Online criminals are on the prowl again. Between January and March 2018 alone, they infected more than 100,000 computers through browser extensions, stole login credentials, mined cryptocurrencies and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store, the extension store for Chrome, which is only the Internet’s most popular web browser today. Much like a vampire, malicious extensions and 3rd party connectors to popular web browsers and online applications (Slack, Office 365, Google Apps, Chrome, Firefox, and Edge) are usually invited in (by you), across the threshold, and given rights to your data, and sometimes even rights to manipulate your data. While often well intentioned, many users do not realize the implications of what they’ve just agreed to.
Only from trusted sources, right?
The source of the browser extension may not matter. You’d think that anything listed in the official Chrome Web Store would be safe, but that’s not entirely true. In the last several months, malicious Chrome extensions have been found to steal credentials and alter website data on the fly. Even though extensions (and connectors) operate under defined permissions that the end user has to accept, the end user may not fully understand what those permissions mean.
Many extensions request rights that can be used to alter your bookmarks and literally change website data on any and all websites you visit. These rights could be used to simply change the look of a website, add functionality, or to change every link you click to something malicious. Although browser extensions offer a convenient way to customize your browser, the ones with malicious intent could steal and misuse personal data. After all, why would you not trust an extension that runs as part of a trusted browser, right?
3rd party connectors that ask for full rights such as the ability to read, send, and manage your email might be required to allow the app to work with an online set of applications like Office 365 through established APIs, but these rights also allow connectors to read, send, and manage your email. Yes, all of it. If your email is full of sensitive corporate data, you are giving a substantial amount of trust to a 3rd party. While it is usually in the best interest of a company to play by the rules and not abuse that trust, that has no bearing on the bad guys.
Put a stake in it!
Really think about the need for a browser extension that gives you a calculator app, but also wants to view all your website data. Although Google will eventually get rid of the bad guys, the constant success malicious attackers have been able to enjoy, sadly, will continue. As technology gets more advanced, attackers will find new ways to steal and misuse stolen data. Therefore, the onus of protecting your data lies entirely on you.
Only grant permissions to extensions and connectors that you really trust. Read descriptions and reviews, and find out more about the developer. Keep in mind that when you grant these permissions, you may inadvertently leak corporate data to 3rd parties and be in violation of your corporate security policies. Review your extensions and connectors regularly and evaluate if there is a real need for them.
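One way to make that regular review concrete on Chrome, as an added example that is not part of the original article: the script below reads each installed extension's manifest.json and flags all-sites access and bookmark or browsing-data permissions. The permission lists, function names and sample manifest are choices made for this illustration, and the `<extension id>/<version>/manifest.json` folder layout is assumed.

```python
import json
from pathlib import Path

# Chrome match patterns that cover every website.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose bookmarks or browsing data (illustrative selection).
SENSITIVE_APIS = {"bookmarks", "tabs", "history", "cookies", "webRequest", "clipboardRead"}

def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    declared = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for perm in declared:
        if perm in BROAD_HOSTS:
            findings.add(f"all-sites access: {perm}")
        elif perm in SENSITIVE_APIS:
            findings.add(f"sensitive API: {perm}")
    # Content scripts can read and rewrite pages on every site they match.
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            findings.add("content script injected on all sites")
    return sorted(findings)

def audit_extensions_dir(ext_dir):
    """Audit <ext_dir>/<extension id>/<version>/manifest.json; keep flagged ones only."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parts[-3]] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[path.parts[-3]] = findings
    return report

# Constructed sample: a "calculator" that asks for far more than it needs.
SAMPLE_CALCULATOR = {
    "manifest_version": 2,
    "name": "Handy Calculator",
    "permissions": ["bookmarks", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_CALCULATOR):
        print(finding)
```

Point `audit_extensions_dir` at the Extensions folder inside your Chrome profile directory; its location differs by operating system. A flagged extension is not necessarily malicious, only one whose need for those rights deserves a second look.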
Given the regular success that attackers are enjoying through these malicious extensions, it wouldn’t be surprising to see more strikes in the future. So, stay alert, and stay careful!
Synoptek focuses on security as well as digital growth and innovation within its managed services offerings. Contact Synoptek for more information on how to stay safe.
About the Author
Synoptek is an established firm that provides information systems consulting and IT management services. Synoptek and its predecessors have been providing these services for 23 years.