Extensions can be malicious and pose a threat to your organization
Some extensions installed by millions of users have been found to steal or leak Personally Identifiable Information (PII), passwords or other secrets, take screenshots, act as a key logger, cause phishing, spamming and so on.
Don’t take my word for it!
“AUGUST 29, 2022
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.”
“AUGUST 16, 2022
• Throughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of users affected by the same threat throughout the whole of last year.
• From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70 percent of all users affected by malicious and unwanted add-ons.”
“FEBRUARY 2, 2021
Extension Drive-by-Installation
Now, malicious extensions are nothing new – there were a lot of analyses about such extensions and Google regularly removes dozens of them from Chrome Web Store, which is the place to go to in order to download extensions.
In this case, however, the attackers did not use Chrome Web Store but dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation.”
These are just a few news items about malicious extensions and their consequences from 2021 and 2022.
(See more at the bottom of the article.)
What to do about it
My recommendation is clear:
Implement browser extension whitelisting!
With extension whitelisting, every extension is blocked unless it has been explicitly whitelisted.
But won’t that cause administrative overhead?
Yes, absolutely! You would need a process for approving extensions and whitelisting them.
But this overhead should be weighed against the threats your organization faces if users are allowed to install any browser extension.
The quotes in this article clearly show that users by the millions are installing browser extensions that are a real threat to privacy and to organizations’ security.
How to do it
A path to switching to extension whitelisting should probably include:
Inventory
Building the initial whitelist
Creating a formal process for applying for the whitelisting of an extension
Testing on a subset of users
Informing the users
Implementation
For the inventory there are a few options:
If you use Chrome Enterprise, there is an option for discovery of extensions in Chrome.
However, this is only for Chrome, not Edge or Firefox.
And it does not show you if an extension is known to be malicious.
Nirsoft also provides a tool that builds an inventory per computer, and it recognizes Chrome, Edge and Firefox extensions.
However, this doesn’t show you if an extension is known to be malicious either.
Or, if you like, you can use the script I have provided here:
Avantia - Blog - Discover installed and potentially malicious browser extensions
This script will:
Enumerate all user profiles on the computer
Enumerate all extensions of all browser profiles in Edge and Chrome in all Windows user profiles
Gather information from the extensions' manifest.json
Gather extra information if needed and possible from the Google extensions web store
Check each extension against a list of known malicious extensions
(CREDITS: List of malicious extensions: https://github.com/mallorybowes/chrome-mal-ids)
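As an added illustration of the inventory steps just listed, here is a PowerShell script written for this article; it is not the Avantia script linked above. It walks every local Windows user profile, reads the manifest.json of the newest version of each Chrome and Edge extension (resolving localized __MSG_ names from the extension's _locales folder), and flags any extension ID found in a block-list file. The block-list file format (one 32-character ID per line) and the IDs in the constructed sample list are assumptions; the list credited above ships in its own format, so adapt the loader to it. The web-store lookup that the linked script performs is left out so this example runs offline.

```powershell
# Added example: inventory Chrome/Edge extensions across all local Windows user
# profiles and flag IDs that appear in a block list. Not the blog's own script.
# Assumptions: browsers use the standard "User Data" folders, and the block list
# is a text file with one extension ID per line (sample constructed below).
param(
    [string]$BlockListPath = "$env:TEMP\mal-ext-ids.txt",
    [string]$OutCsv        = "$env:TEMP\extension-inventory.csv"
)

# Constructed sample block list: placeholder IDs, not real malicious extensions.
if (-not (Test-Path $BlockListPath)) {
    @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb') |
        Set-Content -Path $BlockListPath
}
$blocked = Get-Content $BlockListPath | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }

# "User Data" folders, relative to each user's profile directory.
$browsers = @{
    Chrome = 'AppData\Local\Google\Chrome\User Data'
    Edge   = 'AppData\Local\Microsoft\Edge\User Data'
}

# Manifest strings may be "__MSG_key__" placeholders; look them up in the
# default locale's messages.json so the inventory shows a readable name.
function Resolve-ManifestString {
    param([string]$Value, [string]$ExtVersionDir, [string]$DefaultLocale)
    if ($Value -notmatch '^__MSG_(.+)__$') { return $Value }
    $key = $Matches[1]
    $msgFile = Join-Path $ExtVersionDir "_locales\$DefaultLocale\messages.json"
    if (-not (Test-Path $msgFile)) { return $Value }
    $messages = Get-Content $msgFile -Raw -Encoding UTF8 | ConvertFrom-Json
    $entry = $messages.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
    if ($entry) { return $entry.Value.message }
    return $Value
}

$inventory = foreach ($user in Get-ChildItem "$env:SystemDrive\Users" -Directory) {
    foreach ($browser in $browsers.Keys) {
        $userData = Join-Path $user.FullName $browsers[$browser]
        if (-not (Test-Path $userData)) { continue }
        # Browser profiles are "Default", "Profile 1", "Profile 2", ...
        $profiles = Get-ChildItem $userData -Directory |
            Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
        foreach ($profile in $profiles) {
            $extRoot = Join-Path $profile.FullName 'Extensions'
            if (-not (Test-Path $extRoot)) { continue }
            foreach ($extDir in Get-ChildItem $extRoot -Directory) {
                # Each extension-ID folder holds one or more version folders; use the newest.
                $verDir = Get-ChildItem $extDir.FullName -Directory |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
                if (-not $verDir) { continue }
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                try { $m = Get-Content $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json } catch { continue }
                $id = $extDir.Name.ToLower()
                [pscustomobject]@{
                    User           = $user.Name
                    Browser        = $browser
                    Profile        = $profile.Name
                    ExtensionId    = $id
                    Name           = Resolve-ManifestString $m.name $verDir.FullName $m.default_locale
                    Version        = $m.version
                    Permissions    = ($m.permissions -join ';')
                    KnownMalicious = ($blocked -contains $id)
                }
            }
        }
    }
}

# Flagged extensions first, then a CSV for the vetting step.
$inventory | Sort-Object KnownMalicious -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Inventory written to $OutCsv; $(@($inventory | Where-Object KnownMalicious).Count) flagged."
```

Run it elevated so every user's AppData folder is readable; the Permissions column is worth reading even for unflagged extensions, since broad permissions such as access to all sites are what make the behaviour quoted in the news items possible.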
Building the initial whitelist
Once you have an inventory of all installed extensions, it’s time to do some vetting.
Certainly, any extension flagged as malicious on the online list should be blocked.
You should also be very careful with ad-blockers, which are known to “piggyback” on renowned ad-blockers’ names, or to start out as legitimate extensions and later turn malicious (see the example in the news links at the bottom of the article).
You might also decide not to allow extensions that have no business relevance.
However, some might add privacy value.
One example is Mozilla’s Firefox add-on “Facebook Container”.
This is an excellent add-on that puts Facebook in a separate silo, so that Facebook cannot eavesdrop on which websites you visit or which searches you make. (I have no gains from recommending this add-on or affiliations with Mozilla 😉 I just really think it’s great)
After removing all those that you are certain should be blocked, look into those you are considering whitelisting.
How to implement extension whitelisting using Group Policy
Chrome:
Set ExtensionInstallBlocklist to *
https://chromeenterprise.google/policies/#ExtensionInstallBlocklist
(Note: If you already have ExtensionInstallBlacklist configured, be aware that this policy is deprecated, and you need to use ExtensionInstallBlocklist instead.)
Define the explicitly whitelisted extensions in ExtensionInstallAllowlist
https://chromeenterprise.google/policies/#ExtensionInstallAllowlist
Use the extension ID for each extension.
Edge
Option A:
Generate a JSON string with your extension settings, including “Block All Extensions”, and add the extension IDs of the allowed extensions.
This can be done using Microsoft’s ExtensionSettings Generator on GitHub.
Add this JSON string to the Group Policy setting Administrative Templates/Microsoft Edge/Extensions/Configure extension management settings
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensionsettings
Or option B:
Set ExtensionInstallBlocklist to *
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallblocklist
Define the explicitly whitelisted extensions in ExtensionInstallAllowlist
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallallowlist
Use the extension ID for each extension.
Firefox:
Generate the extension settings to be used by Group Policy in JSON format.
You can use my simple script for this:
Script to generate Firefox extension whitelisting configuration in JSON format
Add this JSON string to the Group Policy setting Extension Management
https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings
You will find it in:
Administrative Templates/Mozilla/Firefox/Extensions/Extension Management
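The following PowerShell script is an added example that serves both the Edge Option A step and the Firefox step above; it is neither Microsoft's ExtensionSettings Generator nor the script linked above. It builds the ExtensionSettings JSON for Chrome/Edge and for Firefox from an allowlist, with a "*" entry that blocks everything not listed, and validates that each ID has the shape the browser expects before it ends up in a policy. All IDs in it are constructed placeholders, and the blocked_install_message wording is an assumption; replace both with your vetted whitelist and your own text.

```powershell
# Added example: generate ExtensionSettings JSON for Chrome/Edge and for Firefox
# from an allowlist. Everything not listed is blocked by the "*" entry.
# All IDs below are constructed placeholders, not real extensions.

# Chrome/Edge extension IDs are 32 characters from the letters a-p.
$chromiumAllow = @(
    'abcdefghijklmnopabcdefghijklmnop'   # placeholder (constructed)
)
# Firefox add-on IDs are either "local@domain" style or a GUID in braces.
$firefoxAllow = @(
    'example-addon@example.com',                 # placeholder (constructed)
    '{12345678-1234-1234-1234-123456789abc}'     # placeholder (constructed)
)

# Message shown to users who try to install a blocked extension (assumed wording).
$blockedMessage = 'This extension is not approved. Contact IT to request whitelisting.'

function New-ExtensionSettingsJson {
    param(
        [string[]]$AllowedIds,
        [string]$IdPattern,       # regex each ID must satisfy
        [string]$BlockedMessage
    )
    $settings = [ordered]@{
        # "*" applies to every extension that is not listed explicitly.
        '*' = [ordered]@{
            installation_mode       = 'blocked'
            blocked_install_message = $BlockedMessage
        }
    }
    foreach ($id in $AllowedIds) {
        if ($id -notmatch $IdPattern) { throw "Invalid extension ID for this browser: $id" }
        $settings[$id] = [ordered]@{ installation_mode = 'allowed' }
    }
    # -Compress gives the single-line string the Group Policy text field expects.
    return $settings | ConvertTo-Json -Depth 3 -Compress
}

function New-ChromiumExtensionSettings {
    param([string[]]$AllowedIds, [string]$BlockedMessage)
    New-ExtensionSettingsJson -AllowedIds $AllowedIds -IdPattern '^[a-p]{32}$' -BlockedMessage $BlockedMessage
}

function New-FirefoxExtensionSettings {
    param([string[]]$AllowedIds, [string]$BlockedMessage)
    $firefoxIdPattern = '^(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}|[^@\s]*@[^@\s]+)$'
    New-ExtensionSettingsJson -AllowedIds $AllowedIds -IdPattern $firefoxIdPattern -BlockedMessage $BlockedMessage
}

$chromiumJson = New-ChromiumExtensionSettings -AllowedIds $chromiumAllow -BlockedMessage $blockedMessage
$firefoxJson  = New-FirefoxExtensionSettings  -AllowedIds $firefoxAllow  -BlockedMessage $blockedMessage

# Keep copies next to your change records; paste the strings into
# "Configure extension management settings" (Edge) and "Extension Management" (Firefox).
Set-Content -Path "$env:TEMP\chromium-ExtensionSettings.json" -Value $chromiumJson
Set-Content -Path "$env:TEMP\firefox-ExtensionSettings.json"  -Value $firefoxJson
$chromiumJson
$firefoxJson
```

The Chrome/Edge string also fits Chrome's own ExtensionSettings policy, so one generated file can back both Chromium-based browsers. Generating the JSON from a version-controlled allowlist rather than editing the policy field by hand makes every whitelisting approval an auditable change, which is the administrative process the article asks for.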
After implementing this, users will only be able to install extensions that have been explicitly allowed.
Addendum: More news about malicious extensions
“DECEMBER 16, 2020
Malware hidden in at least 28 third party Google Chrome and Microsoft Edge extensions associated with some of the world’s most popular platforms.
The malware has the functionality to redirect user’s traffic to ads or phishing sites and to steal people’s personal data, such as birth dates, email addresses, and active devices. According to the app stores’ download numbers, around three million people may be affected worldwide.
The extensions which aid users in downloading videos from these platforms include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, and other browser extensions on the Google Chrome Browser, and some on Microsoft Edge Browser.”
“OCTOBER 20, 2020
Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users’ social media accounts thanks to malware its new owner introduced a few weeks ago”
“AUGUST 4, 2020:
80M People Scammed by Chrome Fake Ad Blockers”
“MAY/JUNE 2020
• In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
• To date, there have been at least 32,962,951 downloads of these malicious extensions—and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020.”
“JULY 18, 2019
DataSpii (pronounced data-spy) denotes the catastrophic data leak that occurred via eight Chrome and Firefox browser extensions (see Table 1).
This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals.”