Google Chrome Extensions: 6 Security Facts

Malicious Chrome extensions, once they have a toehold on your computer, can wreak havoc via your browser. Understand the security implications.

Slideshow: Google Chrome 10 Boosts Performance, Management
(click image for larger view and for slideshow)
A recent crime campaign targeting Facebook users used a novel attack vector: malicious Chrome extensions.
The attack, which occurred in Brazil, caught our attention not because it asks the user to install a malicious extension, but because the malicious extension [is] hosted at the official [Google] Chrome Web Store, said Fabio Assolin, a security researcher at Kaspersky Lab, in a
blog post
. If the user clicks on Install aplicativo he will be redirected to the official store. The malicious extension presents itself as Adobe Flash Player, which is ironic, because Chrome not only includes a built-in version of the player, but also automatically updates it.
The existence of malicious Chrome extensions begs two questions: What can they do, and how can you stop them? Here are six related facts:
1. Extensions might spread Facebook attacks.
In the case of the fake Flash Player, the extension first downloads a script file, which can then pipe commands to the users Facebook profile, including having them like any page that the attacker designates. Attackers also can send any message they like via a users Facebook profile, such as creating a post with a malicious script, or inviting more people to install the malicious Chrome extension or--potentially--a
malicious Facebook application
.
[ One security problem you wont have to worry about with Firefox? See
Firefox Takes Privacy Lead With HTTPS By Default
. ]
2. Malicious extensions can be monetized.
Why would attackers bother with a malicious Chrome extension, or gaining access to peoples Facebook profiles? Youre probably asking yourself how the bad guys are turning this malicious scheme into money, said Assolin. Well, its easy: they have total control of the victims profile, so they created a service to sell Likes on Facebook, especially focused [on] companies that want to promote their profiles, gaining more fans and visibility.
3. Extensions offer JavaScript capabilities.
Facebook attacks notwithstanding, some security experts paint the overall Chrome information security situation in stark terms. Chrome extensions are evil, said Felix FX Lindner, head of
Recurity Labs
in Berlin, in his Apple Versus Google Client Platforms session at Black Hat Europe this month. Chrome extensions, if youve never done them, its almost like they were invented for banking Trojans, he said. Thats because the extensions can be used to rewrite anything thats in the browser, as well as to inject JavaScript. Historically, of course, an attacker would have to find a browser or Web application bug to exploit, then attempt to inject the JavaScript. Only now its built in, in Chrome, so its a lot more stable and better, said Lindner--at least for attackers.
4. Google ID offers security weak point.
How do attackers install malicious extensions? One thing you can do is just break into the Google account of a developer, said Lindner, and then replace a real extension with a malicious one. Within a few hours, the updated extension will typically be pushed to all active users. For such an attack to work, however, an attacker must first guess or steal a developers Google account username and password, and the account would have to be unprotected by
Googles free two-factor authentication
. But that authentication aside, a
dedicated attacker
could find ways to steal developer credentials.
5. Vet extensions thoroughly.
Google Chrome extensions wield enormous power. Once you have a malicious extension in your Chrome browser, youre pretty much [expletive deleted], Lindner said. For example, attackers can use a malicious extension to execute JavaScript, and the extension management dialog in Chrome is rendered in JavaScript. As a result, he said, an attacker can automatically install extensions, for example by creating JavaScript code that simply clicks yes for any do you want to install this? prompts.
6. Google does nuke malicious extensions.
In the case of the Facebook attack that served up a malicious Chrome extension, We reported this malicious extension to Google and they removed it quickly, said Kasperskys Assolin. But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat-and-mouse game. To date, the extension appeared to have been installed by about 1,000 people, mostly in Brazil and Portugal.
With these potential security risks in mind, think twice before installing a Google Chrome extension, said Assolin.
The biggest threat to your companys most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our
Defend Data From Malicious Insiders
report to mitigate the risk. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google Chrome Extensions: 6 Security Facts