Drop #205 (2023-02-22): Evil Extension Exposition
Nefariousness By The Numbers; Let's Build A Chrome Extension That Steals Everything; Hakari
I had a different post scheduled for today, but when I noticed that Matt Frisbie crafted a post on malicious browser extensions shortly after I encouraged use of yet-another browser extension, I felt compelled to change direction.
So, today, we talk a tad bit more about browser extensions.
First, by dropping some data on the prevalence of these malevolent augmentations. Then, by showing you how to build an insidiously evil one. However, we will close on a much less depressing note, since I try not to be one of “those” security folks who are just a killjoy all the time.
Nefariousness By The Numbers
Before we dig into this section, I need to let any non-cyber folks in on a little secret our industry keeps fairly well-hidden: there is virtually no objective data backing any “cyber” headlines you see, and there is almost no adherence to any “scientific method” for any of the vendor-related studies, claims, and reports you may come across.
Virtually every vendor report — including ones I've written or contributed to — has a bonkers bias problem. For publications I have been party to, I've worked pretty hard to ensure those biases are well-documented, but the same absolutely cannot be said for the vast majority of them.
Recently, an authentication technology startup produced a report on ransomware that did tons of harm by essentially suggesting ransomware was no big deal. Their flawed survey-based report concluded ransomware events were on steep decline (Narrator: “They aren't.”). They were just trying to capitalize on headline keywords to grab some attention in a challenging time for security startup funding.
Even some “legacy” vendors (i.e., the ones who have been around for a while) with real data from their massive platform telemetry often refuse to acknowledge they have measurement biases. After all, they're only measuring what their kit can see, which is usually dependent on where a given user operates from. Yet, this does not stop them from declaring definitive numbers and making broad “one size fits all” conclusions.
I realize “cyber” is not alone when it comes to problems like this, but you should take any headline-grabbing claims with a grain of salt, along with a healthy shake or twelve of skepticism.
Now that you are a bit more prepared to consume some vendor data, let's take a brief look at the state of things in extension land.
First, we tap into a 2020 report by DebugBear — NOTE that there is some raw data from DebugBear for 2021 as well — that counted ~137K “official” extensions for that year and ~130K for 2021. Those were point-in-time counts, but ~130K sounds like a believable number, and it's pretty straightforward to verify if one wants to do a short scraping exercise.
Google lets anyone with an honest Abe in their pocket set up shop in the Chrome Web Store. No, I mean it — literally anyone. So, it's not surprising some percentage of those extensions have ill intent. After all. Everywhere's Baltimore.
Kaspersky is one cyber vendor who did a recent-ish study of malicious browser extensions.
That article is paired with a cousin which talks more about the dangers in general.
Throughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least once, which exceeds 70 percent of the number of users affected by the same threat throughout the whole of last year.
From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70 percent of all users impacted by malicious and unwanted add-ons.
The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect users to affiliate links.
Suffice it to say:
Let's Build A Chrome Extension That Steals Everything
Matt Frisbie is a very talented developer and tech author with his very own Substack:
Yesterday-ish, Matt dropped a solid post that walks you through the mechanics of building a bad (read: evil) browser extension using the ground rules laid out by the ostensibly bulletproof Manifest v3.
Despite the technical nature of the subject, the post is very accessible and:
Explores the edges of what is possible with Chrome extensions
Demonstrates what you are exposed to if you aren’t careful with what you install
Just in case you think you are impervious:
You might be thinking “Matt, surely this doesn’t apply to me! I’m a savvy tech guru who is careful, fastidious, and obsequious. Nobody could ever pull one over on me.”
In that case, my obsequious friend, answer these questions:
Without looking, can you name more than half of the extensions you have installed right now?
Who maintains them? Is it the same entity that maintained it when you first installed? Are you sure?
Did you really scrutinize their permissions?
It is 100% worth your time today/this week.
How To Monitor An Extension For Bad Behavior
(This is an update to the original post after receiving a question from a reader.)
This is a pretty hard problem. An older USENIX paper [direct PDF] covers why (and not much has changed since 2014).
Now, you can set up a home/org-wide Pi-hole/AdGuard server, but you're on the hook for separating extension network calls from everything else the browser does. This is made more difficult since extensions have access to this, which means you can't easily fingerprint their requests, even if you intercept TLS.
If you start Chrome with --enable-extension-activity-logging, you can poke at each extension's activity log. Good luck making that stick with all the users you need to care about, though.
Installing this old Google extension debugging utility may help triage as well.
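Before reaching for the heavier options above, a cheap first step (and one that also answers Matt's three questions) is an inventory of what is actually installed and what each piece asks for. The script below is an added example, written for this section; it is not Matt's code and not part of any tool linked in the post. It reads each extension's manifest.json from a Chrome profile's Extensions directory, handles both MV2 host patterns (which live inside "permissions") and MV3 "host_permissions", and flags broad host access plus the APIs that can read or rewrite browsing data. The watch-lists, the sample manifests, and the "findings" wording are my own assumptions; a flag is a prompt to scrutinise, not a verdict.

```python
import json
from pathlib import Path

# Assumed watch-lists for an inventory review (my choices, not from the post):
# host patterns that mean "every site", and APIs that can read or rewrite
# browsing data. Presence is not proof of malice; it is what to scrutinise.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
    "cookies", "history", "tabs", "clipboardRead", "debugger",
    "nativeMessaging", "management", "downloads", "webNavigation", "proxy",
}


def review_manifest(manifest):
    """Summarise what one extension manifest (MV2 or MV3) asks for."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 field
    # MV2 manifests put host match patterns inside "permissions"; split them out.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)
    # Content scripts get page access on their "matches" without any permission.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("runs on every site (broad host access)")
    risky = sorted(perms & SENSITIVE_APIS)
    if risky:
        findings.append("sensitive APIs: " + ", ".join(risky))
    if {"scripting", "webRequest", "declarativeNetRequest"} & perms and hosts & BROAD_HOSTS:
        findings.append("can observe or alter pages/traffic on any site")
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_..__ locale key
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "permissions": sorted(perms),
        "host_permissions": sorted(hosts),
        "findings": findings,
    }


def review_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and review each."""
    results = []
    for mp in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        with open(mp, encoding="utf-8") as fh:
            r = review_manifest(json.load(fh))
        r["id"] = mp.parent.parent.name  # the 32-char extension id is the dir name
        results.append(r)
    return results


# Constructed sample: a "colour picker" that asks for far more than it needs.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Page Colour Picker",
    "version": "1.4.2",
    "permissions": ["storage", "scripting", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}],
}

# Constructed sample: the shape of an extension that asks for very little.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab Counter",
    "version": "0.1.0",
    "permissions": ["storage"],
}

if __name__ == "__main__":
    import sys
    # Pass your profile's Extensions directory, e.g.
    #   macOS: ~/Library/Application Support/Google/Chrome/Default/Extensions
    #   Linux: ~/.config/google-chrome/Default/Extensions
    if len(sys.argv) > 1:
        reports = review_profile(sys.argv[1])
    else:
        reports = [review_manifest(SAMPLE_MANIFEST), review_manifest(BENIGN_MANIFEST)]
    for r in reports:
        print(f"{r['name']} {r['version']} (MV{r['manifest_version']})")
        print("  hosts:", ", ".join(r["host_permissions"]) or "none")
        print("  perms:", ", ".join(r["permissions"]) or "none")
        for f in r["findings"]:
            print("  !", f)
```

Run it with no arguments to see the two constructed manifests reviewed, or point it at a profile's Extensions directory to review what is really installed. Names that come back as __MSG_something__ are locale keys; the human-readable name is in the extension's _locales directory. Nothing here tells you what the code does at runtime (that is the hard problem the USENIX paper covers), but an extension that wants every site plus cookies and scripting is one whose maintainer you should be able to name.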
Hakari
Since cyber talk can be a pretty big downer, why not let your mind wander away from that subject and into a fairly captivating puzzle game that will test your knowledge and information spelunking skills.
A decent chunk of the U.S. is in for a wallop of a storm. Hope everyone in harm's way can hunker down in a safe (and warm) space. ☮