This is another interesting month for Google’s 3 billion Chrome users, with a U.S. government mandate to update all browsers by June 26 and another update warning this week as further vulnerabilities are discovered. But there’s a very different Chrome threat to your PC, and it’s much more difficult to find and fix.
Already this month we have been warned by LayerX that “a network of malicious sleeper agent extensions” are “waiting for their ‘marching order’ to execute malicious code on unsuspecting users’ computers.” A huge number of Chrome users have at least one extension installed, which is one of the browser’s biggest security risks.
Now Symantec warns that some of the most popular extensions it has analyzed, “expose information such as browsing domains, machine IDs, OS details, usage analytics, and more.” The research team says “many users assume that popular Chrome extensions adhere to strong security practices,” but that’s just not the case.
Symantec found that even some big-brand extensions “unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information.” Most Windows PC owners use Chrome and extensions, meaning this threat is huge.
More alarmingly, “because the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping.”
Bugcrowd’s Trey Ford told me “this is a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet. Ultimately this can manifest as a form of malware, and unavoidably create new attack surface for miscreants to attack and compromise a very secure browsing experience.”
There’s no easy answer to this one. Symantec says that while “none of [the extensions] appear to leak direct passwords,” the data can still fuel attacks. “The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks.”
Symantec notified the developers behind the tested extensions (details in its report.) “The overarching lesson,” the team says, “is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share.”
According to Keeper Security’s Patrick Tiquet, “this highlights a critical gap in extension security,” if and when “developers cut corners.” He warns that “transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks.”
The risk is especially acute for enterprises. “Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behavior across endpoints. Just because a browser extension is very popular and has a large user base doesn’t mean it’s secure. Businesses must scrutinize all browser extensions to protect sensitive data and identities.”
