PSA: Check your browser extensions

#1

There have been some very serious attacks recently related to browser extensions, especially those on Google Chrome. Malicious actors pay very high sums to buy ownership of extensions, and they are then able to update the extensions however they want for all users, instantly in some cases (auto-update is both a blessing and a big danger). One of the major targets has been extensions used by the tech crowds, likely due to the desire to steal cryptocurrencies.

There have been updates which Google allowed to go through which basically allowed malicious extensions to read anything on any site you were logged into (visiting the site recently wouldn’t make a difference; bad extensions can ping sites themselves, what matters is having an active session), know where you are browsing from, know the content of the pages you visit, get cookies, get passwords if they are stored improperly in cookies, and do actions based on local session hijacking. If sites are not coded well (destroying sessions often such as banks do, requiring password confirmation to view certain information / do certain actions) then they can allow very bad actions to happen. Of course, if you have a malicious extension installed, just visiting a well coded site and interacting with it can give criminals enough to do anything else they want to do.

It is strongly recommended to go through your extensions and disable anything there that you don’t use anymore; only keep extensions that you really need and you know are very very high trust. And in the future, think twice about installing any browser extensions which are black boxed with auto updates enabled.

Because of the way the attacks work, it’s hard to get a warning that something is wrong unless you have a setup such as with Pi-hole running. If you recently got a notice that your browser disabled an extension because it was malware, then you probably got hit, and you need to diligently change passwords on important sites / log out of less important sites so the sessions are cleared. These kinds of criminals run many kinds of business, such as selling likes on social media for big profit, so if you have something like Instagram logged in and you check your recent likes and see activity you know you didn’t do, that’s a sign an extension you have installed is malicious.

Situations like these are an unfortunate lesson that walled gardens don’t keep you safe no matter how strict they are if the people managing them are incompetent. But they will also still be used as an excuse to enforce even stronger walled gardens on everyone.

14 Likes
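
An added example, not part of the original post: a small audit script for the "go through your extensions" step, which reads each installed extension's `manifest.json` and flags all-site access and cookie or traffic-related permissions. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the lists of broad patterns and sensitive permissions are a selection made for this example, and the sample manifest is constructed.

```python
import json
import sys
from pathlib import Path

# Match patterns that cover every site (assumed list; extend as needed).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions tied to the risks in the post; this selection is an assumption.
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history", "scripting", "debugger"}

# Constructed sample manifest, used when no directory is passed.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Constructed Sample", "version": "1.2.3",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}],
}

def audit_manifest(manifest):
    """Summarise what one extension manifest is allowed to touch."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3
    # Manifest V2 lists host patterns inside "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
        "version": manifest.get("version", "?"),
        "all_sites": sorted(hosts & BROAD_HOSTS),
        "sensitive": sorted(set(perms) & SENSITIVE_APIS),
    }

def audit_profile(extensions_dir):
    """Audit every <extensions_dir>/<id>/<version>/manifest.json."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        findings.append({"id": path.parts[-3], **audit_manifest(manifest)})
    return findings

if __name__ == "__main__":
    results = audit_profile(sys.argv[1]) if len(sys.argv) > 1 else [audit_manifest(SAMPLE_MANIFEST)]
    for r in results:
        flag = "REVIEW" if r["all_sites"] or r["sensitive"] else "ok"
        print(flag, r.get("id", "-"), r["name"], r["version"], r["all_sites"], r["sensitive"])
```

Pass the profile's `Extensions` directory as the only argument; a `REVIEW` line is a prompt to decide whether the extension is still needed, not proof that it is malicious.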