Browser extensions may be used for attacks

Organized crime can "easily" create legitimate applications and then insert malicious code in the form of updates, says Auckland-based security expert.
Written by Vivian Yeo, Contributor

SINGAPORE--Browser extensions could soon become the new weapon in organized crime's armory, according to an industry expert.

Cybercriminals are likely to work on gaining the trust of users that download such extensions to enhance their Web experience, and only show their true colors much later, Doug Browne, general manager of Security-Assessment.com, said Wednesday in an interview with ZDNet Asia. The Auckland, New Zealand-based company is a wholly-owned subsidiary of Datacraft Asia.

"Initially, it will be just an extension you can use...[it] provides great functionality and therefore more and more people start using it," he explained. "In a later release--[in the form of an update]--it will load malicious code onto [the user's] machine."

Such a scenario could "easily" develop, Browne warned, adding that the tactic may already be in use. Crime syndicates can afford to pay developers to write "good extensions", he noted.

As it is, Firefox extensions are proving to be vulnerable, said Browne. Security-Assessment.com's recent study of "about nine or 10" extensions for the Mozilla browser has found every one of them to be vulnerable to attack. The extensions were among the highest ranked, and some may even be "recommended" by the Mozilla site.

Firefox, he reported, has around 23 percent share of the browser population, and 80 percent of installations run extensions. According to Mozilla's Web site, over 1.5 billion extensions have been downloaded, of which around 160 million are in use.

Three of the vulnerabilities have already been publicly disclosed; the respective developers have been alerted to the remaining holes, said Browne. One of the extensions led to credit card numbers and online banking credentials being exposed, he noted.

As the creator and distributor of Firefox, Mozilla tests the functional aspects of an extension but does not conduct a comprehensive and methodical security assessment, Browne pointed out. Even when the add-on appears to be "recommended from Mozilla", it does not mean that the extension is not vulnerable.

"They don't actually see whether there's any malicious code--whether there's a vulnerability in the code that can be exploited to gain access to [users'] information," he said.

Mozilla's director of add-ons Nick Nguyen pointed out, however, that security "has always been a vital part" of the add-ons community.

"All public add-ons on add-ons.mozilla.org are code reviewed by an editor for code quality and security," he said in an e-mail. "We continuously improve the tools that our editors use to find security flaws in add-ons, and we work with our top developers to conduct code audits on reviewed add-ons and provide advice to developers to help improve existing code."

Nguyen added: "We continue to be closely attuned to our community and do our best to react quickly when issues are found."

The problem of extensions, Browne added, is not limited to browsers--social networking sites also are at risk.

To better protect against such attempts to steal data, companies ought to educate end users on "what they should or shouldn't be doing", said Browne. Organizations should also disallow the use of extensions and limit the browsers in use--to the point of enforcing just one--to ease the management of browser technologies and updates.
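The control Browne recommends (disallowing extensions outright, or confining users to a vetted set, and keeping updates under the organization's control) can be enforced centrally in Firefox through its enterprise policy file. The following `policies.json` is an added example written for this article, not a configuration from Security-Assessment.com or Mozilla; the extension ID `approved-extension@example.com` and the `install_url` are placeholders for an organization's own vetted add-on and internal distribution point.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Browser extensions are managed centrally. Contact the helpdesk to request one."
      },
      "approved-extension@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://intranet.example.com/addons/approved-extension.xpi"
      }
    },
    "ExtensionUpdate": false
  }
}
```

The `*` entry blocks installation of any extension not listed, which also covers a "good" extension that later ships a malicious update: users cannot add it in the first place. The named entry force-installs a reviewed build from an internal server rather than from a public catalog, and `ExtensionUpdate: false` stops extensions from silently updating themselves from the vendor's update URL, so a new release is only deployed after the organization has looked at it. That setting also holds back legitimate security fixes, so it only makes sense where someone owns re-reviewing and re-publishing the XPI on the internal URL. On Windows the file lives in the `distribution` folder of the Firefox install directory, on macOS in `Firefox.app/Contents/Resources/distribution`, and on Linux in `/etc/firefox/policies/`; the active policy can be checked in the browser at `about:policies`.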
