Websites can steal browser data through extension APIs


Malicious websites can exploit browser extension APIs to execute code within the browser and steal confidential information, such as bookmarks, browsing history and even user cookies.

An attacker can use the latter to hijack a user's active login sessions and access confidential accounts, such as email inboxes, social media profiles or work-related accounts.

In addition, the same extension APIs can be abused to trigger the download of malicious files and store them on the user's device, and to store and retrieve data in an extension's permanent storage, data that can then be used to track users across the web.

These types of attacks are not theoretical; they have been proven in an academic paper published this month by Dolière Francis Somé, a researcher at the Université Côte d'Azur and INRIA, a French research institute.

Somé created a tool and tested more than 78,000 Chrome, Firefox and Opera extensions. Through his efforts, he was able to identify 197 extensions that exposed the extension API's internal communication interfaces to web applications, giving malicious websites a direct path to the data stored in a user's browser, data that, under normal circumstances, only the extension's own code could have reached (when the proper permissions were obtained).

The results of browser extension attacks

Image: Somé

The French researcher says he was surprised by the results, since only 15 (7.61%) of the 197 extensions were developer tools, a category of extensions that generally have full control over what goes on in a browser, and the ones he had expected to be easier to exploit.

About 55 percent of all vulnerable extensions had fewer than 1,000 installs, but more than 15 percent had more than 10,000.

Results, extensions organized by category

Image: Somé

Somé said he notified browser vendors about his findings before publishing his work in early January.

"All suppliers recognized the problems," said Somé. "Firefox has removed all reported extensions. Opera has also removed all extensions but 2 that can be exploited to activate downloads."

"Chrome also recognized the problem in the reported extensions, and we are still discussing with them the possible actions that should be taken: remove or fix the extensions," he said.

The researcher also created a tool that allows users to test whether their extensions contain vulnerable APIs that can be exploited by malicious websites. The tool is web-based and is hosted on this page. To use it, users have to copy and paste the contents of an extension's manifest.json file.
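A manifest-level triage of the same kind of exposure, as an added example (it is not Somé's tool and not code from the paper). It lists the channels through which a web page can message an extension and the permissions guarding the data named above; the function names, the priority labels and both sample manifests are constructed for illustration.

```javascript
// Permissions gating the data the article names (real WebExtension permission names).
const SENSITIVE = ["bookmarks", "history", "cookies", "downloads", "storage"];

// True for match patterns that cover arbitrary sites rather than a fixed origin.
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const surfaces = [];
  // externally_connectable.matches: pages allowed to call runtime.sendMessage/connect.
  const ext = (manifest.externally_connectable || {}).matches || [];
  if (ext.length) surfaces.push({ kind: "externally_connectable", patterns: ext, broad: ext.some(isBroad) });
  // content_scripts: injected into matching pages, which can reach them via postMessage or DOM events.
  for (const cs of manifest.content_scripts || []) {
    const m = cs.matches || [];
    if (m.length) surfaces.push({ kind: "content_script", patterns: m, broad: m.some(isBroad) });
  }
  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const sensitive = perms.filter((p) => SENSITIVE.includes(p));
  const allHosts = perms.some(isBroad);
  // Review priority only: a manifest cannot show whether a handler forwards page input to these APIs.
  let priority = "low";
  if (surfaces.length && (sensitive.length || allHosts)) {
    priority = surfaces.some((s) => s.broad) ? "high" : "medium";
  }
  return { surfaces, sensitive, allHosts, priority };
}

// Constructed sample manifests (not taken from any real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "constructed-example",
  permissions: ["cookies", "history", "tabs", "<all_urls>"],
  background: { scripts: ["bg.js"] },
  content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }],
  externally_connectable: { matches: ["https://*.example.com/*"] },
};
const narrowManifest = {
  manifest_version: 3,
  name: "constructed-narrow",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["cs.js"] }],
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

A "high" or "medium" result marks an extension whose message handlers deserve a code review; it does not establish that the extension is exploitable.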

A page with several demo videos is available here. More details about Somé's work are available in a research paper entitled "EmPoWeb: Empowering Web Applications with Browser Extensions," available for download in PDF format from here or here.

It would be very impractical to list all vulnerable extensions in this article. Readers can find the list of vulnerable extensions in the tables at the end of the research paper linked above.
