Browser Extensions

Malicious websites may exploit browser extension APIs to execute code in the browser and steal sensitive information such as bookmarks, browsing history and even cookies from users.

An attacker can use the latter to hijack a user's active login sessions and access sensitive accounts, such as email inboxes, social network profiles or work-related accounts.

In addition, the same extension APIs can also be used to trigger the download of malicious files and store them on the user's device, as well as to store and retrieve data in an extension's permanent storage, data that can then be used to track users across the web.

This type of attack is not theoretical, but has been proven in a scientific article published this month by Dolière Francis Somé, a researcher at the Côte d'Azur University and at INRIA, a French research institute.

Somé has created a tool and tested more than 78,000 extensions for Chrome, Firefox and Opera. Through his efforts, he was able to identify 197 extensions exposing the communication interfaces of internal extension APIs to web applications, thus giving malicious websites direct access to data stored in a user's browser, data that, under normal circumstances, only the extension's own code could have reached (when the appropriate permissions have been obtained).

[Figure: Browser extension attack results. Image: Somé]

The French researcher is surprised by the results: 15 of the 197 extensions (7.61%) are development tools, a category of extensions that generally controls everything that happens in a browser and that he expected to be easier to exploit.

About 55% of all vulnerable extensions had fewer than 1,000 installs, but more than 15% had more than 10,000.

[Figure: Results, extensions organized by category. Image: Somé]

Somé said that he informed the browser vendors about his discoveries before making his work public in early January.

"All suppliers have acknowledged the problems," said Somé. "Firefox has removed all reported extensions, Opera has also removed all but 2 extensions that could be exploited to trigger downloads."

"Chrome has also recognized the problem in reported extensions, and we are still discussing with them potential actions to take: remove or repair extensions," he said.

The researcher has also created a tool for users to check if their extensions also contain vulnerable APIs that can be exploited by malicious websites. The tool is web-based and hosted on this page. To use it, users should copy-paste the contents of an extension's manifest.json file.
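As an added illustration (not Somé's tool and not code from the paper), the following Node.js script triages a manifest.json for the two ingredients described above: entry points that web pages can reach, and permissions covering the data the article names. The function names, the verdict labels and the sample manifest are assumptions made for this example.

```javascript
// Added example: manifest.json triage for web-reachable extension surfaces.
// Heuristic only; a manifest cannot prove that a message handler is exploitable.

// Permissions that map to the data named in the article (cookies, history,
// bookmarks, downloads, extension storage).
const SENSITIVE = ["cookies", "history", "bookmarks", "downloads", "storage"];

// True for match patterns that cover every site or every host of a scheme.
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// triageManifest is a hypothetical helper name chosen for this example.
function triageManifest(manifest) {
  const entryPoints = [];
  // Pages matching these patterns may message the extension directly.
  const ext = (manifest.externally_connectable || {}).matches || [];
  for (const p of ext) {
    entryPoints.push({ via: "externally_connectable", pattern: p, broad: isBroad(p) });
  }
  // Content scripts share the DOM with the page, so page script can reach
  // them with postMessage or DOM events if the script listens for them.
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      entryPoints.push({ via: "content_script", pattern: p, broad: isBroad(p) });
    }
  }
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const sensitive = SENSITIVE.filter((s) => perms.includes(s));
  let verdict = "low";
  if (entryPoints.length && sensitive.length) {
    verdict = entryPoints.some((e) => e.broad) ? "review-first" : "review";
  }
  return { entryPoints, sensitive, verdict };
}

// Constructed sample manifest (not a real extension).
const sample = {
  name: "Example Helper",
  manifest_version: 2,
  permissions: ["cookies", "tabs", "downloads", "<all_urls>"],
  background: { scripts: ["bg.js"] },
  content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }],
  externally_connectable: { matches: ["https://*.example.com/*"] },
};

console.log(JSON.stringify(triageManifest(sample), null, 2));
```

A verdict other than "low" only says where to look: whether a site can actually reach the privileged APIs depends on what the extension's message handlers do with incoming messages.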

A page listing various demo videos is available here. More details about Somé's work are available in a research article titled "EmPoWeb: Empowering Web Applications with Browser Extensions," available for download in PDF here or here.

It would be very impractical to list all the vulnerable extensions in this article. Readers can find the list of vulnerable extensions in tables at the end of the related research paper above.
