All of the big web browsers such as Chrome, Firefox and Opera, use extension APIs. They are developed to give the user greater browsing experience plus functionality not found on native browsers. However, a recent academic paper has highlighted possible flaws in these APIs.
One way that malicious websites can use extension APIs is by executing code within the browser. This code then enables the originator to steal sensitive information. Bookmarks, browsing history and even cookies can be accessed and leave the user vulnerable.
Online attackers can also use these extensions to hijack a users login sessions. This will enable them to gain access to sensitive data including emails, and social media profiles.
Access to users data via extension API’s was thought to be theoretical. However, an academic paper published by Dolière Francis Somé found some anomalies. The paper was written by Somé while conducting research at the Université Cote d’Azure and with the help of INRIA, a French research institute.
Somé has created a tool that has tested over 78,000 extensions. He concentrated on the most popular including Chrome, Firefox and Opera.
Following his testing, Somé identified 197 extensions that exposed API communication interfaces. This would allow malicious websites access to data stored on the user’s web browser. Somé said the findings were surprising because only 15 of the extensions were developer tools. These extensions often have full control over the browser and would be easy to exploit.
Of the 197 extensions found, fewer than 55 percent had over 1,000 installs. However, 15 percent had installs totalling over 10,000.
Notifying Browser Vendors
Somé has notified the browser vendors prior to going public with his findings. All of the vendors acknowledged the issues and stated they are taking action on those identified.
Both Opera and Firefox have removed all of the reported extensions. Chrome, on the other hand, is still in discussions about potential action including removal or fixing of the APIs.
Somé has also created a tool that lets users test their extensions. Anyone can use the web-based tool by copying and pasting the extensions manifest.json file into it.
The tool can be found HERE