To help users appreciate the dangers of web extensions, digital security company Talon has analyzed the Chrome Web Store to report that tens of thousands of extensions have access to worrying permissions, such as the ability to change data on all visited sites, download files, access download activity, and more. “Many popular extensions put users at risk,” co-founder and CTO of Talon Cyber Security Ohad Bobrov explained to Lifewire over email. “[Even] benign extensions may have vulnerabilities in their code, or supply chain, and can be susceptible to takeovers by malicious actors.”

Wayward Extensions

Talon argues that extensions offer great value to their users, and bring a host of useful features to the web browsers such as ad-blocking, spell checking, password management, and more. However, to bring these functionalities, the extensions require broad permissions to modify the browser, its behavior, and the visited websites.  “Naturally, this level of control and access from third-party actors can pose significant security and privacy threats to the users,” explained Talon. The company adds that despite Google’s vetting process, many malicious extensions manage to slip through the gaps and end up adversely impacting millions of users. Its analysis revealed that over 60% of all extensions on the Chrome Web Store have permissions to read or change user data and activity.  For instance, Talon says spelling and grammar checkers request permission to inject scripts that run from the context of the web page to analyze the user’s text. They do this usually by inspecting the input fields or logging the user’s keystrokes by other means. The company says this effectively allows the extensions to collect and exfiltrate any information on the web page, including passwords and other sensitive data. Then there’s ad-blocking, which makes up some of the Chrome Web Store’s top extensions. This functionality involves removing elements from the page and requires the same permissions as spell-checkers. Similarly, the permissions granted to screen-sharing, and video-conference extensions to do their intended task, can also be misused to capture the user’s screen and audio. “Two vulnerabilities were found in uBlock Origin in the last few months, which allowed attackers to exploit the extension’s permission to read and change data on all sites and to steal sensitive user information,” Bobrov told us.  “Ad blockers like uBlock Origin are extremely popular and typically have access to every page a user visits. Behind the scenes, they’re powered by community-provided filter lists - CSS selectors that dictate which elements to block. These lists are not entirely trusted, so they’re constrained to prevent malicious rules from stealing user data,” wrote security researcher Gareth Heyes as he demonstrated using vulnerabilities in the extension to steal passwords.  Bobrov also shared that in 2019 the popular The Great Suspender extension, which had over two million users, was purchased by a malicious actor, who went on to exploit its permissions to inject scripts to run unreviewed, remotely-hosted code in web pages. “It’s unknown what data was exfiltrated,” he said, “but it could’ve potentially stolen anything from any page, including passwords.”

No Real Solution

Bobrov says that Chrome and virtually all other leading web browsers are working to contain the security risk posed by extensions, not just by improving their vetting process but also by limiting some of the extensions’ capabilities. One such recent step Bobrov points out is Google’s Manifest V3. He says that for the average user, the most noticeable difference Manifest V3 would bring to extensions is a complete ban on remotely hosted code and a shift in the way extensions modify web requests. However, he adds that on the downside, Manifest V3 has been criticized for severely hampering ad-blockers.   “The most significant trends are closing security gaps, increasing end-user visibility and control (e.g., which sites allow extensions to run), and banning unreviewable code from extensions,” Bobrov said. “Some of these changes are encompassed in Google’s Manifest V3. However, none of these changes dramatically alter the permissions available to extensions. "