Browser extension sales, updates pose hidden threat to enterprises – CyberScoop

Sometimes the simplest pieces of software can cause the most complex security headaches for organizations.
Browser extensions, which can be bought, sold and repurposed without warning, are a blind spot for organizations — ignored and often left unrecognized as a hidden threat.
John Tuckner, founder of the browser extension security company Secure Annex, recently demonstrated how quickly he bought and repurposed an extension to redirect traffic. For this experiment, Tuckner found and purchased an extension named “Website Blocker” for $50 and transferred ownership to himself in the Chrome Web Store for a $5 fee.
His experience underscores how difficult — “absolutely impossible,” he said — it is for browser extension users to know when ownership changes hands or extensions they use are repurposed for potentially malicious intent.
“A Chrome Web Store extension listing can say one thing, but once you install it, what’s actually in the code and what’s in the package that you install, that gets really tricky,” Tuckner said in an interview. “There’s a lot of gray area to declare if something is malicious or not.”
Once Tuckner gained ownership of the extension, he submitted an update to the Chrome Web Store and, hours later, pushed new code to the user base.
“Browser extension updates, by default, occur automatically and silently when a user’s browser detects a new version available in the Chrome Web Store,” he wrote in a blog post. “Only if new permissions are requested by the extension is the user ever notified or prompted.”
Google reviews browser extension updates, but the process and resources involved aren’t sufficient to keep up with every ownership change and every code change, according to Tuckner. Google did not respond to a request for comment.
The change Tuckner made to the browser extension he purchased was harmless, but proved his point. By using the “declarativeNetRequest” API permission the extension was already approved for, Tuckner redirected traffic from a specific URL to a “Rickroll,” a meme of Rick Astley’s 1987 hit “Never Gonna Give You Up.” Because the update requested no new permission, users were never prompted.
Capabilities allowed within some permissions of browser extensions, such as “declarativeNetRequest,” are too broad, Tuckner said. “If I wanted to target a brand like an Office 365 login portal and redirect it to my login portal for phishing, that is all under the same permission that was already within the extension and already approved for use by Google.”
Most browser extension permissions involve a trade-off, balancing functionality with potential privacy concerns or malicious intent.
The tabs permission in browser extensions allows for tab management (listing open tabs with their URLs and titles), but combined with host access, developers can also use it to capture screenshots of potentially sensitive pages and send that information to a third-party server. The cookies permission can read the cookies, including session tokens, saved in the browser for the hosts the extension is allowed to reach.
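Security teams that want to review what an installed extension can actually do, rather than what its store listing says, can start from the unpacked package. The following is an added example written for this article, not code from Secure Annex, Google or the extension in question: a static audit of a Chrome extension’s manifest.json and the declarativeNetRequest rulesets it declares. It flags the permissions discussed above and every redirect rule, scoring a redirect of a login host higher, since that is the phishing setup Tuckner describes and it ships under the same already-approved permission. The risky-permission list, the login-host watchlist and the sample manifest and rules are all constructed for the example.

```javascript
// Added example (not Secure Annex's or Google's code): static audit of an
// unpacked Chrome extension's manifest.json plus its declarativeNetRequest
// rulesets. Watchlist, permission notes and sample data are constructed here.

const RISKY_PERMISSIONS = {
  declarativeNetRequest: 'can block, redirect or rewrite requests on reachable hosts',
  declarativeNetRequestWithHostAccess: 'as above, gated by host_permissions',
  tabs: 'can read tab URLs/titles; tab contents can be captured and sent off-box',
  cookies: 'can read cookies, including session tokens, for permitted hosts',
  webRequest: 'can observe every request on permitted hosts',
  scripting: 'can inject scripts into permitted pages',
};
// Host patterns that grant access to every site.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// Constructed watchlist; an organisation would list its own IdP and SaaS logins.
const LOGIN_HOSTS = ['login.microsoftonline.com', 'login.live.com', 'accounts.google.com', 'okta.com'];
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3 };

// Extract hosts from a DNR condition. urlFilter uses anchors such as
// "||host/path", "|https://host" or "*://host/*"; requestDomains is a host
// list; regexFilter is opaque and is reported as such.
function hostsFromCondition(cond) {
  const hosts = [];
  if (Array.isArray(cond.requestDomains)) hosts.push(...cond.requestDomains);
  if (typeof cond.urlFilter === 'string') {
    const m = cond.urlFilter.match(/^\|{0,2}(?:[a-z*]+:\/\/)?(?:\*\.)?([a-z0-9][a-z0-9.-]*)/i);
    if (m) hosts.push(m[1]);
  }
  if (typeof cond.regexFilter === 'string') hosts.push(`regex:${cond.regexFilter}`);
  return hosts.map((h) => h.toLowerCase());
}

function onWatchlist(host, watchlist) {
  return watchlist.some((w) => host === w || host.endsWith(`.${w}`));
}

// Describe where a redirect action sends the request.
function redirectTarget(redirect = {}) {
  if (redirect.url) return redirect.url;
  if (redirect.regexSubstitution) return `regexSubstitution ${redirect.regexSubstitution}`;
  if (redirect.transform) return `transform ${JSON.stringify(redirect.transform)}`;
  if (redirect.extensionPath) return `extension path ${redirect.extensionPath}`;
  return '(unspecified)';
}

// One finding per redirect rule; block/allow/modifyHeaders rules are not flagged,
// because redirect sits under the same permission as benign blocking.
function auditRule(rule, watchlist = LOGIN_HOSTS) {
  if (!rule.action || rule.action.type !== 'redirect') return [];
  const hosts = hostsFromCondition(rule.condition || {});
  const target = redirectTarget(rule.action.redirect);
  const phishy = hosts.some((h) => onWatchlist(h, watchlist));
  return [{
    ruleId: rule.id,
    severity: phishy ? 'high' : 'medium',
    reason: phishy
      ? `redirects watchlisted login host(s) ${hosts.join(', ')} to ${target}`
      : `redirects ${hosts.join(', ') || 'matching requests'} to ${target}`,
  }];
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (RISKY_PERMISSIONS[p]) findings.push({ item: p, severity: 'low', reason: RISKY_PERMISSIONS[p] });
  }
  for (const h of manifest.host_permissions || []) {
    if (BROAD_HOSTS.has(h)) findings.push({ item: h, severity: 'medium', reason: 'host access to every site' });
  }
  return findings;
}

// manifest: parsed manifest.json; rulesets: { "<path>": [rules] } for the files
// named in declarative_net_request.rule_resources.
function auditExtension(manifest, rulesets, watchlist = LOGIN_HOSTS) {
  const permissionFindings = auditManifest(manifest);
  const ruleFindings = [];
  for (const res of (manifest.declarative_net_request || {}).rule_resources || []) {
    if (!res.enabled) continue;
    const rules = rulesets[res.path];
    if (!rules) {
      ruleFindings.push({ ruleId: null, severity: 'low', reason: `ruleset ${res.path} declared but not supplied` });
      continue;
    }
    for (const rule of rules) ruleFindings.push(...auditRule(rule, watchlist));
  }
  const all = [...permissionFindings, ...ruleFindings];
  const maxSeverity = all.reduce((m, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[m] ? f.severity : m), 'none');
  return { permissionFindings, ruleFindings, maxSeverity };
}

// Constructed sample: a "website blocker" whose update added one redirect rule.
const SAMPLE_MANIFEST = JSON.parse(`{
  "manifest_version": 3, "name": "Website Blocker (sample)", "version": "1.4.0",
  "permissions": ["declarativeNetRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": { "rule_resources": [{ "id": "ruleset_1", "enabled": true, "path": "rules.json" }] }
}`);
const SAMPLE_RULES = JSON.parse(`[
  { "id": 1, "priority": 1, "action": { "type": "block" },
    "condition": { "urlFilter": "||distracting.example/", "resourceTypes": ["main_frame"] } },
  { "id": 2, "priority": 1,
    "action": { "type": "redirect", "redirect": { "url": "https://video.example/never-gonna-give-you-up" } },
    "condition": { "urlFilter": "||news.example/", "resourceTypes": ["main_frame"] } }
]`);

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, { 'rules.json': SAMPLE_RULES }), null, 2));
```

Run against a real package by loading manifest.json and each file listed under rule_resources from the extension directory (Chrome keeps installed extensions under the profile’s Extensions folder). The audit is deliberately static: it reports what the shipped rules and permissions allow, which is the gap Tuckner points at, and a rule redirecting a watchlisted login host is scored high even when the redirect target looks innocuous.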
“If you’re stealing the browser data of an individual, maybe that’s fine. I don’t know, that’s a judgment call for any individual person,” Tuckner said. “But when you do it at a companywide scale, a lot of security teams don’t really understand or haven’t given enough thought to that potential risk.”
Owners of browser extensions with expansive privileges could ship code updates, repurposing their use to gather potentially sensitive data and sell that information to initial access groups or cybercriminals looking to target a specific organization, according to Tuckner.
“Once the data is essentially gathered and it goes off to a third party, you kind of lose sight of it,” he said.
While many businesses lock down the administrative rights on employees’ laptops and maintain a tight list of software approved for installation, they often overlook what’s happening in the browser. This effectively allows employees to install any browser extensions they want.
“It can be really enticing and really easy to install them,” Tuckner said. “It’s really hard to get them ripped out once that’s done.”