In the 21st century we are all familiar with browser extensions. We depend on them to make browsing easier, whether that is automatically filling in credentials for websites or blocking ads, and we use them every day.
While browsing the internet one day, a question came to mind: these extensions do not come from the browser companies, they originate from third parties. So are they able to read the passwords that we enter on websites? While analyzing this we came across some interesting facts that we would like to share in this blog.
It is absolutely possible for a browser extension to read users’ passwords. However, whether an add-on is able to read or steal users’ data depends on various factors, such as the permissions it has been granted, where it was downloaded from, and more. That does not mean that every extension on the web will use this opportunity to compromise users’ privacy.
There are more than 1.5 lakh extensions available on the Google Chrome web store alone. With so many extensions floating around and trying to get users to install them, hackers are getting more and more opportunities to intrude on users’ security. And speaking of security, one of the most important aspects users should be concerned about is passwords. That is one of the main reasons why we Do Not Recommend to Save Passwords on Browsers.
Why Do Hackers Prefer to Use Extensions to Steal Passwords?
There are many reasons for a hacker to use extensions to steal credentials. Let’s discuss the most important ones:
Easy Penetration:
Getting in through extensions is becoming much easier these days, because it is the users who install the extensions themselves, knowingly or not. Hackers do not need to spend much time writing code for automatic installation. All they need to do is set up false advertisements about what these extensions offer, then continuously send notifications through pop-up windows or show ads through the browser. However, if you want to block Ads with an Ad Blocker you can check our Top 7 Picks.
Not only will users install these add-ons, they will also grant all the permissions the add-ons ask for, because without those permissions the add-ons will not work. This opens the door for hackers.
Easy Hijacking:
Not all extensions come from big developers. Many small organizations also create their own extensions and list them on the web. For a small organization it is sometimes too difficult to provide the level of security for these extensions that a big developer can.
So it becomes very easy for hackers to hijack such extensions and make some minor changes to their source code. This allows them to get all the information they need, including passwords, from the user base of that particular extension.
In Aug 2017, a similar incident happened with a popular Chrome extension named “Web Developer”. The hijacker misused this extension to show random ads on websites, but it could have been used to steal passwords as well. You can check here for full details.
Auto Updates:
For ease of use, modern browsers use an auto-update feature to keep extensions up to date. However, there is a big flaw in this procedure.
When a hacker hijacks an extension and wants to do something fishy with it, they need to change the source code and push an update to the users. With auto-update turned on, the extension updates automatically and turns into a malicious extension.
The same happened with an extension named “Mega File Storage Service”. An attacker replaced the extension with a malware version and pushed an update to its users. This malware version can read credentials for popular websites like Google, Amazon, Microsoft and more. You can check the full details here.
Lack of revenue:
Oftentimes we see that even with a large user base some extensions do not bring in much revenue, because free extensions mainly depend on donations and there aren’t many users who actually use extensions that have a paywall.
Sometimes these developers are approached by a third party who offers them a large amount of money to buy ownership of the extension. With little revenue in hand, developers agree to sell. Now the third-party company has full access to the large user base that the extension has. They just need to tweak the source code a bit to steal users’ passwords and other information.
A similar case happened with the “Particle” Chrome extension, which was used to customize YouTube. Just after buying this extension the new owner turned it into adware. You can read full details here.
Malicious extensions can steal not only passwords but also other sensitive user information.
What Information Other Than Passwords Can Malicious Extensions Steal?
Which information an extension can steal depends entirely on the permissions it has been granted. Let’s discuss the top 10.
Data for All Websites: Malicious extensions can steal all the data of the websites you visit, including your inputs.
Browser Cache: Malicious browser extensions can steal and modify the browser cache.
Cookies: Some malicious extensions may steal cookies to show targeted ads.
Bookmarks: Malicious extensions can see your bookmarks and are able to modify them as they need.
Downloads: Malicious extensions can check your downloads and even push unknown downloads to infect the system with viruses.
Saved Form Data: If you have any form on a website saved for later use, malicious extensions can read and modify it.
Browser History: Malicious extensions can keep track of your browsing history.
Clipboard Data: Malicious extensions are able to read the data that is on the clipboard and “paste” it wherever they want.
Say you have copied your debit card number to the clipboard. A malicious extension can have access to it.
Location: Keeping track of users’ location is very common for malicious extensions.
Keystrokes: Some malicious extensions can even keep track of all the keys you press on your computer or laptop. Basically, they can act as a keylogger and steal your data.
To eliminate malicious extensions from the web store, browsers vet extensions using both manual and automated methods. However, with so many extensions available on the store, some poorly and maliciously coded extensions slip through the vetting process.
CPO Magazine also reported that in 2018 Google discovered that for every ten submissions, one extension was malicious on the Google Chrome store. Google also announced plans to upgrade its extension vetting process after the incident.
So depending only on browsers’ vetting process to eliminate malicious extensions isn’t the way to go; you need to consider some other aspects as well. After analyzing this, we found some safety measures that can keep us safe from these extensions.
How to Use Extensions Safely?
There is no procedure that ensures 100% safety from malicious extensions. However, you can reduce the risk by a significant amount by following these safety tips.
Transparency: Try to use extensions that are open source, which means their source code is open to the public and other developers can check and modify it. With security audits by many developers, these extensions have less chance of being malicious.
Use Mainstream Extensions: Use extensions that have a larger user base. If you are choosing between several extensions that offer similar functionality, picking the one with the larger user base and positive reviews can be a good idea.
Permissions: Keep an eye on the permissions that extensions ask for. Do your own research before blindly accepting them.
An extension like Bitwarden (Password Manager) does need access to website data to automatically fill in passwords for users. But an extension like a file converter won’t need such permission. Use your brain before accepting the permissions. Or you can research the extension on Google by reading reviews on a forum, checking a YouTube video and more.
Limit Your Extensions: Before installing an extension, ask yourself: do you really need it? Installing an extension like an ad blocker or a password manager does make sense. But do you need an extension to convert a file or a currency? Maybe not; you can do all these things just by browsing the internet.
Check the Extension Details Page Thoroughly: Before installing an extension, check its details page. Oftentimes we have found that these extensions have poorly written descriptions with grammatical errors on the details page.
Use Quality Antivirus: Use a quality antivirus that is capable of protecting you during online activities. You can use any popular one like Kaspersky, Avira etc.
Be a Part of The Community: Always treat it as a red flag if your existing extensions ask for new permissions after an auto-update. Sometimes extensions are hijacked and a third party pushes malicious updates. In such cases, wait before you update. Visit the community page of the extension to get a proper description of the update. You can even google what others are saying about the update.
Install Extensions from Trusted Sources: Always install extensions from a verified source, such as the developer’s original site or the browser’s web store. Never install extensions from random pop-ups or advertisements.
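The “Permissions” and “Be a Part of The Community” tips above can be checked mechanically. The following Node.js script is an added example, not code from any browser or extension project: it lists which of the data categories from this article a Chrome manifest.json gives access to, and which permissions an update adds. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest.json for risky permissions.
// Chrome permission name -> data category named in this article.
const SENSITIVE = new Map([
  ["cookies", "cookies"],
  ["bookmarks", "bookmarks"],
  ["downloads", "downloads"],
  ["history", "browser history"],
  ["clipboardRead", "clipboard data"],
  ["geolocation", "location"],
]);

// Host patterns that grant access to every website.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect everything the manifest requests (Manifest V2 and V3 layouts),
// including the sites its content scripts are injected into.
function requested(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((c) => c.matches || []);
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts,
  ]);
}

// Return one finding per risky permission, sorted for stable output.
function auditManifest(manifest) {
  const findings = [];
  for (const p of requested(manifest)) {
    if (BROAD_HOSTS.has(p)) findings.push(`${p}: data for all websites, including form inputs`);
    else if (SENSITIVE.has(p)) findings.push(`${p}: ${SENSITIVE.get(p)}`);
  }
  return findings.sort();
}

// Permissions present in the updated manifest but not in the installed one.
function addedByUpdate(installed, updated) {
  const before = requested(installed);
  return [...requested(updated)].filter((p) => !before.has(p)).sort();
}

// Constructed samples: a file converter before and after a suspicious update.
const v1 = { manifest_version: 3, name: "Sample Converter", version: "1.0",
  permissions: ["downloads"] };
const v2 = { ...v1, version: "1.1",
  permissions: ["downloads", "cookies", "clipboardRead"],
  host_permissions: ["<all_urls>"] };

console.log(auditManifest(v2));
console.log(addedByUpdate(v1, v2));
```

A file converter that gains cookie, clipboard and all-sites access in an update, as in the constructed sample, is the kind of change worth researching before you accept it.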
The Conclusion
What we have discussed above does not mean all extensions are malicious or that you should not use extensions at all. We all use extensions to make our browsing easier, and extensions do need some core permissions to work. The only difference is that a good extension does not track or steal users’ passwords or data.