Wednesday, December 16, 2020

Chrome Extensions: Extending Too Far

 If you trust Google, and trust Chrome, the Chrome web store is a trusted place to look for extensions. Some are extremely useful, some are capable of blocking-ads, some make the browser look like a game, and some have a little more than expected. Over 80 million Chrome users installed one of 295 Chrome extensions that hijack and insert ads in to Google and Bing search results. AdGuard, an ad-blocking company, uncovered many of these extensions on the Chrome Web Store. The malicious browser extensions were divided into 3 groups:

·     Extensions that load what appears to be an analytics script which transforms based on cookies to allow it to add an obfuscated script into each freshly opened tab. This new script checks the page and loads an image that has ads 'coded in' if it's a Bing or Google search results page. Most of the discoveries were of this group and consisted of background extensions.

·   Extensions that utilize 'cookie stuffing' and 'ad fraud' where it generates “affiliate” cookies, which makes revenue for site owners, despite not visiting the site. Only 6 were discovered but with 1,650,000 total users.

·    Extensions that are spam but could be malicious in the future. Although AdGuard did not disclose how many existed, the top 5 has 10 million users combined. These can share a similar name with a valid extension or perform a legitimate function, but the potential malice exists in the  'Google Tag Manager' code. The Google Tag Manager account owner can change the 'tag' to upload new potentially malicious code.

The biggest problem here is not that they were created, but that they persist. Google tried to put in strict review guidelines to help secure extensions, but they just frustrate legitimate developers who suffer through complicated review processes without limiting malware. Last year, Google included Chrome extensions into their bug bounty program. The blog writers at AdGuard believe “Google fails with managing Chrome Web Store and keeping it safe.” They do acknowledge “Google did do one thing right — they introduced a position of Chrome Extensions Developer Advocate.” But if the malicious extensions aren’t violating Chrome extension policies (and understand that remote code is allowed, meaning extensions can change their behavior at any time and be within policy) they will be difficult to remove. Until Google fixes these issues, what can you do to protect yourself? The blog authors offered the following suggestions:

· Consider if a browser extension is the only way to achieve a goal.

· Install extensions only from the developers you trust.

· Don't believe what you read in the extension's description.

· Users reviews won't help. It can have excellent reviews & still be malicious.

· Don't use the Chrome Web Store internal search, follow the links on the trusted developers' website directly.