Although the number of malicious browser extensions has significantly increased in the past year many security products fail to offer adequate protection against them, while others are simply not designed to do so, according to a security researcher.
Attackers have already used such extensions to perform click fraud by inserting rogue advertisements into websites or by hijacking search queries, but research has shown that this type of malware has the potential to cause much more damage.
Last year Zoltan Balazs, an IT security consultant with professional services firm Deloitte in Hungary, created a proof-of-concept malicious extension that could be controlled remotely by an attacker and could steal authentication credentials, hijack accounts, modify locally displayed Web pages, take screenshots through the computer's webcam, bypass two-factor authentication systems and even download and execute malicious files on a victim's computer.
And last week the European Union Agency for Network and Information Security (ENISA) warned in its midyear report: "An increase in malicious browser extensions has been registered, aimed at taking over social network accounts."
Earlier this year Balazs investigated how various security products protect users against malicious browser extensions and presented his findings at the OHM2013 security conference near Amsterdam in August. He performed tests against browser security extensions, sandboxing software, Internet security suites, anti-keylogging applications and financial fraud prevention programs recommended by some banks.
Many of these products either don't detect and block malicious extensions at all, or their protection can be bypassed, sometimes very easily, he found. Not all of the tested products claim to protect against malicious extensions, but Balazs said he tested them because some users might believe they do.
For example, the NoScript security extension for Mozilla Firefox is designed to block plug-in content from executing without user authorization, and also blocks some Web-based attacks such as cross-site scripting or clickjacking. However, it doesn't protect against malicious browser extensions or local malware, Balazs said.
BrowserProtect, another Firefox extension, claims to protect the browser against "homepage, search provider, extension, add-on, BHO and other hijacks." This extension also fails to protect against malicious extensions, the researcher said.
Browser security extensions are not really trying to protect against malicious extensions and they wouldn't be able to because by design they run with the same privileges as those extensions, Balazs said.
Balazs also tested Internet security suites from five top antivirus vendors that he declined to name. The level of protection they offered against malicious browser extensions varied from none to good. One of the tested products detected and removed the researcher's malicious Firefox extension, but he was able to bypass the detection signature by adding a single space character at a specific location in the extension's code.
A product from a different vendor came with a "safe browser" feature that involved creating a clean Firefox profile with no extensions installed. However, once it had created the profile, it kept using the same one, which meant that a malicious extension installed in the user's regular browser profile could copy itself to the "safe browser" profile, Balazs said.
Balazs said a third vendor, asked in a forum if its product detects or blocks Firefox keylogging extension Xenotix KeylogX, replied there was no need because "browser add-ons are subject to the same sandbox the browser runs through." The vendor recommended that users remove any suspicious extensions themselves, he said.
For Balazs, the answer highlights the poor understanding some vendors have of this type of threat, because Firefox doesn't have a sandbox and malicious browser extensions can be installed silently by malware without users ever knowing.
Some other "safe browser" implementations, such as Avast's SafeZone and Bitdefender's Safepay, did block the installation of malicious extensions. These offerings are designed to give users a way to bank and shop securely online using a custom browser based on Chromium, the open source project behind Google Chrome, within a secure environment similar to a sandbox.
Even though Balazs didn't find a way to install malicious extensions directly into the Avast SafeZone or Bitdefender Safepay browsers, he claims to have found a weakness that could allow an attacker to spy on traffic, even when users access HTTPS websites and their connection is encrypted.