Another warning of the risks of browser extensions

As much as infosec pros try, sometimes it’s hard to lock down everything on the devices of employees. And despite attempts at security awareness, often the little angels like downloading things without permission.

Browser extensions which offer the promise of productivity assistance are a perfect example. Few staff realize these can be a source of malware or can allow the injection of malicious code, which is why the best environment is one that has as few add-ons as possible, even if they come from a legitimate source, like a big-name app store.

That was illustrated this week with a report from Seattle-based security vendor Icebrg Inc., which said it has discovered four sophisticated malicious Google Chrome extensions on over half a million browsers, including workstations within major organizations globally. It came after a customer detected a suspicious spike in outbound network traffic from a workstation.

“Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information,” says the company.

Icebrg notified Google, which has removed the extensions.

They are:

–Change HTTP Request Header

–Nyoogle

–Lite Bookmarks

–Stickies, which allows the creation of Post-It-like notes.

Screen shot from Chrome extensions store. From Icebrg Inc.

Here’s how these extensions can be troublesome: The Change HTTP Request Header extension itself does not contain any overtly malicious code, says Icebrg. However, it allows the injection and execution of arbitrary JavaScript code. By design, Chrome’s JavaScript engine executes JavaScript code contained within JSON (JavaScript Object Notation), a lightweight data-interchange format. Due to security concerns, Chrome prevents extensions from retrieving JSON from an external source unless they explicitly request its use via the Content Security Policy (CSP). But under some circumstances an extension can retrieve it, leading to the possibility of JavaScript code injection. For this extension, the control server returns obfuscated JavaScript to the victim host.

It then establishes a WebSocket tunnel to proxy browsing traffic via the victim’s browser for visiting advertising-related domains, suggesting a potential click fraud campaign was the motive. But, Icebrg notes, the same capability could also be used by a threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls meant to protect internal assets from external parties.

The other three extensions work in a similar way.

While this report deals with Chrome, the problem exists for any browser that allows extensions.

Google is trying to give administrators more control over Chrome browser extensions. But Icebrg argues that “without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks.”

Meanwhile security awareness training has to include mention of the dangers of adding extensions that aren’t approved by administrators.
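
For administrators reviewing what is already installed, the following added example (not from the article or from Icebrg) checks a parsed extension manifest.json for the kind of CSP relaxation described above. It assumes the relaxation appears as the `'unsafe-eval'` source keyword or a remote origin in the script policy; the sample manifests are constructed and the finding labels are hypothetical.

```python
import json

# Constructed sample manifests; none is taken from the extensions in the article.
SAMPLES = {
    "mv2_eval": json.loads("""{"manifest_version": 2, "name": "Sample A",
        "permissions": ["webRequest", "<all_urls>"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}"""),
    "mv2_default": json.loads("""{"manifest_version": 2, "name": "Sample B",
        "permissions": ["storage"]}"""),
    "mv3_remote": json.loads("""{"manifest_version": 3, "name": "Sample C",
        "host_permissions": ["https://*/*"],
        "content_security_policy": {
            "extension_pages": "default-src 'self' https://cdn.example.test"}}"""),
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])
    return directives


def audit_manifest(manifest):
    """Return hypothetical finding labels for one parsed manifest.json."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 stores the policy per context
        csp = csp.get("extension_pages", "")
    directives = parse_csp(csp)
    # script-src falls back to default-src when it is not declared.
    script_src = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if "'unsafe-eval'" in script_src:
        findings.append("csp-allows-eval")
    if any(s == "*" or s.startswith(("http:", "https:")) for s in script_src):
        findings.append("csp-allows-remote-script")
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    if BROAD_HOSTS & {p for p in perms if isinstance(p, str)}:
        findings.append("broad-host-access")
    return findings


if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, audit_manifest(manifest) or "no findings")
```

An extension that combines a relaxed script policy with access to every site is the one to review first.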


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
