Browser extensions: Hidden behind good, can be very bad


Visiting a website is a standard task for anyone who uses the internet. The primary tool for viewing or visiting a website is a web browser. A web browser renders web pages and displays a multiplicity of elements such as graphics, text, dynamic content, video, advertisements, etc. Oftentimes there are ‘plugins’ or ‘extensions’ that allow users to execute certain actions quickly and efficiently.

What is a browser extension? A browser extension is a plug-in that extends the functionality of a web browser. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. These so-called browser extensions have become very popular in the era of unrelenting advertisement, paywalls and pop-ups that aggressively target users during browsing sessions. As a result, certain extensions such as ‘ad-blocker’, ‘script blockers’ or ‘no cookies’ have become very popular, as they reduce the avalanche of needless, aggressively targeted content.

Figure: ad-block extension for Chrome.

As these extensions have become popular, the attention of malicious actors has shifted towards them, and in many cases they provide an effective means to compromise a very large number of victims.

One feature of this attack vector is that victims may actually use the malicious browser extension's functionality, while in the background of these ‘useful’ or ‘neat’ functionalities a number of malicious operations might be performed.

This happens because browser extensions usually run with the user’s session privileges, which allows escalation of privileges and many post-exploitation payloads, such as keylogging, access to video and audio, downloading malicious files, using computing resources, and establishing persistence on the compromised host.
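As an added example (not part of the original post or of the advisory it refers to), the following JavaScript shows one defensive check for the payload types listed above: reading an extension's `manifest.json` and flagging the declared permissions that would make each payload possible. The `RISK_MAP` grouping, the function name and both sample manifests are assumptions constructed for this illustration.

```javascript
// Added example. RISK_MAP groupings are this example's assumption, not an official rating.
const RISK_MAP = {
  "keylogging / page capture": ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"],
  "audio / video access": ["tabCapture", "desktopCapture"],
  "file download": ["downloads"],
  "persistence": ["background", "management", "nativeMessaging"],
  "session / traffic access": ["cookies", "webRequest", "proxy", "debugger"],
};

// Returns [{ risk, hits }] for every risk class the manifest's declarations touch.
function auditManifest(manifest) {
  // Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
  const declared = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ]);
  // Content scripts injected into every site can observe keystrokes and form data.
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) declared.add(pattern);
  }
  const findings = [];
  for (const [risk, markers] of Object.entries(RISK_MAP)) {
    const hits = markers.filter((m) => declared.has(m));
    if (hits.length > 0) findings.push({ risk, hits });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = {
  manifest_version: 3,
  name: "Constructed Coupon Helper",
  permissions: ["storage", "downloads", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
const SAMPLE_NARROW = {
  manifest_version: 3,
  name: "Constructed Site Notes",
  permissions: ["storage", "activeTab"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["notes.js"] }],
};

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW]) {
  const found = auditManifest(m).map((f) => `${f.risk}: ${f.hits.join(", ")}`);
  console.log(m.name, "->", found.length ? found.join(" | ") : "no broad permissions");
}
```

A finding means the extension is able to perform that class of action, not that it does; and a mining payload needs no special permission, so this check only narrows which extensions deserve a closer look.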

Recent reports indicate that this attack vector is being used to deliver the very popular cryptocurrency mining payload. In our latest threat advisory, we outline the different ways attackers can deliver malicious browser extensions, proof of exploitation, and detection and defense measures against this type of attack vector.

To access the in-depth Threat Advisory, click here.

