
Bad-ons: Hazardous helpers

Download videos and music with one click, boost your surfing speeds, or block annoying ads. Firefox and Chrome are so popular because you can add smart new functions to these browsers in just a few clicks thanks to little extensions. But what many don’t know is that these add-ons are really risky.

If you install a browser extension, you’ll probably be jumping for joy about the cool new features and nice little extras you’ve added to your browser. But what these little helpers get up to in the background is anyone’s guess. Even so, we are only too happy to install them unsuspectingly and without a care in the world. Users trust the seemingly safe “official” download sites such as Firefox Add-ons or the Chrome Web Store. On top of this, users skip running any sort of scan with an up-to-date virus scanner because they feel perfectly safe. The result: with each add-on they welcome a guest into their home who can cunningly hide its true intentions. Let’s take Adblock Plus as an example. This popular ad blocker can read and change all the private information, such as the passwords you enter, on every site you visit. This is because Adblock Plus, just like many other add-ons, enjoys the same rights as the browser itself, making these capabilities the perfect gateway for password Trojans.

Mini apps with maxi rights

Add-ons are tricky little devils. As they’re “only” extensions to installed programs, they can be added with a single click – you don’t even need admin rights to install them. What’s more, the Windows Firewall doesn’t block them nor does a virus scanner analyze them because they’re an extension of a main program. Google seems to be fully aware of these facts, as ultimately the Chrome developer itself highlights that your privacy is at risk if add-ons are enabled. The browser only cuts the flow of juicy data to all the installed add-ons when in incognito mode, which is the mode you switch to when you want to surf anonymously. This suggests that when in normal browsing mode you run the risk of being spied on or may have already fallen victim to traps that exploit vulnerabilities in add-ons.

Just waiting for the day

Thankfully, so far such attacks have been few and far between. However, it is more than likely that cybercriminals will make increasing use of this opportunity sooner or later by dissecting a popular add-on which has extensive rights. Of particular interest is code written in the JavaScript programming language. In it, they look for a place that allows them to inject data. Once discovered, the code is manipulated. The hackers inject malicious code, which can be controlled remotely, via a fake domain that pretty much looks like the actual developer’s one. The bad-on is now good to go. They initially leave the script contained in the add-on in sleep mode so it lies dormant in the background and doesn’t get spotted. All that remains for the rogues is to spread the adulterated extension among the public, for example as a download from the internet. The cybercriminals then just need to wait a bit until as many users as possible have installed the extension before picking up where they left off – and “arming” the add-on. A few minutes is all it takes to start siphoning off countless logins. Once they’ve filled their sack with plunder, they disable the logging function again and cover their tracks.


Sights set on online banking

One thing’s for sure: The catch is worth it. Even high security standards like SSL or TLS would be ineffective, throwing the door open to hackers to get their hands on the logins for every single internet account. Online banking attacks are also a possibility. The add-on could route a TAN (transaction authentication number) to the criminals’ server instead of the bank. Armed with the login details and the TAN, nothing would stand in the way of a juicy wire transfer ending up in the gangsters’ account. Even the best security programs would face huge problems with this approach. This is because when a user logs in to an online service, if the Trojan is activated the login data is written in parallel to a central file – and this file can then be read straight away. Virus scanners are powerless in this regard as they don’t detect any sign of manipulation.

Protect yourself against bad-ons

Even if nothing is 100% secure, you can protect yourself in the following ways:

  • Install a browser like Opera, which has all the important security add-ons already in place and is a safe choice.
  • Only install add-ons from safe download sites such as Firefox Add-ons or the Chrome Web Store.
  • Don’t go installing loads of extensions; limit them to only the key ones. If you don’t, you’ll not only throttle performance but also increase the risk of potential attacks.
  • If an installed add-on starts asking for new permissions, this should set off the alarm bells.
  • Have a good antivirus installed – just in case!

Otherwise it’s down to the browser developer to restrict add-ons’ access to only certain servers. This would prevent code crackers from being able to inject malicious code via third-party servers in the first place.
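
The two warning signs described above, an add-on that can read and change data on every site and an update that asks for new permissions, can both be read from an extension’s manifest.json. The following check is an added example, not code from the original article or from any browser vendor; the sample manifests and function names are constructed for illustration, and only the standard permissions, host_permissions and content_scripts manifest keys are read.

```javascript
// Match patterns that grant access to every site (WebExtension match-pattern syntax).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect everything a manifest asks for: API permissions and host patterns.
// Covers Manifest V2 (hosts mixed into "permissions") and V3 ("host_permissions").
function collectGrants(manifest) {
  const isHost = (p) => p === "<all_urls>" || p.includes("://");
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return {
    api: new Set(declared.filter((p) => !isHost(p))),
    hosts: new Set([...declared.filter(isHost), ...scriptHosts]),
  };
}

// True when the extension can read and change pages on every site.
function hasAllSitesAccess(manifest) {
  return [...collectGrants(manifest).hosts].some((h) => BROAD_PATTERNS.has(h));
}

// Grants present in the updated manifest but not in the installed one.
function newGrants(installed, updated) {
  const before = collectGrants(installed);
  const after = collectGrants(updated);
  return {
    api: [...after.api].filter((p) => !before.api.has(p)).sort(),
    hosts: [...after.hosts].filter((h) => !before.hosts.has(h)).sort(),
  };
}

// Constructed sample manifests (not taken from any real extension).
const installedV1 = {
  manifest_version: 3, version: "1.0",
  name: "Example Video Helper",
  permissions: ["storage", "downloads"],
  host_permissions: ["https://videos.example.com/*"],
};
const updatedV2 = {
  ...installedV1,
  version: "2.0",
  permissions: ["storage", "downloads", "webRequest"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

function report() {
  return { before: hasAllSitesAccess(installedV1), after: hasAllSitesAccess(updatedV2), added: newGrants(installedV1, updatedV2) };
}
console.log(JSON.stringify(report()));
```

In this constructed update the extension goes from a single site to every site and gains one new API permission, which is the kind of change the list above says should set off alarm bells.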
