Chrome extensions: they see everything

Your handy adblocker, price tracker, or spell checker extension might be putting your online safety at significant risk. Oren Koren, Co-Founder of the cybersecurity firm Veriti, advised me to delete all Chrome extensions, and he’s not the only one. Four more cybersecurity researchers have similar opinions.

I recently came across an online tool for analyzing Chrome extensions. I spent some time on it and noticed that almost all popular extensions have one thing in common.

They all use the "chrome.webRequest" API, which the tool rates as a "critical" risk. But what does that mean, and should I worry?

The answer, according to Koren: “You gave them access, so they can see everything.”

Extensions are granted powers that ordinary web pages and many regular apps never get: with broad host permissions they see every request the browser makes, and an extension that has also been allowed access to file:// URLs can read local files the browser is able to open. This means that files on a computer might not be safe from the spying eye.

The whole supply chain is vulnerable

According to Koren, even extensions that are considered safe can be risky because of weak points anywhere in their supply chain. Millions of users might rely on a presumably safe extension, but if something goes wrong at any link of that chain, all of those users are affected.

“Everybody nowadays uses the ad-block extension, and it’s massively using the webRequest function. This function allows it to intercept five types of data,” Koren said.

  • http:// - risk of intercepting unencrypted browsing data;
  • https:// - risk of intercepting encrypted browsing data (the extension sees requests and responses after the browser has handled TLS, so encryption on the wire does not protect against it);
  • ftp:// - risk of exposing login credentials and unauthorized file access (directory listings of the FTP server, the username and password passed at login, the ability to track and download files). Note that Chrome removed its built-in FTP support in version 95, so this applies to older browsers;
  • file:// - risk of disclosing sensitive local files or internal resources (specific internal or external file paths that only the owner has). Chrome grants this only after the user enables "Allow access to file URLs" for the extension on chrome://extensions;
  • ws:// - risk of intercepting WebSocket traffic (live chat, notifications, trading feeds), which can expose an organization’s internal content.

Basically, an adblocker holding these permissions can, in principle, inspect all content you send over the web, collect FTP passwords, list the files on the server, and track the downloads.

Josh Amishav, Breachsense’s founder and CEO, adds that granting an extension access to the "chrome.webRequest" API is a high-risk issue because it allows the extension to intercept, block, modify, or redirect web requests before they are sent or after they are received.

Extensions can exploit this to modify web requests and responses, allowing them to inject malicious content into websites and collect sensitive user data such as login credentials, browsing habits, and other personal information. (Chrome does not let webRequest rewrite response bodies directly, but redirecting a page’s script request to an attacker-controlled copy achieves the same effect.)
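To make the preceding paragraphs concrete, here is an added example (not code from the article or from any real extension) that models what a `chrome.webRequest.onBeforeRequest` listener registered with `["blocking", "requestBody"]` is handed, and what it may return. It runs under Node without Chrome: the host-permission matcher, the blocklist, the lookalike domain and the sample requests are all constructed for illustration, with one request per URL scheme from the list above.

```javascript
// Added example, not code from the article or from any real extension:
// a Node-runnable model of what a chrome.webRequest.onBeforeRequest
// listener registered with ["blocking", "requestBody"] is handed.
// Chrome itself is not required; the requests are constructed below.

// Simplified Chrome match-pattern matcher (assumption: covers the usual
// scheme://host/path forms; "*" as scheme means http or https only).
function matchesPattern(pattern, url) {
  if (pattern === "<all_urls>") return /^(https?|ftp|file|wss?):/.test(url);
  const m = /^(\*|https?|ftp|file|wss?):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host = "", path] = m;
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1);
  if (scheme === "*" ? !/^https?$/.test(urlScheme) : scheme !== urlScheme) return false;
  if (scheme !== "file" && host !== "*") {
    if (host.startsWith("*.")) {
      const suffix = host.slice(2);
      if (u.hostname !== suffix && !u.hostname.endsWith("." + suffix)) return false;
    } else if (u.hostname !== host) {
      return false;
    }
  }
  const pathRe = new RegExp(
    "^" + path.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*") + "$");
  return pathRe.test(u.pathname + u.search);
}

// Hypothetical host permissions and ad blocklist for the modelled extension.
const HOST_PERMISSIONS = ["<all_urls>"];
const AD_HOSTS = new Set(["ads.example.net", "tracker.example.org"]);
const LOOKALIKE = "https://login.example.com.evil-lookalike.test/"; // hypothetical phishing clone

// Build the listener. `log` collects everything the extension could see;
// `rogue` switches on the behaviour a malicious build would add.
function makeListener(log, rogue = false) {
  return function onBeforeRequest(details) {
    // Chrome only delivers requests that fall inside the host permissions.
    if (!HOST_PERMISSIONS.some(p => matchesPattern(p, details.url))) return {};
    const u = new URL(details.url);
    const seen = { url: details.url, method: details.method };
    // With "requestBody", submitted form fields arrive already decoded.
    if (details.requestBody && details.requestBody.formData) {
      seen.formData = details.requestBody.formData;
    }
    // Credentials embedded in the URL (typical for ftp://) are visible too.
    if (u.username) seen.credentials = `${u.username}:${u.password}`;
    log.push(seen);
    // Legitimate use: the BlockingResponse that cancels an ad request.
    if (AD_HOSTS.has(u.hostname)) return { cancel: true };
    // Abuse: the same return type redirects a login page to a phishing clone.
    if (rogue && details.type === "main_frame" && u.hostname === "login.example.com") {
      return { redirectUrl: LOOKALIKE };
    }
    return {};
  };
}

// Constructed sample traffic, covering each scheme the article lists.
const SAMPLE_REQUESTS = [
  { url: "https://ads.example.net/banner.js", method: "GET", type: "script" },
  { url: "https://login.example.com/session", method: "POST", type: "xmlhttprequest",
    requestBody: { formData: { user: ["alice"], password: ["hunter2"] } } },
  { url: "https://login.example.com/", method: "GET", type: "main_frame" },
  { url: "ftp://bob:s3cret@files.example.com/reports/", method: "GET", type: "main_frame" },
  { url: "file:///home/alice/.ssh/id_rsa", method: "GET", type: "main_frame" },
  { url: "ws://intranet.example.com/feed", method: "GET", type: "websocket" },
  { url: "http://intranet.example.com/wiki/Payroll", method: "GET", type: "main_frame" },
];

// Run the listener over the samples; returns what was seen and what was decided.
function runRequests(requests, rogue = false) {
  const log = [];
  const listener = makeListener(log, rogue);
  const decisions = requests.map(r => listener(r));
  return { log, decisions };
}

// Registration as it appears in a Manifest V2 background script. Blocking
// listeners need the "webRequestBlocking" permission; Manifest V3 restricts
// them to policy-installed extensions.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    makeListener([]), { urls: HOST_PERMISSIONS }, ["blocking", "requestBody"]);
} else {
  const { log, decisions } = runRequests(SAMPLE_REQUESTS, true);
  log.forEach((s, i) => console.log(JSON.stringify(s), "->", JSON.stringify(decisions[i])));
}
```

The point to notice is that the benign and the rogue build share the same permission set and the same listener signature; nothing in the manifest distinguishes the adblocker that cancels `ads.example.net` from the one that also redirects `login.example.com`. The ftp:// and file:// entries reach the listener only on browsers that still support FTP and only when file access has been enabled, as noted in the list above.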

Developers may have only benign intentions. However, their extensions can be hacked, just like any application. For example, the widely used CCleaner was trojanized in a 2017 supply-chain attack that left its users exposed. Vulnerabilities may also be discovered in the software frameworks developers build on, such as Electron.

“If you gain access through a supply chain, you may get user-sensitive files that should not be accessed from outside. You practically collect all the internal URLs,” Koren explained. “Accessing HTTP, FTP, customer data, or internal files is crazy.”


Many extensions are created with malicious intent from the start. The most dangerous are sideloaded extensions, installed from outside the Chrome Web Store and therefore never subjected to its review.

And thousands of rogue browser extensions lurk in official extension stores, which lulls users into a false sense of security, assuming that all of the available extensions have been carefully vetted and deemed safe, Patrick Harr, CEO of the cybersecurity company SlashNext, warns.

“It's like downloading an application from Google Play. Think, how many malicious applications are in Google Play? A lot. Because it just takes time to analyze,” Koren added.

Many businesses, including Google, have incentives to collect user data.

The ultimate goal for cybercriminals – to deploy ransomware

According to Harr, the broadest range of zero-hour attacks happen in the browser. Malicious URLs and exploits routinely evade legacy security solutions, leading to business disruption, financial loss, and loss of customer trust.

“In the current threat landscape, malicious browser extensions are very common, especially as a tool for delivering ransomware. We usually think of ransomware as starting in a phishing email, which certainly is a leading point of origination, but bad actors are also skilled at leveraging malicious browser extensions to steal user credentials as a first step in their ultimate goal of deploying ransomware,” Harr said.

While attackers usually use the ‘chrome.webRequest’ API to inject viruses or lead users to phishing pages, according to Oleksii Yasynskyi, Engineering Manager of Malware Lab at Moonlock, some extensions can track user activities and be used for spying, collecting personal data.

“Potential consequences include theft of personal information, financial loss, system damage, and security compromise,” Yasynskyi warns.

He mentioned a few notable cases:

  • In 2021, researchers found a vulnerability in a popular Chrome extension designed to manage cryptocurrency wallets. This vulnerability allowed attackers to steal users' private keys and cryptocurrency. After the vulnerability was discovered, the developers issued an update, but this incident highlights the need to be careful with some types of extensions.
  • In 2019, several malicious Chrome extensions were used to intercept user logins on popular websites such as Facebook and Google.
  • In 2018, an extension was discovered that stole credit card data using the "chrome.webRequest" API for this.

No extensions for you, if you want to be safe and private

What should I, as a consumer, do?

“The first step is not to allow any extension to be able to get any content from ourselves. I know it's an extremely rough thing to say,” Koren said.

He recommends secure browsing tools and keeping antivirus and firewall protection enabled even for casual browsing.

If you really want to keep your adblocker, translator, some strange GPT add-on, or price tracker, make sure it comes from a reputable developer, read the permissions it requests (shown on its Web Store page and under chrome://extensions), and verify what data it collects.

“Consumers do not need to download many extensions besides Grammarly, security, or ad-blockers. What would you do with that PDF converter? Download the PDF and convert it,” Koren argues. “You need to understand that your data is exposed. The company that owns the product has your data. Whether they want it or not.”

If the browser suddenly displays numerous ads, this may be the first sign of a rogue browser extension.

“If an extension asks for excessive or unnecessary permissions that seem unrelated to its intended functionality, it may be best to avoid it. Finally, regularly update all installed extensions to ensure you have the latest security patches and bug fixes,” Amishav concluded.
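Amishav’s advice to look for excessive permissions can be turned into a check. The following is an added example, not the online analysis tool mentioned earlier and not code from any of the quoted companies: it reads an extension’s manifest.json and flags the permissions this article is concerned with. The list of risky permissions, the severity thresholds, and the two sample manifests are constructed for illustration.

```javascript
// Added example, not the article's analysis tool: a small audit of an
// extension's manifest.json that flags the permissions the article warns
// about. Severity thresholds and the sample manifests are constructed.

// API permissions worth a second look, with the reason a reviewer would give.
const RISKY_PERMISSIONS = {
  webRequest: "observes every request to hosts it has permission for",
  webRequestBlocking: "can cancel, modify or redirect those requests (MV2; policy-only in MV3)",
  declarativeNetRequestWithHostAccess: "can rewrite requests to hosts it has permission for",
  cookies: "reads and writes cookies, including session tokens",
  tabs: "sees the URL and title of every open tab",
  history: "reads the full browsing history",
  clipboardRead: "reads the clipboard",
  nativeMessaging: "talks to a native program outside the browser sandbox",
  debugger: "full control of pages through the DevTools protocol",
};
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Separate API permissions from host patterns (MV2 mixes them in one list,
// MV3 puts hosts under host_permissions).
function splitPermissions(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const isHost = p => p === "<all_urls>" || p.includes("://");
  return { api: all.filter(p => !isHost(p)), hosts: all.filter(isHost) };
}

// Returns { name, manifest_version, risk, findings } for one manifest object.
function auditManifest(manifest) {
  const { api, hosts } = splitPermissions(manifest);
  const findings = [];
  for (const p of api) {
    if (RISKY_PERMISSIONS[p]) findings.push({ item: p, reason: RISKY_PERMISSIONS[p] });
  }
  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) findings.push({ item: h, reason: "host access to every site" });
    else if (h.startsWith("file:")) findings.push({ item: h, reason: "local file access (needs 'Allow access to file URLs')" });
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(m => BROAD_HOSTS.has(m))) {
      findings.push({ item: "content_scripts", reason: "injects code into every page" });
    }
  }
  // Interception plus broad host access is the combination the article calls critical.
  const broad = hosts.some(h => BROAD_HOSTS.has(h));
  const intercepts = api.some(p =>
    p === "webRequest" || p === "webRequestBlocking" || p === "declarativeNetRequestWithHostAccess");
  let risk = "low";
  if (findings.length) risk = "medium";
  if (broad || intercepts) risk = "high";
  if (broad && intercepts) risk = "critical";
  return { name: manifest.name, manifest_version: manifest.manifest_version, risk, findings };
}

// Constructed sample manifests: a typical MV2 ad blocker and a narrowly
// scoped MV3 spell checker.
const ADBLOCK_MANIFEST = {
  name: "Example Ad Blocker", manifest_version: 2, version: "1.0",
  permissions: ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
  background: { scripts: ["background.js"] },
};
const SPELLCHECK_MANIFEST = {
  name: "Example Spell Checker", manifest_version: 3, version: "2.1",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["spell.js"] }],
};

// Usage: node audit.js /path/to/manifest.json   (falls back to the samples)
if (typeof require === "function" && require.main === module) {
  const targets = process.argv[2]
    ? [JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))]
    : [ADBLOCK_MANIFEST, SPELLCHECK_MANIFEST];
  for (const m of targets) console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

Installed extensions keep their manifest.json under the profile’s Extensions directory, one folder per extension ID and version, so the script can be pointed at each of them in turn. A "critical" result does not mean the extension is malicious; it means that, as Koren puts it, you gave it access and it can see everything, so the developer and the update channel have to be trusted.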

prefix 9 months ago
And some security experts will also tell you of the dangers of malicious advertisements.

It really feels like Google is trying hard to push their manifest v3 changes lately.

I think the idea to uninstall all extensions is silly. I run one extension: a trusted ad blocker. Because ads are a bigger risk in my threat model than a single highly permissioned extension.

Google feels threatened by this, so they are pushing on this issue heavily. They don't care if folks get infected from malvertising.