And by "gone awry" I of course mean "turned into malware". At the start of this year I wrote about how not knowing who's in charge of the code running in your browser extensions can lead to those extensions becoming malware behind your back. Well, recently one such illicit campaign turned over four million browsers into spyware.
While I'll just summarize here, feel free to read about the details and see a list of some of the affected extensions. Not only did the responsible party release extensions that were malware from the start, but a number of them were once legitimate and transformed into malware without the user (or Google or Microsoft) being aware. These are the scary ones. All of them shared the same resultant action, though: repeatedly connecting to a server and executing code payloads.
"These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access," security researcher Tuval Admoni said in a report shared with The Hacker News. "They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
To make matters worse, one of the extensions, Clean Master, was featured and verified by Google at one point. This trust-building exercise allowed the attackers to expand their user base and silently issue malicious updates years later without attracting any suspicion.
One issue that I brought up in my previous post is that nefarious actors will offer to buy out popular extensions for cash monies and then update them into malware. Not all of these bad extensions are "sleepers" or written expressly to eventually take advantage of the extension system. Sometimes the original author just sells out, which is fine, but they do so to the wrong person/group. The end result is the same regardless.
The problem is as it always was: Browsers ask you to approve an extension's access to your data once and that seems to apply forever. There's somehow no real protection against an extension being updated to do dirty deeds ⸺ and despite all of the technology available to the world right now, Google's and Microsoft's systems for detecting and stopping malware are very clearly shit at their job. So long as the new malware version doesn't require new permissions, the access you granted to the extension potentially years ago still applies.
But it ultimately doesn't even matter if an extension asks for more access to your data after being updated. Most people will blindly accept it just as most people blindly accept various terms of service without reading them. You may have been using an extension for years, so one day when it asks for more permissions, you might go "Hm. That's a little weird." before granting new access. With a single well-intentioned but uneducated click you can enable spyware that lives inside your browser and sees everything you do with it ⸺ and more.
Aside from falling for AI scams, installing browser extensions is basically the most dangerous thing any random person gets up to online these days. There's no way to be truly safe, no panacea as in Real Life™, but you can minimize the chances of falling victim to this clear weak point in most people's data security by following some basic guidelines:
- Don't install random extensions just because, or because it sounds cool. Make sure there's an explicit problem you're trying to solve. Keep the number of extensions you're running as low as possible, and know that most alleged performance-enhancing extensions are bunk. If it were so easy to improve performance that a random guy can do it in an extension, don't you think the browser's developers would've figured it out?
- Don't install extensions (or other applications) from third-party sources like aggregators or "review" sites or listicle content farms. One such site that came up in my recent googles is Softonic. It's an old site, and it might be "fine" in general, but getting software from an unrelated third-party source, adding a middleman where none needs to be, is just asking for trouble. Always install browser extensions from the official browser-branded site for such things ⸺ or do it the hard way and install it from its source code repository.
- Relatedly, don't install an extension that doesn't link to its source code repository on said browser-branded extension sites. If an extension doesn't want you to see its source code, there's probably a reason for that. One of those reasons may be that it's a closed-source "premium" extension. Sounds a little crazy to me, but I bet that whatever service they're offering has a free and open-source competitor available. Granted, linking to some source code is not a guarantee the extension is safe, but it does drastically reduce the odds of it doing naughty things.
- Don't install any extension that uses the brand of another in its name. In the list of affected extensions in the article above, there's one called "OneTab Plus: Tab Manage & Productivity" that's stealing the name OneTab from a legitimate extension to trick users into thinking this new version is also legitimate. If a "Plus" or "Improved" or otherwise allegedly better version doesn't have the same author as the original, odds are good the extension is not there for a good reason.
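As an added illustration of the "approved once, applies forever" point and the vetting guidelines above, here is a small Python script (not from the original post) that reads an extension's manifest.json and summarizes what the granted permissions let it do; the sample manifest is constructed, and the Chrome/Edge profile layout used by scan_profile is an assumption.

```python
import json
from pathlib import Path

# Constructed sample manifest (MV3) with the kind of access a spyware
# extension needs: every site, tab tracking, history, scheduled check-ins.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Cleaner",  # hypothetical name, not a real extension
    "version": "4.2.0",
    "permissions": ["tabs", "history", "storage", "alarms"],
    "host_permissions": ["<all_urls>"],
    "homepage_url": "",  # no link to a project page or source repo
})

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {
    "tabs": "sees the URL and title of every open tab",
    "history": "reads your browsing history",
    "cookies": "reads cookies for sites it has host access to",
    "webRequest": "observes network requests",
    "scripting": "injects scripts into pages it has host access to",
    "alarms": "runs code on a schedule (e.g. hourly check-ins)",
}
SPY_PERMS = {"tabs", "history", "cookies", "webRequest", "scripting"}

def assess_manifest(text: str) -> dict:
    """Summarize what an extension manifest lets the extension do."""
    m = json.loads(text)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # MV2 lists host match patterns inside "permissions"
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    all_sites = bool(hosts & BROAD_HOSTS)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    if all_sites and perms & SPY_PERMS:
        risk = "high"    # can watch and script every site you visit
    elif all_sites or perms & SPY_PERMS:
        risk = "medium"
    else:
        risk = "low"
    return {"name": m.get("name"), "all_sites": all_sites,
            "sensitive": sensitive, "risk": risk,
            "has_homepage": bool(m.get("homepage_url"))}

def scan_profile(extensions_dir: str) -> list[dict]:
    """Assess every extension under <profile>/Extensions/<id>/<version>/."""
    results = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        r = assess_manifest(mf.read_text(encoding="utf-8"))
        r["id"] = mf.parent.parent.name
        results.append(r)
    return results

if __name__ == "__main__":
    for k, v in assess_manifest(SAMPLE_MANIFEST).items():
        print(f"{k}: {v}")
```

A "high" result on an extension you have not looked at in years is exactly the case the post describes: the access was granted once and still applies to whatever the current update does with it.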
In closing, next time you're about to install some extension that's caught your eye, stop and ask yourself a question or two:
- Do I really need this extension?
- Do I need this small and narrowly-focused extension that sets my new-tab background wallpaper to images from Halo?
- Do I need it when there's an existing extension that's years old and open source that can rotate new-tab images of most anything amongst a plethora of other nice features? Should I be striving to broaden my way of approaching problems? Instead of googling for the exact need I have in the moment to see if someone's offering a direct solution for that specific thing, perhaps I should look up one level and look for a way to solve my need in a more general way…
Stay safe out there. There's big money in stealing and selling data, so quit installing browser extensions without vetting them a bit first.