Extension APIs Can Steal Browser Data Through Malicious Websites

All of the big web browsers such as Chrome, Firefox and Opera, use extension APIs. They are developed to give the user greater browsing experience plus functionality not found on native browsers. However, a recent academic paper has highlighted possible flaws in these APIs.

Malicious Websites

One way that malicious websites can use extension APIs is by executing code within the browser. This code then enables the originator to steal sensitive information. Bookmarks, browsing history and even cookies can be accessed and leave the user vulnerable.

Online attackers can also use these extensions to hijack a users login sessions. This will enable them to gain access to sensitive data including emails, and social media profiles.

New Research

Access to users data via extension API’s was thought to be theoretical. However, an academic paper published by Dolière Francis Som­é found some anomalies. The paper was written by Som­é while conducting research at the Université Cote d’Azure and with the help of INRIA, a French research institute.

Som­é has created a tool that has tested over 78,000 extensions. He concentrated on the most popular including Chrome, Firefox and Opera.

Worrying Findings

Following his testing, Som­é identified 197 extensions that exposed API communication interfaces. This would allow malicious websites access to data stored on the user’s web browser. Som­é said the findings were surprising because only 15 of the extensions were developer tools. These extensions often have full control over the browser and would be easy to exploit.

Of the 197 extensions found, fewer than 55 percent had over 1,000 installs. However, 15 percent had installs totalling over 10,000.

Notifying Browser Vendors

Som­é has notified the browser vendors prior to going public with his findings. All of the vendors acknowledged the issues and stated they are taking action on those identified.

Both Opera and Firefox have removed all of the reported extensions. Chrome, on the other hand, is still in discussions about potential action including removal or fixing of the APIs.

Som­é has also created a tool that lets users test their extensions. Anyone can use the web-based tool by copying and pasting the extensions manifest.json file into it.

The tool can be found HERE

 

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients