As we continue into the 21st century it is becoming more and more apparent that future conflicts will play out on the digital battleground as much as they do in the real world. Russia’s assault on Ukraine was preceded by massive cyber-attacks, and the FBI in mid-March alerted multiple energy and infrastructure organizations here in the US that their networks were scanned by Russian IP addresses, a potential prelude to a large-scale cyberattack. Around the same time, President Biden warned the private sector of the threat, urging businesses to “harden your cyber defenses immediately.

Many of our blog posts are prompted by news stories like these. It’s easy to look at the news and see cybersecurity as a big picture, top-down problem. But the topic of today’s post found us and is a great reminder that cybersecurity isn’t just a concern for governments and critical infrastructure organizations. Many vulnerabilities and intrusions happen at the individual level, with a single user making a mistake that grants bad actors access to their data.

We recently encountered a malicious browser extension, so we thought it was time to bring this potential security risk to your attention. We’re going to talk about how malicious extensions work, and how you can protect your browser and secure your data.

Browser extensions: A Tool and a Threat

Browser extensions are add-ons to your web browser that you can download and activate. They’re small bits of software that are integrated within your web browser. Ad blockers, UI modifications, password managers, productivity and organization tools – thousands of options are available no matter which browser you choose. Chances are the browser you’re using right now has one or more active extensions at this very moment. They’re great for productivity, organization, and customizing your web browsing experience, but unfortunately these tools present a double edged sword. For all the good they do, they are not without risk.

Extensions open the door to intrusion

Web browsers are generally secure. The way the world works today requires that we put a lot of sensitive information into our web browser on an almost daily basis. Passwords, contact information, finances, personal identifiers like your birthday, address, social security number; all these things are put into the internet by hundreds of millions of people every single day. Debates will be eternally waged over which browser is the most secure, but all browsers receive regular security updates and are designed to help you protect your sensitive data.

But when you enable a browser extension you are granting 3rd party code permission to run in your web browser, bypassing that built-in security and telling your browser that “this code is safe.” But if that code isn’t safe, you’ve just let the fox into the henhouse.

Malicious extensions impact millions every year

Security researchers with Avast found that more than 3 million people fell victim to at least 28 malicious browser extensions in 2020, and that some of those extensions may have been active for years before they were discovered. When added to browsers, these extensions would download malware, hijack links, redirect users to phishing sites, and harvest user data. More recently, a browser extension called “Video Ad-Block, for Twitch” was found to be turning Amazon addresses into affiliate links. At the same time, the extension’s source code was made private after previously being publicly available.

We here at CBM Technology recently encountered a malicious extension, the inspiration behind this post. It is an email and contacts integration extension, a useful productivity tool on its surface. Then when you give it access to your inbox and contacts list, it scans the signatures of all of your emails and collects email addresses and phone numbers to sell to marketing lists. This extension has over 200,000 users on Chrome and if you send an email to any of them, your email signature and contact information may be collected. This is all explained in the privacy policy on their website, but how many of those users do you think read it before installing?

Protect your browser and your data

The only surefire way to keep the fox out of the henhouse is to keep the door closed, and disabling all extensions is the surefire way to protect your browser. If you absolutely do need to use extensions, here are some tips on how you can practice safe extension installs:

  • Read the terms of service and privacy policy
  • Research, read reviews, and look at the developer’s website
  • Only download extensions from the browser’s official app store
  • Look for extensions with publicly available source code
  • Avoid extensions that ask for unrelated permissions
  • Disable extensions that ask for new permissions without explaining why
  • Disable extensions you don’t use regularly

Of course, the best way to protect your browser and your data is to talk to a cybersecurity specialist. CBM offers SecurityCare+ for your business where we monitor for malicious browser extensions and other threats to your business. Click here to sign up for a free security assessment, and we will help you identify weak spots and build a plan to secure them.