Malicious browser extensions pose a serious threat and defenses are lacking
By Lucian Constantin
Although the number of malicious browser extensions has significantly increased in the past year many security products fail to offer adequate protection against them, while others are simply not designed to do so, according to a security researcher.
Attackers have already used such extensions to perform click fraud by inserting rogue advertisements into websites or by hijacking search queries, but research has shown that this type of malware has the potential to cause much more damage.
Last year Zoltan Balazs, an IT security consultant with professional services firm Deloitte in Hungary, created a proof-of-concept malicious extension that could be controlled remotely by an attacker and could steal authentication credentials, hijack accounts, modify locally displayed Web pages, take screenshots through the computer’s webcam, bypass two-factor authentication systems and even download and execute malicious files on a victim’s computer.
And last week the European Union Agency for Network and Information Security (ENISA) warned in its midyear report: “An increase in malicious browser extensions has been registered, aimed at taking over social network accounts.”
Earlier this year Balazs investigated how various security products protect users against malicious browser extensions and presented his findings at the OHM2013 security conference near Amsterdam in August. He performed tests against browser security extensions, sandboxing software, Internet security suites, anti-keylogging applications and financial fraud prevention programs recommended by some banks.
Many of these products either don’t detect and block malicious extensions at all, or their protection can be bypassed, sometimes very easily, he found.
Not all of the tested products claim to protect against malicious extensions, but Balazs said he tested them because some users might believe they do.
For example, the NoScript security extension for Mozilla Firefox is designed to block plug-in content from executing without user authorization, and also blocks some Web-based attacks such as cross-site scripting or clickjacking. However, it doesn’t protect against malicious browser extensions or local malware, Balazs said.
BrowserProtect, another Firefox extension, claims to protect the browser against “homepage, search provider, extension, add-on, BHO and other hijacks.” This extension also fails to protect against malicious extensions, the researcher said.
Browser security extensions are not really trying to protect against malicious extensions and they wouldn’t be able to because by design they run with the same privileges as those extensions, Balazs said.
Balazs also tested Internet security suites from five top antivirus vendors that he declined to name. The level of protection they offered against malicious browser extensions varied from none to good.
One of the tested products detected and removed the researcher’s malicious Firefox extension, but he was able to bypass the detection signature by adding a single space character at a specific location in the extension’s code.
A product from a different vendor came with a “safe browser” feature that involved creating a clean Firefox profile with no extensions installed. However, once it had created the profile, it kept using the same one, which meant that a malicious extension installed in the user’s regular browser profile could copy itself to the “safe browser” profile, Balazs said.
Balazs said a third vendor, asked in a forum if its product detects or blocks Firefox keylogging extension Xenotix KeylogX, replied there was no need because “browser add-ons are subject to the same sandbox the browser runs through.” The vendor recommended that users remove any suspicious extensions themselves, he said.
For Balazs, the answer highlights the poor understanding some vendors have of this type of threat, because Firefox doesn’t have a sandbox and malicious browser extensions can be installed silently by malware without users ever knowing.
Some other “safe browser” implementations, such as Avast’s SafeZone and Bitdefender’s Safepay, did block the installation of malicious extensions. These offerings are designed to give users a way to bank and shop securely online using a custom browser based on Chromium, the open source project behind Google Chrome, within a secure environment similar to a sandbox.
Even though Balazs didn’t find a way to install malicious extensions directly into the Avast SafeZone or Bitdefender Safepay browsers, he claims to have found a weakness that could allow an attacker to spy on traffic, even when users access HTTPS websites and their connection is encrypted.
If the victim’s primary browser is Firefox, the attacker could first use social engineering to trick the victim into installing a malicious extension. He could then use that extension to download and execute a piece of malware designed to change the system-wide Internet proxy settings and to install a rogue root CA certificate into the Windows certificate store.
Chromium, along with Internet Explorer, uses the system-wide proxy settings and certificate store, so an attacker could exploit this to pass all traffic from the Avast SafeZone or Bitdefender Safepay browsers though a proxy server he controls and perform man-in-the-middle interception using the new root CA certificate added to the system.
This attack would also bypass Chromium’s public-key pinning protection, which is supposed to detect whether the public keys used for the certificates of some popular websites such as Gmail or Paypal have been changed by a man-in-the-middle attacker, Balazs said.
The user will not receive any certificate warnings inside the browser because Chromium allows user-installed root CAs to override pins, a design decision explained by Google software engineer Adam Langley in a May 2011 blog post.
Windows does show a security prompt when a new CA certificate is added to the certificate store, but the malware is able to automatically confirm the action, so the user doesn’t have to click anything.
A Bitdefender spokesman said Wednesday that “Safepay is designed as an additional layer of security to protect sensitive activities such as online banking or shopping. Although it has strong self protect mechanisms, Safepay is not a replacement for an AV [antivirus] product nor is promoted as such.”
The product performs a security assessment to identify active malware on the computer before the secure browsing session is initiated, but if malware previously infiltrated the system and installed a rogue root certificate there is a chance that the session could be compromised, the spokesman said. “Nevertheless, this scenario is plausible when users don’t have an antivirus product installed.”
“We have an ongoing project that aims to discover Safepay’s vulnerabilities in different scenarios (system or third-party related) and develop solutions to minimize the risks of compromised user sessions,” he said. “The assessment of installed certificates on the system is at the top of our list.”
Avast did not immediately provide a statement regarding this attack method.
Some security products recommended by banks to their customers and designed to prevent malware-related financial fraud were also found to lack protection against malicious browser extensions. Balazs tested six such products from different vendors, but only one blocked browser extensions in his tests.
Since then, a few more have added protection for this type of threat, but they use different approaches, he said. Some block all extensions while others detect only malicious ones, he said.
Balazs also tested Sandboxie, a program designed to isolate applications from the operating system by running them inside a sandboxed environment and preventing them from making permanent changes to other programs or data on the computer.
The product’s website says that “running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.”
However, that only stops a rogue browser extension within Sandboxie from writing to local storage outside the sandbox. It can still log keystrokes and store them within the sandbox, capture images with the computer’s webcam, or steal passwords and authentication cookies stored in the browser, the researcher said.
In general, malicious Firefox extensions can modify the settings of other extensions or the browser itself, but they can also indirectly modify the source files of installed extensions by downloading and executing a piece of malware designed to do this when the browser is closed, Balazs said. (The source files are locked while the browser is running.)
During a presentation Saturday at the Hacker Halted USA 2013 security conference, Balazs demonstrated how malware can insert backdoors into legitimate extensions and the effects this can have on the user’s security. For his demonstration he backdoored the LastPass extension for Firefox.
LastPass is a password management service that uses a browser extension to automate form filling and website authentication. This allows users to have strong, separate passwords for all online services they use, while remembering only one master password that unlocks their encrypted password vault.
For increased security, LastPass supports two-factor authentication using the master password and one-time codes generated by physical YubiKey USB authentication devices or mobile applications such as Google Authenticator, Toopher and Duo Security.
LastPass claims on its website that it protects users against phishing scams, online fraud, and malware — in particular key loggers. However, according to Balazs, the extension can’t protect users against malware like financial Trojan programs that hook into the browser process, against other malicious browser extensions, or against local modifications of its own code.
Balazs’ demonstration at Hacker Halted showed how a piece of malware could modify the code of the LastPass extension installed in Firefox so that it sends the user’s master password and a YubiKey authentication code to an attacker, who could then use the information to access the user’s password vault.
He released his proof-of-concept code for backdooring the LastPass extension on GitHub and said that developing it only took two hours.
Most of Balazs’ recent research focused on Firefox because it’s easier to trick users into installing malicious extensions in this browser by using social engineering. Unlike Firefox, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, which makes it harder for attackers to distribute malicious extensions.