This article originally appeared on January 27, 2020.
After discovering a wide pattern of potentially malicious behavior in browser extensions, the two search giants are cracking down.
Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.
Browser extensions are add-ons that users can install to enhance their web surfing experience – they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.
While extensions are useful, they can also introduce danger. In addition to intentionally malicious browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who look to exploit vulnerabilities in their code.
Google Bans Paid Extensions
In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component – those that are paid for, those that offer in-browser transactions and those that offer subscription services. It’s a temporary measure, according to the internet giant – but one that doesn’t yet have a timeline for resolution.
“Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,” it said in a notice, issued Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.”
The notice added, “We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience.”
Rejections will carry a “Spam and Placement in the Store” tag, the Google team told developers. Rejections can be appealed and will be reviewed, it noted.
The impact could be minimal. According to data from Extension Monitor published mid-2019, there are about 188,000 extensions in the Chrome Web Store, out of which only about 9 percent (16,718) fall into the paid category. Paid add-ons also account for less than 2.6 percent of the more than 1 billion total extension installs logged in the research. The top five paid extensions make up about half (48.5 percent) of that number, with IE Tab dominating at 4.1 million installs (31.5 percent). About 35 percent of paid extensions (5,885) don’t have any users at all.
Mozilla Cleans House
Mozilla, meanwhile, has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity, as first reported by ZDNet. This includes remote code execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-on (AMO) portal, but have been disabled in the browsers of existing installs.
The disabled apps include a whopping 129 extensions from 2Ring, which offers extensions and add-ons that provide business-to-business functionality for unified communications and contact centers. It’s a Cisco Preferred Partner, and it says on its website that it has “a roadmap aligned with Cisco’s collaboration portfolio and with solutions that their system engineers can deploy repeatedly and support with ease.”
Threatpost reached out to 2Ring for comment. Meanwhile, “I’ve reviewed the add-ons and confirmed they are executing remote code,” according to the bug tracker on the issue.
That’s not to say the extensions were intentionally malicious. Mozilla’s policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its content security policy.
The blocked extensions uncovered by ZDNet also include six add-ons deemed to be executing remote code, which were developed by Tamo Junto Caixa. Tamo Junto is a banking entity that offers Brazilian microentrepreneurs online courses, video classes, articles and management tools.
Other browser extensions, like Rolimons Plus (an extension linked to the Roblox online multiplayer video game), were blocked for “collecting ancillary user data against our policies,” while others (unnamed in the bug ticket) were banned for “showing malicious behavior on third-party websites.” Still others, including three unnamed add-ons, were determined to be “fake premium products.”
As with Google Chrome, Mozilla developers are able to appeal the bans.
At least one researcher said that the actions are likely the fruit of heightened concerns and regulations around privacy, including the California Consumer Privacy Act (CCPA).
“In the post-CCPA/GDPR world, tech companies are paying greater attention to the risks that software poses to users,” said Mike Bittner, associate director of Digital Security and Operations for The Media Trust, via email. “Much of the risks stem from having no control over what impact code will have on the security and privacy of user personal data. Until tech companies know who’s running what code in the various components that make up extensions and other forms of software, the risk of fraud and theft will remain high, as will the risk of running afoul of these new privacy laws.”