Browser Extensions & Permissions

An extension's permissions are declared in its manifest.json file under the "permissions" property, and they can grant access to almost everything the browser itself can reach, such as cookies or local storage. Extensions can even inject scripts into the DOM of other pages; cryptocurrency-mining code delivered this way (for instance, the Droidclub Botnet) is one example. You can review the complete list of permissions for Chrome. After installing an extension, you can always view its permissions in the browser, as shown in this image. In this example (Google Docs Offline), the extension can read and write the user's clipboard, which is very attractive from an attacker's perspective. Before installing an extension, always confirm that it comes from an official store, that it has a good reputation, and that the permissions it requests are appropriate for its functionality. Also consider keeping some extensions disabled and enabling them only when needed. If you are developing an extension, request only the permissions it actually needs and do not give it unnecessary access. This is a textbook application of the Principle of Least Privilege.
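The following added example (not from the original article) is a small least-privilege audit for a Chrome extension manifest. It flags permissions and host patterns that grant broad access, so a developer or reviewer has to justify or remove each one. The risk labels are this example's own classification rather than a Chrome-defined list, and the two manifests are constructed for illustration.

```javascript
// Added example: least-privilege audit of a Chrome extension manifest.
// The "high risk" list and its explanations are this example's own
// classification; the permission names themselves are real Chrome permissions.
const HIGH_RISK_PERMISSIONS = {
  tabs: "URLs and titles of all open tabs",
  history: "full browsing history",
  cookies: "read/modify cookies on permitted hosts",
  webRequest: "observe network requests",
  webRequestBlocking: "modify or block network requests",
  clipboardRead: "read the user clipboard",
  clipboardWrite: "write to the user clipboard",
  debugger: "attach the DevTools debugger to tabs",
  nativeMessaging: "talk to native programs on the host",
  proxy: "redirect all browser traffic",
};

// Host patterns (Chrome match-pattern syntax) that match every site.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns a list of findings; an empty list means nothing broad was requested.
// MV3 puts host patterns in "host_permissions"; MV2 mixes them into "permissions",
// so both locations are inspected.
function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];

  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, why: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  for (const h of hosts) {
    if (isBroadHostPattern(h)) {
      findings.push({ kind: "host", value: h, why: "matches every site" });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions): the same hypothetical
// note-taking extension declared two ways.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "Example Notes (over-privileged)",
  permissions: ["tabs", "clipboardRead", "storage", "history"],
  host_permissions: ["<all_urls>"],
};

const TIGHT_MANIFEST = {
  manifest_version: 3,
  name: "Example Notes (least privilege)",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://notes.example/*"],
};

for (const m of [BROAD_MANIFEST, TIGHT_MANIFEST]) {
  console.log(m.name);
  for (const f of auditManifest(m)) console.log(`  ${f.kind}: ${f.value} (${f.why})`);
}
```

The tight manifest replaces `tabs` plus `<all_urls>` with `activeTab` and a single host pattern, which is usually enough for an extension that only acts on the page the user invokes it on. Running the audit in CI on every manifest change makes a widening of permissions visible in review rather than discovered by users at install time.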
Many Attack Vectors

It is common for extensions to use third-party scripts that are loaded at runtime from their original source. This introduces a new attack vector: if the third party is compromised, the extension is most likely compromised as well. Be very careful with third-party scripts in your extensions. Access to third-party resources is also often performed without SSL/TLS, which is another way to compromise the extension. If an attacker can intercept traffic between the user and the servers, they can use the cleartext HTTP connection to insert malicious scripts, and the browser loads them without warning the user. Another frequent privacy issue is the use of analytics tools that send data to third parties. That data can include sensitive information such as Personally Identifiable Information (PII), social media usage, visited pages, and so on. Developers must avoid this kind of data leakage at all costs, especially under recent data protection regulations such as the General Data Protection Regulation (GDPR).
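The following added example (not from the original article) checks an extension package for the two problems described above: script URLs in its own source that are fetched from third parties, with plain-HTTP ones marked as interceptable, and a manifest content security policy that widens `script-src` beyond the extension package. The popup HTML and the two manifests are constructed inputs for this example.

```javascript
// Added example: find remotely loaded scripts and a permissive script-src CSP
// in an extension package. Inputs below are constructed for illustration.

const URL_RE = /https?:\/\/[^\s"'<>)]+/gi;
const SCRIPT_EXT_RE = /\.js(\?|$)/i;

// Extracts absolute script URLs from extension source text (HTML or JS) and
// marks those fetched over cleartext HTTP, which an on-path attacker can modify.
function findRemoteScripts(source) {
  const hits = [];
  for (const url of source.match(URL_RE) || []) {
    const u = new URL(url);
    if (!SCRIPT_EXT_RE.test(u.pathname + u.search)) continue; // not a script
    hits.push({ url, insecureTransport: u.protocol === "http:" });
  }
  return hits;
}

// Parses a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Returns the script-src sources that allow code from outside the package
// (anything other than 'self' / 'none'), e.g. remote origins or 'unsafe-eval'.
function riskyScriptSources(csp) {
  const directives = parseCsp(csp);
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  return scriptSrc.filter((s) => s !== "'self'" && s !== "'none'");
}

// MV2 declares the CSP as a string; MV3 as an object with "extension_pages".
// An absent CSP means the browser default applies, which restricts scripts to 'self'.
function manifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return "";
  return typeof csp === "string" ? csp : csp.extension_pages || "";
}

// Constructed popup page: one packaged script, two remote ones, one image.
const SAMPLE_POPUP_HTML = `
<script src="popup.js"></script>
<script src="http://cdn.example/lib/analytics.js?v=2"></script>
<script src="https://cdn.example/lib/vendor.min.js"></script>
<img src="https://cdn.example/logo.png">
`;

// Constructed manifests: a weakened MV2 policy and a strict MV3 policy.
const MV2_WEAK = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' http://cdn.example 'unsafe-eval'; object-src 'self'",
};
const MV3_STRICT = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

for (const s of findRemoteScripts(SAMPLE_POPUP_HTML)) {
  console.log(`${s.insecureTransport ? "INSECURE " : "remote   "}${s.url}`);
}
console.log("MV2 weak CSP allows:", riskyScriptSources(manifestCsp(MV2_WEAK)));
console.log("MV3 strict CSP allows:", riskyScriptSources(manifestCsp(MV3_STRICT)));
```

Bundling the vendor library into the package and leaving `script-src` at `'self'` removes both findings: the code that ships is the code that was reviewed, and a compromised or intercepted CDN cannot change it after installation. The same URL scan applied to a content script would also surface an analytics endpoint, which is the place to ask what data leaves the browser.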
Real Case Scenarios

Several vulnerabilities have been discovered in browser extensions. The Cisco WebEx and LastPass extensions, for example, were vulnerable to Remote Code Execution. PBot, adware written in Python, installs browser extensions in order to place ads on visited web pages and then redirects the user to other websites. The power of extensions can put users at risk, whether through extensions with security bugs in their code, through malicious campaigns delivered by phishing, or through malicious websites that lead the user to install evil extensions. It is therefore crucial to have security controls in place when developing an extension. Using application security testing tools can also help developers secure their code from the beginning.
We made several attempts in the last few months to contact Any.DO, but we did not get a response from them.
Conclusion

Keep in mind that extensions are very powerful. They are without a doubt outstanding tools, but use them with caution and develop them with the following guidelines in mind:
- Follow the Principle of Least Privilege for permissions
- When possible, avoid third-party scripts
- When possible, avoid analytics tools
- Use SSL/TLS for all requests
- Follow Secure Coding Practices
- Use Application Security testing tools