Extensions have been a common staple to the modern browser, with some extensions such as AdBlock Plus receiving over half a million weekly downloads. Browsers place emphasis on their extension model being resistant to attacks from the perspective of malware being uploaded to their web store, as well as external website based attacks. One could then assume that a user’s safety is preserved as long as you download the extension from the browser’s official extension repository.
However, our study shows that this is not the case. We show that Chrome, Firefox and Firefox for Android are highly susceptible to their extensions being used for a malicious purpose. We enumerate the range of capabilities each extension model possesses and discuss the impact this has on a user’s privacy and browsing integrity. We found that Firefox and Firefox for Android users in particular should be more wary of malicious extensions compared to Chrome users, with some attacks affecting even the user’s OS file system.
In conjunction to our findings, we designed a simple botnet to control a vast network of malicious extensions and tested its feasibility by uploading a malicious extension to both Chrome and Firefox’s web stores (both extensions had the botnet remotely disabled so no reviewers could come to harm in using the extension, for ethical reasons). We found that both Firefox and Chrome’s web store checks are not sufficient in finding malicious extensions as both of our extensions were approved.
Our paper has been accepted for publication to the IEEE S&P Magazine, and a pre-print version is currently available at: https://arxiv.org/pdf/1709.09577.pdf