Posted: December 11, 2020
Why you need to be cautious while installing browser extensions

Pranav K
Cybersecurity Enthusiast

We make use of browser extensions almost every day. They help us in a variety of ways: improving productivity, improving the user experience, and the list goes on. An extension is more than a simple icon sitting in the top right corner of the browser bar. Let us see what a browser extension is: a small software application that adds a specific capacity or functionality to a web browser. A browser extension, also called a plug-in, can take advantage of the same application program interfaces (APIs) that JavaScript can on a web page, but the extension can do more because it also has access to its own set of APIs.
Being a security enthusiast, I have always wondered what could possibly go wrong while using these extensions. I have more than five extensions installed on my web browser. These extensions include a cookie editor, a web application technology identifier, a grammar checker, etc. I find them very helpful, and they save time.
Wouldn’t it be nice to have a grammar checker in your browser when you want your writing to look good? Well, I have an extension which always helps me write good reports and emails. Let’s call this extension the ‘good ext’. When I write, the good ext gives suggestions and highlights portions that need correction or change. Sounds cool, doesn’t it? Let us first understand what is happening during this process. To give writing suggestions, the good ext interacts with the Document Object Model (DOM); put simply, it interacts with the webpage that is loaded in the browser. It injects or adds elements to the webpage to suggest changes.
You might be wondering what is wrong with this. There is nothing wrong with this until the good ext becomes a bad ext. There is no guarantee that an extension will only perform the actions listed in its description. Imagine your cookie editor sending website cookies to a malicious server in the background, which can potentially lead to the compromise of your online accounts, sensitive information, and other data.
We have a lot of people around us who don’t know much about extensions but use them for daily needs. Researchers have been warning users about malicious extensions for a very long time, but nobody really cares about it. As long as an extension serves their purpose, people install it blindly. Chrome also allows us to add custom extensions. You just need to enable developer mode to add a custom extension.
An experiment to demonstrate the hidden dangers of browser extensions
I did some research to find out what can go wrong when we install a malicious extension on the browser. During the course, I made three custom Chrome extensions to identify possible security issues, namely:
- Krypton
- Carbon
- Log My Data
Krypton is a simple web redirector. If you visit website A and you have Krypton installed, you will automatically get redirected to website B.
Carbon is for enabling Dark themes on your browser.
Log My Data is for logging and analyzing the data you have entered online.
Let's look at what Krypton does. If I install this extension on my browser, I won’t notice any quick changes in the look or feel of the browser. But the extension is actively listening for some event, or for the user to visit a particular URL. In this case, I set it to facebook.com. When I visit facebook.com from my browser, I will automatically get redirected to some other page. Now you might be getting some idea about the hidden danger, right? Yes, it is similar to a phishing attack, where the user is tricked into visiting a page or performing some action. But it is more effective than a normal phishing attack, where the user might become suspicious upon seeing the URL. With this extension, the user enters a valid URL or domain name, e.g. facebook.com, and the redirect happens only once the legitimate site loads. If I had a clone of Facebook that recorded every input field value, I could have redirected the user to my site and stolen their data. The user won’t notice these changes because initially he entered a valid URL, and he will expect the rest of the pages to be from Facebook itself.
You might be on the attacker’s page even when the URL seems to be legitimate because what you see is limited to the browser you use. If the browser is vulnerable to address bar spoofing even an expert will be exposed to phishing attacks.
Let's skip Carbon because it is for integration purposes only. Nobody will install a redirector extension because it is useless and annoying at the same time (can only be used to prank). But, when I combine Krypton and Carbon, it’s dangerous - for the users it will look like a dark mode enabler but in the background, it will be Krypton doing all the malicious activities.
Now, let us explore Log My Data (LMD). Of the three, I found LMD to be the most interesting. LMD is an extension that helps you monitor the data you have entered online and store things that you may forget. It stores information in the browser's local storage. Local storage is a type of web storage that allows JavaScript sites and apps to store and access data right in the browser with no expiration date. This means the data stored in the browser will persist even after the browser window has been closed. It’s not a problem if the data is stored locally, but it is a problem if the stored data is sent to a server controlled by someone else. What if the extension stores the data locally and sends it to a server at the same time? This is exactly what LMD does. It stores data in the browser and sends data to a server I control. LMD is capable of recording passwords, contact field information, email IDs, form inputs, etc. If someone installs LMD on their browser, every time they submit a form or log in to a site I will get a hit on my server with the data they’ve entered. I can also track which site the user is currently on.
Every extension is built for a specific purpose, so make use of them wisely. If I can do this much, there is no doubt that someone else can do it better without leaving any room for doubt. Ensuring your security in the cyber world is your responsibility; no one else can do it for you.
Tips to protect yourself from malicious extensions
- Install extensions only from verified sources
- Use incognito mode for browsing whenever possible. Extensions won’t work in this mode.
- Keep an eye on the permissions that the extensions have. In Chrome, click on the extension icon and go through the list of extensions you have. Analyze the permissions.
- Never use extensions from unknown sources or suggested by someone else.
- If you are installing an open-source browser extension, it is best to read the source code and understand the logic.
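The permission and source-code review tips above can be partly automated by reading an extension's manifest.json. The following is an added example, not the author's code: the function names and both sample manifests are constructed for illustration, while the permission names and match patterns are Chrome's own.

```javascript
// Added example: audit a Chrome manifest.json for broad access before trusting an extension.
// API permissions worth reviewing, with the capability each one grants.
const RISKY_API = new Map([
  ["cookies", "read and modify site cookies"],
  ["webRequest", "observe network requests"],
  ["webRequestBlocking", "block or redirect requests (Manifest V2)"],
  ["declarativeNetRequest", "block or redirect requests by rule"],
  ["tabs", "see the URL of every open tab"],
  ["scripting", "inject scripts into pages"],
  ["history", "read browsing history"],
]);

// True for match patterns that cover every site instead of a named host.
const isBroadPattern = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p);

function auditManifest(manifest) {
  const findings = [];
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of declared) {
    if (RISKY_API.has(p)) findings.push({ level: "review", item: p, why: RISKY_API.get(p) });
    else if (isBroadPattern(p)) findings.push({ level: "high", item: p, why: "host access to every site" });
  }
  for (const script of manifest.content_scripts || []) {
    for (const m of script.matches || []) {
      if (isBroadPattern(m)) {
        findings.push({ level: "high", item: `content_scripts ${m}`,
          why: "runs in every page and can read its DOM, including form fields" });
      }
    }
  }
  return findings;
}

// Overall rating: any all-sites access is "high", any risky API alone is "review".
const riskLevel = (findings) =>
  findings.some((f) => f.level === "high") ? "high" : findings.length ? "review" : "low";

// Constructed sample manifests (hypothetical extensions, not real ones).
const darkTheme = { manifest_version: 3, name: "Sample Dark Theme",
  permissions: ["storage", "declarativeNetRequest"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["theme.js"] }] };
const notesHelper = { manifest_version: 3, name: "Sample Notes Helper",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["notes.js"] }] };

for (const m of [darkTheme, notesHelper]) {
  console.log(m.name, "->", riskLevel(auditManifest(m)));
  for (const f of auditManifest(m)) console.log(`  [${f.level}] ${f.item}: ${f.why}`);
}
```

A "high" rating is not proof of malice: a dark-mode extension legitimately needs to run in every page, which is the same access that lets it read form fields. The manifest tells you what an extension could do, so the result is a prompt to read the code or look for a narrower alternative.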
“Sometimes, you have to demo a threat to spark a solution” - Barnaby Jack
Stay vigilant, stay safe!