Summary: A recent attack campaign has compromised over 25 browser extensions, affecting more than two million users, by injecting malicious code to steal credentials. Organizations are urged to assess their risk exposure and take protective measures against such threats.
Threat Actor: Unknown
Victim: Users of compromised extensions
Key Points:
- Browser extensions are increasingly targeted due to extensive access permissions that can lead to severe data exposure.
- Extensions related to productivity, VPN, and AI were particularly targeted in this campaign.
- Phishing attacks on extension publishers in the Chrome Web Store facilitated the compromise of these extensions.
- Organizations must conduct audits, categorize extensions, and assess their risk to enhance security against such threats.
- Adaptive, risk-based enforcement policies should be applied to manage the security posture related to browser extensions.
News has been making headlines over the weekend of the extensive attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. Currently, over 25 extensions, with an install base of over two million users, have been found to be compromised, and customers are now working to figure out their exposure (LayerX, one of the companies involved in protecting against malicious extensions, is offering a complimentary service to audit and remediate organizations’ exposure).
While this is not the first attack to target browser extensions, the scope and sophistication of this campaign are a significant step up in terms of the threats posed by browser extensions and the risks they pose to organizations.
Now that details of the attack have been publicized, users and organizations need to assess their risk exposure to this attack and to browser extensions in general. This article is aimed at helping organizations understand the risk posed by browser extensions, the implications of this attack, and actionable steps they can take to protect themselves (for an in-depth overview, see a detailed guide on protection against malicious browser extensions).
Browser Extensions Are the Soft Underbelly of Web Security
Browser extensions have become a ubiquitous part of the browsing experience, and many users often use such extensions to fix their spelling, find discount coupons, pin notes, and other productivity uses. However, most users don’t realize that browser extensions are routinely granted extensive access permissions that can lead to severe data exposure should those permissions fall into the wrong hands.
Common access permissions requested by extensions include access to sensitive user data such as cookies, identities, browsing data, text input, and more, which can lead to data exposure on the local endpoint and credential theft of user identities.
This is particularly a risk to organizations since many organizations do not control what browser extensions users install on their endpoints, and credential theft of a corporate account can lead to exposure and a data breach at the organizational level.
A New, More Dangerous Threat:
Although the fallout from this attack campaign is still unfolding, and compromised extensions are still being discovered, there are a number of takeaways that can already be noted:
- Browser Extensions are Becoming a Major Threat Surface. This campaign targeting multiple extensions demonstrates that hackers are taking notice of the extensive access granted to many extensions and the false sense of security that many users are operating under, and are explicitly targeting browser extensions as vehicles for data theft.
- GenAI, Productivity, and VPN Extensions Were Particularly Targeted: The list of impacted extensions indicates that extensions dealing with VPN, data processing (such as note-taking or data security), and AI were mainly targeted. It’s too early to tell whether this is because these extensions tend to be more popular (and therefore more appealing to an attacker in terms of reach), or because of the permissions these extensions are granted, which attackers want to exploit.
- Public Extensions in the Chrome Store are Exposed. It appears that extensions were compromised as a result of a phishing campaign targeting the publishers of browser extensions on the Chrome Web Store. The details on who to target were apparently collected from the Web Store itself, which includes details of the extension author, including their email address. While the Chrome Web Store is the best-known source for extensions, it is not the only one, and some enterprise-grade extensions are deployed directly.
How To Protect Your Organization:
While many users and organizations are not aware of the potential risks associated with browser extensions, there are a number of key actions they can take to protect themselves:
- Audit all extensions: Many organizations don’t have a full picture of all extensions that are installed in their environment. Many organizations allow their users to use whichever browser (or browsers) they wish, and install whatever extensions they want. However, without a full picture of all extensions on all browsers of all users, it is impossible to understand your organization’s threat surface. This is why a full audit of all browser extensions is a foundational requirement for protecting against malicious extensions.
- Categorize extensions: As this attack campaign – which primarily targeted productivity, VPN, and AI extensions – demonstrates, some extension categories are more susceptible to compromise than others. Part of this is the popularity of certain types of extensions, which makes them appealing to attack because of their broad user base (such as various productivity extensions), and part of it is the permissions granted to such extensions, which hackers may wish to exploit (such as the access to network and browsing data given to VPN extensions). This is why categorizing extensions is a useful practice in assessing the browser extension security posture.
- Enumerate extension permissions: While understanding which extensions are installed in corporate environments is one side of the coin, the other side of the coin is understanding what those extensions can do. This is done by enumerating their precise access permissions and listing all the information they can potentially access.
- Assess extension risk: Once they understand which extensions are installed on corporate endpoints and the information that these extensions can touch (via their permissions), organizations need to assess the risk posed by each individual extension. A holistic risk assessment should encompass both the permission scope of the extension (i.e., what it can do) and external parameters such as its reputation, popularity, publisher, install method, and more (i.e., how much we trust it). These parameters should be combined into a unified risk score for each extension.
- Apply adaptive, risk-based enforcement: Finally, taking into consideration all the information they have at hand, organizations should apply adaptive, risk-based enforcement policies tailored to their uses, needs and risk profile. They can define policies to block extensions that have certain permissions (e.g., access to cookies), or define more complex rules tailored to their specific use case (e.g., block AI and VPN extensions with a ‘High’ risk score).
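One way to turn the enumerate-assess-enforce steps above into code, as an added example that is not from the article or from LayerX: it scores manifest.json records by permission scope, applies the article’s two sample rules (block anything with the cookies permission; block AI/VPN extensions rated High), and emits a Chrome ExtensionSettings policy fragment for the blocked IDs. The permission weights, thresholds, inventory, extension IDs and categories are assumptions constructed for illustration.

```python
import json
# Weights per Chrome permission: an assumption for illustration, tune to your risk profile.
PERMISSION_WEIGHTS = {"cookies": 4, "webRequest": 3, "webRequestBlocking": 3, "proxy": 3,
                      "history": 2, "tabs": 2, "clipboardRead": 2, "scripting": 2, "storage": 0}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def risk_score(manifest):
    """Score an extension from its manifest.json permission scope (MV2 and MV3 layouts)."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))              # MV3 lists hosts separately
    hosts += [p for p in perms if p == "<all_urls>" or "://" in p]  # MV2 mixes them into permissions
    score = sum(PERMISSION_WEIGHTS.get(p, 1) for p in perms if p not in hosts)  # unknown API perm = 1
    if any(h in BROAD_HOSTS for h in hosts):
        score += 4  # can read and modify page content, including typed input, on every site
    return score

def risk_level(score):
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def decide(entry):
    """Article's sample rules: block cookies permission; block AI/VPN rated High; else allow."""
    manifest = entry["manifest"]
    level = risk_level(risk_score(manifest))
    if "cookies" in manifest.get("permissions", []):
        return "block", "requests cookies permission"
    if entry["category"] in ("AI", "VPN") and level == "High":
        return "block", f"{entry['category']} extension with {level} risk"
    return "allow", f"{level} risk"

def build_policy(inventory):
    """Chrome ExtensionSettings policy fragment that blocks the rejected extension IDs."""
    return {e["id"]: {"installation_mode": "blocked"}
            for e in inventory if decide(e)[0] == "block"}

# Constructed inventory for the example: IDs, names, categories and manifests are made up.
INVENTORY = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "category": "Productivity",
     "manifest": {"name": "Note Keeper", "permissions": ["storage", "tabs"]}},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "category": "VPN",
     "manifest": {"name": "SecureTunnel VPN", "permissions": ["proxy", "webRequest", "webRequestBlocking"],
                  "host_permissions": ["<all_urls>"]}},
    {"id": "cccccccccccccccccccccccccccccccc", "category": "AI",  # MV2-style manifest
     "manifest": {"name": "AI Writing Helper", "permissions": ["cookies", "scripting", "https://*/*"]}},
    {"id": "dddddddddddddddddddddddddddddddd", "category": "AI",
     "manifest": {"name": "Grammar Bot", "permissions": ["storage", "activeTab"]}},
]

if __name__ == "__main__":
    print(json.dumps(build_policy(INVENTORY), indent=2))
```

In a real audit the manifests would come from each endpoint’s browser profile directories and the category from store metadata; the emitted fragment can be merged into the ExtensionSettings policy pushed by your browser management tooling.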
While browser extensions offer many productivity benefits, they also expand organizations’ threat surface and risk of exposure. The recent attack campaign targeting browser extensions with malicious code should be a wake-up call for organizations to define their approach to protecting against malicious and compromised browser extensions.
A comprehensive guide on protecting against malicious browser extensions is available for download to help organizations fully understand the threat, why existing solutions don’t provide adequate coverage, and how they can protect themselves.
Source: https://thehackernews.com/2024/12/when-good-extensions-go-bad-takeaways.html