Why be concerned about browser extensions?
I don’t care about the tech stuff, skip to the safety recommendations.
Imagine you have an online kitchen store
In this store, you have some JavaScript for all the kitchen-y stuff, like spatulas. For anything risky, like taking credit-card details for customer payments, you use a third party such as Adyen, PayPal or Stripe. They recommend embedding their hosted payment form in an inline frame (iframe). That frame is a separate origin, so the payment provider serves it with its own content security policy (CSP); your store’s page can only say which origins it is willing to frame (frame-src).
The CSP on the payment page is there mostly to ensure that even if some scary script gets into that frame, it can only send data (connect-src, form-action) to the payment provider’s own hostname, so the card numbers a customer types in there cannot be sent anywhere else.
Ok, so what’s bad?
- While a page’s CSP controls where scripts running in that document can send data, browser extensions are, by design, EXEMPT from it: a content script runs inside the same document, but the page’s CSP does not govern it, and the messages it passes to the rest of the extension never go through the page’s network restrictions at all.
- The extension’s content scripts can be loaded into any and all frames in the browser with one seemingly innocuous bit of manifest config:
{ ... "all_frames": true, ... }
- Combine content scripts injected into all frames (above) with a background script (in Manifest V3, a service worker) and the Same-Origin Policy (SOP) stops mattering to the extension. SOP normally protects a cross-origin child frame from script in the parent frame “DOM walking” into it. It still holds between the frames, but the extension never has to cross it: it gets its own copy of content.js in each frame, and each copy can use the extension’s well-defined messaging API (runtime.sendMessage) to hand whatever its frame’s DOM contains to malicious_backend.js. That background worker is then free to exfiltrate the data from the browser to a domain of the attacker’s choosing :( N.B. if content.js instances in two different frames need to communicate or coordinate with each other, they simply proxy through malicious_backend.js.
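As an added example (my code, not anything from the original post or from any real extension), here is a small manifest audit that flags the combination described above: a content script with all_frames: true on every site, plus a background context to relay through. It runs in Node on a plain manifest object; the sample manifest, the extension name and the example.invalid hostname are all constructed for the demo.

```javascript
// Added example, not code from the original post. Audits an extension manifest
// (Manifest V2 or V3) for the pattern described above: a content script that
// runs in every frame of every site, plus a background context that can relay
// whatever those scripts collect. The sample manifest at the bottom is
// constructed for this demo; "example.invalid" is a placeholder hostname.

// Match patterns that cover every site. Conservative on purpose: a pattern such
// as "*://*.com/*" is not listed and would be reported as scoped.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  let allFramesEverywhere = false;

  (manifest.content_scripts || []).forEach((cs, i) => {
    const matches = cs.matches || [];
    const broad = matches.some(isBroadPattern);
    if (cs.all_frames === true) {
      if (broad) allFramesEverywhere = true;
      findings.push({
        severity: broad ? "high" : "medium",
        where: `content_scripts[${i}]`,
        detail: `all_frames: true for ${broad ? "every site" : matches.join(", ")}; ` +
          "the script is also injected into cross-origin iframes such as a hosted payment form",
      });
    }
  });

  // Host access. MV2 lists host patterns under "permissions", MV3 under
  // "host_permissions"; check both. This is a signal, not a gate: a background
  // context without host permissions is merely subject to CORS, and an
  // attacker-controlled server can simply answer with permissive CORS headers.
  const hostPatterns = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => p === "<all_urls>" || p.includes("://"));
  if (hostPatterns.some(isBroadPattern)) {
    findings.push({
      severity: "medium",
      where: "host_permissions",
      detail: "extension may read and request any origin; the page's CSP does not constrain it",
    });
  }

  // A background page (MV2) or service worker (MV3) is the relay point: each
  // frame's content script hands it data over runtime messaging, which the
  // page's CSP never sees.
  const bg = manifest.background || {};
  const hasBackground = Boolean(bg.service_worker || bg.scripts || bg.page);
  if (allFramesEverywhere && hasBackground) {
    findings.push({
      severity: "high",
      where: "background",
      detail: "content scripts in every frame can relay frame contents to the background " +
        "context via runtime.sendMessage, which can then send them to any host",
    });
  }
  return findings;
}

function riskLevel(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  return findings.length > 0 ? "medium" : "low";
}

// Constructed sample: the shape a coupon-finder style extension might take.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Kitchen Coupon Finder",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], all_frames: true },
    { matches: ["https://shop.example.invalid/*"], js: ["coupons.js"] },
  ],
};

const sampleFindings = auditManifest(SAMPLE_MANIFEST);
console.log(`risk: ${riskLevel(sampleFindings)}`);
for (const f of sampleFindings) console.log(`[${f.severity}] ${f.where}: ${f.detail}`);
```

The point of the host-permissions comment is worth repeating: an extension that declares no host access at all can still post to an attacker’s server, because that server controls its own CORS headers. The all_frames plus background combination is the finding that matters; the host list only tells you how loud the extension is being about it.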
What do I do to protect myself?
Browser Users
Don’t use browser extensions. The only one most people actually need is an ad blocker, and you can get that without an extension; either of these would suffice:
- Use Brave Browser with its built-in ad blocker (it’s Chromium under the hood anyway).
- Use a filtering DNS resolver such as NextDNS, or host your own Pi-hole, to drop DNS resolution for advertising domains (this catches ad-serving domains, not ads served from a site’s own hostname).
Website Owners
Be aware that you can’t do anything to protect your customers from this threat: a page has no control over which extensions run in its visitors’ browsers. If they start reporting anomalous card theft and blaming you, at least add this discussion to your support troubleshooting list.
Btw, you can’t enumerate the list of browser extensions a visitor has installed, for privacy reasons; I can attest to this after having exhaustively tried.
Browser Developers
Figure out a solution? I made some suggestions here that weren’t well received:
Time to use those brains and come up with a genius solution to this mess for consumers.
Some recent improvements
No, the problem is still here: a malicious browser extension can still steal any of your data, regardless of what the website does to help protect you. But there have been a few changes that at least make the maliciousness more conspicuous and (theoretically) detectable by the extension stores. That being said, the 2018 announcement banning obfuscated code doesn’t seem to have made any difference; I flagged an extension the other day that was using JScrambler.
In Manifest V3 some safety changes have landed, such as no longer allowing remotely hosted script to execute in an extension!! I didn’t actually know that was allowed in V2… how was that ever thought to be a good idea from a Chrome/Firefox store review perspective?!
Background scripts are now replaced with service workers; however, nothing has changed about where content scripts can be injected, or about their exemption from the page’s CSP.