You might think that browser extensions are all about helping you, the end-user. You’d be wrong.
Although certain extensions such as bookmarking tools, ad blockers, and translation add-ons undoubtedly provide a host of benefits to the user, many seemingly innocent extensions have a much darker side, with the recent scandal around Hola VPN being a case in point.
Whether these are extensions that exploit vulnerabilities in other apps and websites, or simply supply a stream of information to the would-be hackers on their own, there is no question that you need to be increasingly vigilant about what you add to your browser.
How Widespread is the Problem?
Research late last year analysed more than 48,000 extensions in the Chrome store. The researchers found that more than 4,700 were “suspicious”, and 130 were “malicious”. Although it went unnamed, the researchers claimed that one of those 130 had more than 5.5 million users.
At the time, Tyler Reguly, a security researcher and member of Tripwire’s Vulnerability and Exposure Research Team said, “Google Chrome plugins are, in many ways, like Android applications. They require excessive permissions without giving the end user any real understanding of what they are doing. In both cases, Google Chrome and Android, the issue lies with Google”.
Here is just a small sample of the browser extensions that can help hackers target their victims:
Marauders Map [sic] falls into the first of the two categories mentioned above, in that it exploits the legitimate Facebook Messenger app to plot your friends’ locations on a map.
Of course, we all already knew that Facebook shares our location with friends, but you probably didn’t know how accurate the data is or how easy it is to extract and use. The extension was developed by a student in the US, so we’re not talking about highly complex code and algorithms – it’s something that anyone with a good level of coding ability, an inquisitive mind, and plenty of free time could have stumbled upon.
Reports suggest data can be extracted from as far back as 2013, though it will only work for friends who have location sharing enabled on their Facebook messages (the option is enabled by default on both Android and iOS).
If you’re the type of person who heavily moderates their Facebook friend list this is probably not something to be unduly concerned about, but if you habitually accept invites and have thousands of friends, some of whom you barely know, then you should consider your next steps carefully.
Using this extension, it’s entirely possible that a hacker will be able to know (or ascertain based on past behavior) when you’re not at home, see what shops you frequent, and know who you spend most time with. This is clearly information that you should be keeping as private as possible for your own safety and security.
Hover Zoom falls into the second category mentioned at the start: it directly monitors your online behavior.
The principle behind the extension is both simple and appealing – it lets you browse image galleries on several popular websites (such as Reddit, Amazon, Pinterest, eBay, Facebook, etc) by hovering your mouse over the image and without clicking on the thumbnail itself.
Since its launch it has gone on to amass more than 1.1 million users.
What many of those users might not be aware of is that the extension is actively monitoring the online habits of the vast majority of them.
But how did this happen, and how are they allowed to get away with it?
Hover Zoom started life as an honest and independent extension that did exactly what it said it would and no more. However, as its popularity increased, so did its attractiveness to adware and malware companies.
It was bought out by one such company, and now has a long history of “bad behaviour” going back quite some time – the developers have been caught collecting online form data and selling your keystrokes in recent years.
They can get away with it because they disclose it on their description page. It says, “Hover Zoom requires that extension users grant Hover Zoom permission to collect browsing activity to be used internally and shared with third parties all for use on an anonymous and aggregated basis for research purposes“. In practice that means they track every single webpage you visit and get paid for that data, while simultaneously placing adverts all over the sites you visit most regularly.
To sum up, more than one million people are being spied on by this extension alone.
BBC News Reader and Autocopy
The problem of extensions being sold and turned into trackers is not limited to Google Chrome.
The (unofficial) BBC News Reader on Firefox has also been discovered to be a guilty party, along with Autocopy – a tool which automatically copies selected text to the clipboard.
This provides users with an important lesson about third party extensions, apps, and websites. While the official apps of some services come in for (often legitimate) criticism for their approach to privacy and security, in reality they are at the mercy of their user base – a big enough outcry will force them to address concerns and amend their policies. Third party apps and extensions are normally not constrained by such consumer pressures – they can keep tracking you and selling your data, often without you even realising.
Use them at your peril.
No list of malicious extensions would be complete without Hola. Described by researchers as an “ideal platform for executing targeted cyberattacks“, the once much-loved free VPN service is now at the top of the list of “extensions to avoid”.
With 46 million users around the world, it is by far the most widely installed extension on this list.
The problem came to light after a forum owner alleged that users of Hola had been unknowingly powering a botnet used to conduct multiple attacks on his website. The developers then admitted that bandwidth from users of the free version of the extension was being sold to cover operational costs.
In practice, this meant that each user’s machine became an exit node for the network, and any of those nodes could be abused by attackers to route traffic through it.
Hola’s founder defended his company as innovators, saying “We innovated quickly, but it looks like Steve Jobs was right. We made some mistakes, and now we’re going to fix them, fast” – but that will be of little consolation to compromised users.
How Do You Know if Your Extensions Are Malicious?
The most effective way of determining whether an extension is malicious is by using “Shield For Chrome” (formerly ExtShield) which, ironically, is another extension!
Once installed, it will automatically scan all the extensions in your browser and let you know if any of them are on its blacklist. You can then delete any offenders.
It also has some additional useful features; for example, it will show you the permissions that each extension currently has, monitor future installations and website behavior for any malicious activity, and soon it will have the ability to notify you if the ownership of the extension changes or if the extensions starts to behave oddly.
You could also check out Extension Defender. It does a similar job to that of Shield For Chrome, but based on user comments it appears to flag fewer false positives.
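If you would rather not install yet another extension to audit your extensions, the same two checks (what permissions each one holds, and whether its ID is on a known-bad list) can be done offline from the files Chrome already keeps on disk. The script below is an added example written for this article, not code from Shield For Chrome, Extension Defender, or Google: it walks a Chrome profile’s Extensions folder, parses every manifest.json, and ranks extensions by how much of your browsing they can see. The risk weights, the blacklist, and the three sample manifests it builds in a temporary directory are all constructed for the example; the permission names and the profile paths are real.

```python
"""Audit installed Chrome extension manifests for browsing-wide permissions.

Chrome stores each installed extension as
<profile>/Extensions/<32-letter id>/<version>/manifest.json, where <profile> is
  Linux:   ~/.config/google-chrome/Default
  macOS:   ~/Library/Application Support/Google/Chrome/Default
  Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default
"""
import json
import os
import tempfile
from typing import Dict, FrozenSet, List

# Permissions that let an extension read or alter what you browse. The weights
# are an assumption made for this example, not a published scoring scheme.
RISKY_PERMISSIONS: Dict[str, int] = {
    "<all_urls>": 3, "*://*/*": 3, "http://*/*": 2, "https://*/*": 2,
    "webRequest": 2, "webRequestBlocking": 2, "tabs": 1, "history": 2,
    "cookies": 2, "clipboardRead": 2, "nativeMessaging": 2, "proxy": 3,
    "debugger": 3, "management": 1,
}

# Constructed, hypothetical extension IDs used only for the sample profile.
ID_ZOOM = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
ID_BOOK = "cccccccccccccccccccccccccccccccc"
ID_PROXY = "dddddddddddddddddddddddddddddddd"
SAMPLE_BLACKLIST: FrozenSet[str] = frozenset({ID_PROXY})  # hypothetical list


def extension_permissions(manifest: dict) -> List[str]:
    """Gather everything permission-like from a Manifest V2 or V3 file."""
    perms: List[str] = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.extend(manifest.get(key, []))
    # Content-script match patterns grant page access too, so count them.
    for script in manifest.get("content_scripts", []):
        perms.extend(script.get("matches", []))
    return perms


def audit_manifest(ext_id: str, manifest: dict, blacklist: FrozenSet[str]) -> dict:
    perms = set(extension_permissions(manifest))
    flagged = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),  # may be a __MSG_…__ locale key
        "version": manifest.get("version", "?"),
        "score": sum(RISKY_PERMISSIONS[p] for p in flagged),
        "flagged": flagged,
        "blacklisted": ext_id in blacklist,
    }


def audit_profile(extensions_dir: str, blacklist: FrozenSet[str] = frozenset()) -> List[dict]:
    """Audit every <id>/<version>/manifest.json under extensions_dir.

    Blacklisted extensions sort first, then the rest by descending risk score.
    """
    results: List[dict] = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                results.append(audit_manifest(ext_id, json.load(fh), blacklist))
    return sorted(results, key=lambda r: (not r["blacklisted"], -r["score"]))


def build_sample_profile() -> str:
    """Write three constructed manifests into a temp Extensions tree."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {
        ID_ZOOM: {"manifest_version": 2, "name": "Example Image Zoomer", "version": "1.0",
                  "permissions": ["tabs", "<all_urls>", "webRequest", "storage"],
                  "content_scripts": [{"matches": ["*://*/*"], "js": ["zoom.js"]}]},
        ID_BOOK: {"manifest_version": 2, "name": "Example Bookmark Helper", "version": "2.3",
                  "permissions": ["bookmarks", "storage"]},
        ID_PROXY: {"manifest_version": 3, "name": "Example Proxy Tool", "version": "0.9",
                   "permissions": ["proxy", "storage"], "host_permissions": ["https://*/*"]},
    }
    for ext_id, manifest in samples.items():
        path = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for row in audit_profile(target, SAMPLE_BLACKLIST):
        flag = "BLACKLISTED " if row["blacklisted"] else ""
        print(f"{flag}{row['score']:2d}  {row['name']} ({row['id']}) {row['flagged']}")
```

Run it with no arguments to see the constructed sample ranked, or pass the real Extensions directory for your profile. Anything scoring high because of `<all_urls>`, a catch-all content-script match, or `webRequest` can read every page you open, which is exactly the capability Hover Zoom’s description page admits to using; a blacklist only catches extensions someone has already reported.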
Have You Been Caught Out?
Have you been burned by a malicious extension? What type of browser user are you – do you have hundreds of extensions you rarely use or do you keep your machine lean and mean?
Perhaps you know about a malicious extension that we missed?
Whatever your situation, we’d love to hear from you. Let us know your thoughts, feedback, and opinions in the comments below.