Are You Using Browser Extensions? Security Practices You Need To Know
I humbly took a hard slap on my face. Facepalm! What have I done?!
I deserved it. I was complacent. I gave my trust away too easily.
No, I’m not talking about romantic relationships. But this one is a truly heartbreaking truth, and I miss my favorite, AdBlock.
Yes. I’m referring to browser extensions.
My conscience had been nudging me to check the security status of browser extensions before my first ever download.
Sadly, I never listened. And now, I’m left with a broken heart.
Here’s my story.
I’ve been married for years to more than five browser extensions on Chrome. I’m fond of saying “there’s an app for that.”
I like working smarter rather than harder, and I leverage applications and productivity tools to help me manage stress at work.
I easily get annoyed with popups and adverts so I grabbed help from AdBlock to keep me from seeing ads.
When I like to keep track of my sent emails, I have Mailtracker.
I use AutoPagerize to automatically load the next pages of a website so search results appear as one continuous list.
There’s SearchPreview, which lets me preview the contents of a link or website before I click on it.
Whenever I need something, I look for an app and download it right away. Yes, I’ve been a fool!
Work was easier and smooth sailing with the help of applications and browser extensions.
Until I finally read the news and articles on browser extension security.
Before I share with you some security practices for using Chrome browser extensions, allow me to first share the dangers of using them.
What dangers are you facing?
- Malicious intent
We’ve discussed in our previous article that one of the not-so-hidden agendas of cybercriminals is to sell stolen data on the darknet to the highest-bidding brokers for instant, easy money.
Alongside public WiFi and chargers and unsolicited, suspicious links and email attachments, browser extensions are another scheme hackers use to prey on users’ security and data.
Browser extensions have access to everything you do online. Hackers creatively use this access to lurk on their prey.
Tons of browser extensions are created to spy on people’s browsing habits and steal personal information, including passwords for various accounts.
In August 2014, researchers at the University of California conducted an analysis of malicious behavior in browser extensions and found that 130 of the 48,000 extensions examined from the Chrome Web Store were malicious and another 4,700 exhibited suspicious behavior.
Other proof and examples will be cited in a little while.
- Plug-in vulnerabilities
A plug-in is a piece of software that enhances another application and usually can be run independently (e.g. Adobe Flash, Flash Player, Java). Plug-ins work hand-in-hand with web browsers, and some browser extensions work in tandem with plug-ins to improve the user’s browsing experience.
What’s so scary about plugin vulnerabilities?
- Placing links on your site in an effort to boost their own site’s SEO
- Installing malicious code onto your site
- Redirecting your site visitors to other sites rather than staying on yours
- Using your server resources for things like spam email and DDoS attacks
- Keylogging
Keystroke logging, popularly called keylogging, uses software or hardware that secretly records every keystroke in order to monitor and capture any desired information.
Keyloggers are often used by employers to monitor their employees’ activity and make sure computers are used for business purposes only. They’re also used by parents to monitor their children’s online activities.
However, cybercriminals have also adapted keyloggers and deliver them through browser extensions.
A browser extension can function as a keylogger, and you already know what that can do.
“It could function as a keylogger to capture your passwords and credit card details, insert advertisements into the pages you view, redirect your search traffic elsewhere, track everything you do online—or all these things. If an extension needs to scan your receipts or other small things, it probably has permission to scan your email for everything—which is extremely dangerous.”
More Proof of Unsecure Chrome Extensions
- Web Developer for Chrome
In August 2017, the account of the Web Developer for Chrome browser extension, which had more than 1M users, was hacked and an updated version, 0.4.9, was uploaded containing potentially malicious pop-ups and credential theft. The author of the software announced the incident on his Twitter account.
- Browse-Secure for Chrome
The Browse-Secure for Chrome extension was supposed to keep users secure while browsing the internet, with a tagline saying “Keep your search secure with Browse-Secure: the anonymous, encrypted search engine and privacy tool.”
However, it did not live up to its tagline. Instead, the extension modified the user’s web browser settings to display unwanted and annoying pop-up ads.
The extension connected to Facebook and LinkedIn and tried to harvest personal information from the logged-in accounts.
It also carried a virus that corrupted and replaced the user’s existing home page, browser search page and error page with its own website, browser-secure.com.
All this was done without the user’s permission.
- LastPass: Free Password Manager
Google’s Project Zero researcher Tavis Ormandy reported two security vulnerabilities in a popular browser extension with more than 6.5M users, LastPass, on March 15, 2017.
This issue was confirmed by the LastPass team themselves saying, “An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass userbase) were further susceptible to remote exploit when lured to a malicious website.”
So, WHAT CAN YOU DO?
- Use limited browser extensions
Use only a few, trusted browser extensions. The fewer you use, the lower your chances of being hacked by cybercriminals through vicious extensions.
Take a minimalist approach.
“Taking a minimalist approach may seem like it will hurt your productivity, but … the actual usefulness of browser add-ons makes it clear that it would be better to remove most of your currently existing customizations.”
Additionally, if you want a drastic move, you can stop using browser extensions altogether.
Even though not all browser extensions have security issues, not using any lowers your chances even further of having a third-party server prying on your data.
If you value security but can’t break up with your favorite browser extensions, you can still stop making it easy for hackers to steal your data.
- Pay attention to permissions
Before downloading an extension, make sure to inspect the permission requests first.
According to Google Chrome Privacy, “Before installing an add-on, you should review the requested permissions. Add-ons can have permission to do various things, like:
- Store, access, and share data stored locally or in your Google Drive account
- View and access content on websites you visit
- Use notifications that are sent through Google servers
Some add-ons might require access to a unique identifier for digital rights management or for delivery of push messaging. You can disable the use of identifiers by removing the add-on from Chrome.”
Below are permission levels from Chrome Web Store Help that should help you decide:
When the permission requires access to all data on your computer and the websites you visit, it means that the app or extension can access almost anything. This could be your webcam or personal files, inside or outside of your browser.
These alerts may request access to:
- Your data on all the websites you visit – the app or extension has access to read, request or modify data from every page you visit (bank account, Facebook).
- Your data on a list of websites – the app or extension has access to read, request or modify data on pages you visit on a list of specified websites.
This requests access to:
- Your list of installed apps, extensions and themes – the app or extension can enable, disable, uninstall or launch themes, extensions, and apps you have installed.
- Your bookmarks – the app or extension can read, change, add to, and organize your bookmarks.
- Your browsing history – the app or extension can read and erase your browsing history.
- Your tabs and browsing activity – the app or extension can see the URLs and titles of websites you visit. It can also open and close tabs and windows, as well as navigate to new pages in open tabs and windows.
- Your physical location – the app or extension can use the current location of your computer or device.
- Data you copy and paste – the app or extension can access information you’ve copied and pasted.
Optional permissions ask you to allow or deny a permission after the app or extension has been installed. Once you allow optional permissions, you can’t change them afterwards.
“What exactly an extension can see depends on its permissions, which you accepted (like it or not) when you installed it.”
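As an added example (not code from the original post), the following Python script audits an extension’s manifest.json against the permission levels listed above: it flags host patterns that cover every website you visit, names the API permissions from the alert list, and marks optional permissions that will be requested after install. The sample manifest is constructed for illustration, and the high/medium/low labels are the script’s own.

```python
import json

# Host patterns that match every website (the "all websites you visit" alert level above).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions from the Chrome Web Store alert list, mapped to what they allow.
API_PERMISSIONS = {
    "management": "enable, disable, uninstall or launch your installed apps, extensions and themes",
    "bookmarks": "read, change, add to and organize your bookmarks",
    "history": "read and erase your browsing history",
    "tabs": "see URLs and titles of sites you visit; open, close and navigate tabs",
    "geolocation": "use your physical location",
    "clipboardRead": "read data you copy and paste",
}

def classify(perm):
    """Map one manifest entry to (level, explanation) using the alert levels above."""
    if perm in ALL_SITES:
        return "high", "read, request or modify data on every page you visit"
    if "://" in perm:  # any other match pattern names specific sites
        return "medium", f"read, request or modify data on pages matching {perm}"
    if perm in API_PERMISSIONS:
        return "medium", API_PERMISSIONS[perm]
    return "low", "not in the alert list; check what it grants before installing"

def audit_manifest(manifest):
    """Return [(level, permission, explanation)] for a parsed manifest.json (MV2 or MV3)."""
    optional_note = " (optional, requested after install)"
    findings = []
    for key, note in (("permissions", ""), ("host_permissions", ""),
                      ("optional_permissions", optional_note),
                      ("optional_host_permissions", optional_note)):
        for perm in manifest.get(key, []):
            level, why = classify(perm)
            findings.append((level, perm, why + note))
    # Most dangerous first, so the "all websites" grants show at the top.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample (not a real extension) resembling an ad blocker's MV3 manifest.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Blocker",
  "permissions": ["storage", "tabs", "declarativeNetRequest"],
  "host_permissions": ["<all_urls>"],
  "optional_permissions": ["history"]
}""")

if __name__ == "__main__":
    for level, perm, why in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{level:6}] {perm}: {why}")
```

To audit an installed extension, load its manifest.json from the browser’s extensions directory with json.load and pass the result to audit_manifest.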
- Install extensions ONLY from trusted authors
Download and install extensions from legitimate and trusted authors ONLY. Although this does not guarantee complete protection, as the Web Developer for Chrome incident shows, it does weed out suspicious extensions from wicked authors.
Take this tip from ENISA, “Official extensions made by companies associated with a service should pose less risk, e.g. Microsoft’s or Google’s extensions are probably safer than extensions made by someone you’ve never heard of. Again this is not always true thus the user should always be cautious.”
- Verify, Verify, Verify
Before downloading any browser extension, verifying the publisher must be your top priority.
There are extensions named to look like extensions from major companies.
Always check and verify the extension and ensure that you’re not falling into the hands of cybercriminals.
You may also want to check the reviews for red flags. Check if there are any suspicious behaviors reported against the extension.
Know that authors with malicious intent can use bots to inflate ratings, tricking users into thinking that an extension’s positive ratings prove its legitimacy.
Reality teaches us to be extra careful at all times.
We should always wear our digital armor and think twice before installing anything online.
Whether we like it or not, security risks lurk everywhere we go.
But one thing is for sure: there are companies coming up with the best solutions for security risks.
Dead Drop Software is one of them. It’s an online collaboration tool that’s built with bank-level security, protecting its users from prying eyes and devious hackers.
Let’s not be fooled, and let’s stop staying blind. Be wisely skeptical of any scheme.
In the end, we can only blame ourselves for our complacency.