Google Chrome is also widely regarded as the most secure browser, owing partly to the effectiveness of its sandbox (which prevents unverified content from being downloaded onto end users’ devices) and partly to the rapid availability of security patches.
Reports from NetmarketShare show that Chrome has about a 61% share of the global internet browser market, with its nearest rival, Internet Explorer, holding approximately a 12% share. Firefox’s market share is just under 12%, while Microsoft’s new browser, Edge, clings to about 4% of the market.
Chrome: still the most secure browser?
Chrome’s reputation as the most secure internet browser was called into question when four malicious extensions were discovered on its official Web Store. Although Google has removed the extensions, the presence of this threat highlights a key weakness within its framework.
To prevent the download of malicious extensions which might pose a threat to end-user systems, users should not install extensions unless they provide a proven benefit. Even then, the extension’s code and its behavior should be researched and analyzed with care.
Nonetheless, because of the generally positive perception of Chrome’s security, many users completely trust extensions found on the Web Store and install them without sufficient due diligence. This confidence was shaken when researchers from ICEBRG, a US security firm, detected an unusual surge in outbound network traffic from a workstation.
ICEBRG discovered that the surge was caused by HTTP Request Header, an extension on the Chrome browser, which used the workstation to stealthily visit ad-related web links. It was soon discovered that three other extensions on the Chrome Web Store – Lite Bookmarks, Stickies, and Nyoogle – followed suit.
ICEBRG suspected that the extensions were used as a click-fraud scam meant to generate revenue from per-click rewards. However, its researchers noted that the malicious extensions could have been used for more sinister purposes such as spying on organizations’ networks and end-user systems where they were installed.
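The ICEBRG finding above started from a volume anomaly: one workstation was sending far more outbound web requests than its peers, and the destinations turned out to be ad-related hosts. The script below, an added example that is not from the article or from ICEBRG, shows the simplest version of that check: it parses a constructed proxy log (the three-column format, the IP addresses and the host names are all invented for illustration), compares each source’s request count against the median of its peers, and reports the top destinations for any source that exceeds a chosen multiple of that median. The factor of 3 is an arbitrary illustrative threshold, not a recommended tuning.

```python
"""Flag a workstation whose outbound web request volume is far above its peers.

Added example, not code from the original article or from ICEBRG. It assumes a
proxy log in a simple "timestamp src_ip dest_host" format (constructed below)
and uses a peer-based threshold chosen purely for illustration.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: three workstations, one of which (10.0.0.12) is
# quietly hammering ad-related hosts in the background. All names are invented.
SAMPLE_LOG = """\
2018-01-15T09:00:01 10.0.0.11 intranet.example.local
2018-01-15T09:00:03 10.0.0.13 intranet.example.local
2018-01-15T09:00:05 10.0.0.12 intranet.example.local
2018-01-15T09:00:08 10.0.0.11 docs.example.local
2018-01-15T09:00:09 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:09 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:10 10.0.0.12 clicks.example.org
2018-01-15T09:00:10 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:11 10.0.0.13 docs.example.local
2018-01-15T09:00:11 10.0.0.12 clicks.example.org
2018-01-15T09:00:12 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:12 10.0.0.12 promo.example.biz
2018-01-15T09:00:13 10.0.0.11 mail.example.local
2018-01-15T09:00:13 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:14 10.0.0.12 clicks.example.org
2018-01-15T09:00:14 10.0.0.13 mail.example.local
2018-01-15T09:00:15 10.0.0.12 ads-tracker.example.net
2018-01-15T09:00:15 10.0.0.12 promo.example.biz
"""


def parse(log_text):
    """Yield (src, dest) pairs from the constructed three-column log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, src, dest = line.split()
        yield src, dest


def outbound_profile(log_text):
    """Count requests per source, and per (source, destination)."""
    per_src = Counter()
    per_src_dest = defaultdict(Counter)
    for src, dest in parse(log_text):
        per_src[src] += 1
        per_src_dest[src][dest] += 1
    return per_src, per_src_dest


def flag_outliers(log_text, factor=3.0):
    """Return {src: top 3 destinations} for sources sending more than
    `factor` times the median request count of all sources in the log."""
    per_src, per_src_dest = outbound_profile(log_text)
    if len(per_src) < 2:
        return {}  # no peer group to compare against
    baseline = median(per_src.values())
    return {
        src: per_src_dest[src].most_common(3)
        for src, count in per_src.items()
        if count > factor * baseline
    }


if __name__ == "__main__":
    for src, destinations in flag_outliers(SAMPLE_LOG).items():
        print(f"{src}: {destinations}")
```

In a real deployment the baseline would come from a longer window and be normalised per user or per role, and the destination list is what an analyst would pivot on next: a burst of requests to ad or click-tracking hosts with no matching user activity is the pattern the article describes.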
This wasn’t the first time malicious extensions had been discovered on Chrome’s Web Store. Unknown attackers had previously compromised the accounts of at least two extension developers on the Chrome platform and used the unauthorized access to push extension updates that injected ads into the websites users visited.
Chrome extensions: a viable threat vector
End users rely on browsers to access shopping, healthcare, banking, cloud-based file sharing, and email. In the process, their personal information (such as passwords, account numbers, and credit card numbers) is exposed to the browser as well as to scripts running on web pages.
Weak browser security, combined with the powerful, invasive nature of extensions, can allow attackers to commit various types of cybercrime with access to a wide range of private data and computer resources.
Since extensions have access to all the web pages visited by users, they can do almost anything. Aside from inserting ads into visited web pages, some add-ons could function as keyloggers to capture credit card details and passwords, redirect search traffic, or track victim activity.
Malicious extensions: designed to appear innocuous
Earlier this year, Trend Micro’s security researchers discovered another family of add-ons, nicknamed Droidclub.
Uploaded to the official Chrome Web Store and downloaded by over 420,000 users, this family of add-ons was designed to appear innocent, but it could record and replay every keystroke, scroll, and mouse click users performed on all websites visited in Chrome and share them with the extensions’ developers.
Extensions as crypto-jacking malware
The Droidclub extensions could also be used to crypto-jack end users’ systems and use their computing power to surreptitiously mine for Monero. This is of major concern to organizations since crypto-jacking increases CPU usage, leading to systems overheating and a decrease in device lifespan. Once installed on end users’ devices, the Droidclub apps can make it very difficult for users to either report them as malicious or delete them.
Low acceptance standards on Chrome’s Web Store
Although Google has since removed this batch of malicious extensions from the Chrome Web Store, its acceptance standards are still relatively low. As such, it’s likely that cybercriminals may continue to use this attack vector to launch attacks via browser extensions.
Preventing malicious extensions from attacking your network
Organizations must therefore educate their users on how to identify fake and malicious extensions. Due diligence before downloading should include:
- Reading through the add-ons’ descriptions (to ensure they are not suspicious)
- Verifying developers’ credibility
- Understanding exactly what the add-on does and the type of permissions it requires
For instance, an add-on that is described as an ad blocker but requests permission to access emails is definitely up to no good.
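The third due-diligence step above, checking what permissions an add-on requests, is something that can be automated for an unpacked extension, because every Chrome extension declares its permissions and host patterns in its manifest.json. The script below is an added example, not code from the article: it parses a manifest (Manifest V2 or V3, using the real `permissions`, `optional_permissions`, `host_permissions` and `content_scripts[].matches` keys), flags permissions that give an extension broad reach over pages or traffic, and flags host patterns that cover every site or that match a hand-picked list of sensitive services. The risk list, the sensitive-host globs and the sample “ad blocker” manifest are all constructed for illustration and are not Google’s categories.

```python
"""Triage a Chrome extension manifest for risky permission requests.

Added example, not code from the original article. It assumes an unpacked
extension directory containing manifest.json (Manifest V2 or V3). The HIGH_RISK
table and SENSITIVE_HOST_GLOBS are hand-picked for this example, not Google's
own classification.
"""
import json
from fnmatch import fnmatch

# Real Chrome permission names, paired with a plain-language reason to look closer.
HIGH_RISK = {
    "<all_urls>": "read and modify every page the user visits",
    "webRequest": "observe all network requests",
    "webRequestBlocking": "block or rewrite network requests",
    "tabs": "see URLs and titles of open tabs",
    "history": "read full browsing history",
    "cookies": "read session cookies for permitted hosts",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to native programs on the host",
    "debugger": "attach the DevTools protocol to pages",
    "proxy": "route all traffic through a proxy of its choosing",
}

# Host patterns unrelated to an ad blocker's stated purpose (constructed list;
# extend it with your organisation's own webmail, banking and SaaS hosts).
SENSITIVE_HOST_GLOBS = ["*mail.google.com*", "*outlook.*", "*bank*"]


def host_patterns(manifest):
    """Collect every host match pattern the extension asks for (MV2 and MV3)."""
    patterns = []
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    # Content scripts inject into every page matching their "matches" patterns.
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def covers_every_site(pattern):
    """True for patterns that match any host on any scheme."""
    return pattern == "<all_urls>" or any(
        pattern.startswith(prefix) for prefix in ("*://*/", "http://*/", "https://*/")
    )


def triage(manifest):
    """Return a list of (severity, finding) tuples for a parsed manifest dict."""
    findings = []
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(declared):
        if perm in HIGH_RISK:
            findings.append(("high", f"permission '{perm}': {HIGH_RISK[perm]}"))
    for pattern in host_patterns(manifest):
        if covers_every_site(pattern):
            findings.append(("high", f"host pattern '{pattern}' covers every site"))
        elif any(fnmatch(pattern, glob) for glob in SENSITIVE_HOST_GLOBS):
            findings.append(("high", f"host pattern '{pattern}' targets a sensitive service"))
    if not findings:
        findings.append(("info", "no broad or sensitive permissions requested"))
    return findings


def triage_file(path):
    """Convenience wrapper: triage the manifest.json at `path`."""
    with open(path, encoding="utf-8") as fh:
        return triage(json.load(fh))


# Constructed sample: an "ad blocker" that also asks to run on the user's webmail
# and to watch all network requests. Invented for this example.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ad Blocker (constructed sample)",
    "permissions": ["storage", "webRequest", "tabs"],
    "host_permissions": ["*://mail.google.com/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["blocker.js"]}],
}

if __name__ == "__main__":
    for severity, text in triage(SAMPLE_MANIFEST):
        print(f"[{severity}] {text}")
```

A manifest only says what an extension may do, not what it does, so a clean triage result is a reason to proceed to the behavioural review the article calls for, not a substitute for it; a noisy result, like the sample manifest’s webmail host pattern on an “ad blocker”, is the mismatch the paragraph above describes.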
An additional layer of protection is needed
Although the above measures are a sound strategy for preempting threats arising from such attack vectors, they are prone to human error and thus not enough on their own. The most effective way to prevent rogue extensions from breaching your organization’s endpoint systems is to use container-based virtual browsers.
With a remote browser isolation solution, all browser-executable code is isolated in a virtual browser within a disposable container hosted outside of the network. Website code never touches the endpoint and can do no harm.
At the end of each browsing session, the containers are destroyed, along with the virtual browser and all content, whether benign, infected, or malicious. This effectively prevents dangerous code present in malicious add-ons from executing and carrying out its bad intentions. The result is that your users can browse and use Chrome extensions securely, without putting their data or devices at risk.