions installed, the greater the risk of malicious behaviour or a vulnerability to emerge, so keep them to a minimum.
Pay attention to the number of installs and reviews an extension has received (this information is available per extension in each browser’s store ). An extension with very few users (downloads), few reviews, or negative reviews, is something one should probably avoid, while an extension with a large number of users and positive reviews should be safer. Unfortunately, this isn’t always true, so always exercise caution!
Official extensions made by companies associated with a service should pose less risk, e.g. Microsoft’s or Google’s extensions are probably safer than extensions made by someone you’ve never heard of. Again this is not always true thus the user should always be cautious.
Before installing, read the information supplied with the extension, especially any permissions required, and avoid installing any extension that appears to require too many permissions or may infringe one’s privacy. Moreover, visit the developer’s website – they often provide details of the permissions.
Avoid downloading extensions outside the stores, and be extra careful if side-loading cannot be avoided.
Moreover, it’s very important to have an antivirus software with a powerful firewall installed. Our Heimdal™ Next-gen Endpoint Antivirus will help you prevent incoming attacks and isolate devices when needed.
You can find more advice on how to safely use web applications here.
Malicious Chrome Extension – Wrapping Up
Extensions can be really helpful when it comes to accomplishing our day to day tasks or just boosting our creativity, but they can also turn out to be real menaces. Always pay attention to the extensions you want to install and the permissions they request.
Also, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!
Thank you for your comment! In this case, it might be useful to check / change your passwords, just to be sure.
I installed a extension a few weeks ago called “easy screen recorder” or something today google removed it from all browser for being malicious I am wondering if it collected any clipboard or password data.