[German]Security researchers have found nearly 200 extensions for Google Chrome, Firefox or Opera that can be attacked by malicious websites. Maybe another opportunity to check, if you really need this stuff.
I don’t have any extensions here in Chrome anymore – in Firefox, which I only use for tests, there are a few add-ons (Facebook containers and a performance test for websites). Too often extensions have proven to be a root cause for trouble or a security risk.
Malicious Web pages can also use browser extension APIs to execute code in the browser and steal sensitive information such as bookmarks, browser history, and even user cookies. There have been several privacy scandals in the past, where the browser history was passed on to the developers of the extensions and then sold to data harvesters.
But an attacker could go further and use browser extensions to hijack sessions on email or other password-protected accounts and gain access to sensitive data in those user accounts. Even downloading malicious code via add-on would be possible.
Uncovered: 200 extensions affected
Dolière Francis Somé, a researcher at the Université Côte d’Azur and INRIA, a French research institute, has taken up this topic. He developed a tool and tested over 78,000 Chrome, Firefox and Opera extensions. He was able to identify 197 extensions that exposed internal API communication interfaces for web applications. This gave malicious websites direct access to the data stored in a user’s browser. In other words, this data could under normal circumstances only have been accessed by the extension’s own code (after the appropriate permissions had been obtained).
— Catalin Cimpanu (@campuscodi) 20. Januar 2019
The researcher has published a 19-page PDF document on the subject. Catalin Cimpanu points out the facts in the above tweet and has published an article with a summary at ZDNet.
This once again show that users can no longer trust on anything. The goal must be to limit the number of used tools and extensions to a minimum and be paranoid about new software. Or what’s your opinion?
Web of Trust harvesting and selling user’s surfing data
Firefox addon Web Security transfers private data
100.000+ systems infected by Chrome extensions
Chrome extension for Mega hacked
Browser Add-On Stylish for Chrome/Firefox banned