Extension security and add-on stores

Posted

My colleague Felix Dahlke wrote up a rather simplistic blog post on malicious extensions. I wanted to write a more extensive blog post on the topic, without any simplifications. In fact, what you can do to avoid installing malicious extensions depends largely on your browser so I will go into the details for all browsers below.

Should I be careful when installing extensions?

Yes, absolutely. Installing an extension is always a matter of trust, you have to be sure that the extension does exactly what it claims to do — otherwise you might eventually discover that the extension you installed has some non-obvious “features” (or worse: you might not even notice). However, the amount of harm such a malicious extension can do depends on your browser:

  • Internet Explorer: extensions are typically installed with administrator privileges, this can give a malicious extension full access to your computer. It might even disable anti-virus software that you have installed. Essentially, it is exactly the same as with any application you install.
  • Firefox: extensions can do pretty much everything that Firefox can do, essentially they get the privileges of the user account that Firefox is running under. Normally this won’t be the administrator account so taking over the system completely won’t be possible. Still, a malicious extension could read out all your data, including files on disk, browsing history and passwords stored in Firefox.
  • Chrome, Opera and Safari: these browsers run extensions in a sandbox which somewhat reduces the potential for abuse (and along with it the potential for great extensions). Still, a malicious extension could spy on your browsing behavior or intercept passwords as they are being entered. It could inject unwanted content into webpages, typically this would be ads that the extension author gets paid for. Note that looking at the permissions an extension requests isn’t very helpful: lots of extensions request access to all websites, simply because they need to do something useful with them.

What about add-on stores, can the extensions there be trusted?

The answer here is: it depends. Let’s look at this for each browser:

  • Internet Explorer: Microsoft provides an Internet Explorer Gallery. However, what you get there is essentially a link, Microsoft doesn’t verify the content you get there. Even if the gallery would host the content itself, establishing a review process would be pretty impossible given the Internet Explorer extensions are always compiled. Note that some websites like Softpedia will claim to have verified that the extension contains no malware. Well, they are lying to you — they couldn’t have done more than running a virus scanner to detect known malware. As far as Internet Explorer extensions go you are on your own, you need to trust the author of the extension.
  • Firefox: Mozilla runs addons.mozilla.org (AMO) where you can get extensions. In order to ensure the necessary content quality, both initial submissions and updates are reviewed by volunteers. The guidelines for such reviews are in the open and in general there have been fairly few issues with reviewed extensions in the past. However, you still need to be careful: not all extensions are fully reviewed! Some extensions only passed a preliminary review, others haven’t been reviewed at all yet. You can recognize such extensions by a yellow install button instead of the usual green one. There is also a warning when installing that you really shouldn’t ignore.
  • Chrome: For Chrome, the Chrome Web Store is the only place where you can install extensions. However, there is no review process whatsoever here. I assume that there is some automated scanning in place which flags some extensions for manual review, but it failed to find issues repeatedly in the past. For example, only recently some legitimate extensions were bought in order to make them add ads to web pages. Less obvious functionality (e.g. spying on your browsing behavior) might go unnoticed for a while. So with Chrome extensions you still need to trust the author of the extension.
  • Opera: Similarly to Chrome, the Opera add-ons website is the only place where you can install Opera add-ons. Yet the content there is somewhat more trustworthy because it is actually being reviewed by a human before being published. Still, it is unclear how this review is being performed and whether it has a chance of catching malicious extensions. So far there were no incidents involving Opera add-ons, the browser’s market share is simply too small for that.
  • Safari: So far, Apple’s Safari Extensions website is only a sad excuse. As things are now, it doesn’t even have search functionality, so all you can do is going through the entire (granted: not very long) list of add-ons. There is some review being performed when a new add-on is being submitted, apparently this process takes months currently. The purpose of this review is unclear however, it is definitely not security given that updates will not be reviewed (the website doesn’t actually host any content, the extensions are being downloaded from the websites of their authors).

To sum up, currently the only vendor to establish useful extension reviews is Mozilla. It might be that Opera’s reviews also weed out malicious extensions but this is impossible to tell given that no information is available on their review process. As to Chrome, Safari and Internet Explorer, the content of the extension stores cannot really be trusted and you have to trust the authors of the extensions to do the right thing. This is particularly problematic with Internet Explorer given the amount of damage a malicious extension can do and that it is very hard to verify what the extension is really doing.

Categories: ,

Comments

  1. Dave Garrett

    Thanks for this. It’s really nice to get a full run-down of all of the browsers’ policies here.

    How about extension installer signing? I know Mozilla does support it, but I’m curious as to what the other vendors do and how well they all handle it.

    Reply from Wladimir Palant:

    I don’t really consider signing of any relevance in this context, any malware can be signed (and increasingly does use signatures).

  2. DrFiz

    So.. Internet Explorer isn’t secure. Never heard about it XD
    However very good article, something good to know about, thank you!

    Reply from Wladimir Palant:

    Internet Explorer security is one thing, it became at least competitive in the latest versions. Its add-on system (including the add-on store) is a totally different story however, it is as crappy as ever – and that includes security (or rather lack thereof).

  3. eupator

    Chrome: (…) For example, only recently some legitimate extensions were bought in order to make them add ads to web pages.

    Exactly the same scenario was used on addons.mozilla.org. Several extensions were bought and modified to silently inject ads into web pages. Not only did the updates pass the code review and were distributed to the existing users, but, unlike Google, Mozilla didn’t remove these extensions despite being notified of the problem: Mozilla needs a new audit process in regards to add-on ownership changes

    Reply from Wladimir Palant:

    Mistakes can always happen, a review process isn’t guaranteed to catch all the issues - yet it is a lot better than no review process at all. I didn’t say that there were no incidents with Mozilla Add-ons, merely that there were only few and with limited scope (at least as far as reviewed add-ons are concerned). Mozilla definitely does act upon reports however, I’ve seen this numerous times.

    As to the actual issues, for IE Lite the relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=850360. As you can see, Mozilla acted immediately after being notified and the developer promised to make the necessary changes for this change to comply with the policy (which doesn’t forbid ad injection as long as user consent is given).

    Concerning BlockSite, https://bugzilla.mozilla.org/show_bug.cgi?id=903799 is the right place, other extensions mentioned probably have been produced by wips.com as well. In fact, this is an issue I brought up myself in July 2012. There were a bunch of policy violations back then but these should have been resolved when I reported it. I didn’t verify but from the discussion in the bug it seems that the tracking is opt-in so there is no policy violation here. As long as users are informed about what is happening and are free to choose there doesn’t seem to be an issue – sounds like ghacks.net jumped the shark. Not that I am a big fan of wips.com, also their Chrome add-ons are probably still collecting data without asking or notifying users – in July 2012 they did (Google doesn’t have any comparable policy in place).

  4. Jorge Villalobos

    @eupator: We (Mozilla) allow add-ons to include ads as long as they follow the rules. Our policies require unexpected changes to be opt-in, and the ghacks articles haven’t been very good when it comes to the facts surrounding the case. There’s at least one instance where they claimed an add-on was reporting all visited sites when it clearly doesn’t.

    At any rate, we encourage users to report any unwanted add-on behavior to us. We do read all reports and take action when necessary.

  5. Noitidart

    Thanks to Wlad and Jorge for correcting @eupator: bringing up that very few happened with Mozilla and they were acted upon right away. I feel very safe on addons.mozilla.org (AMO).

  6. rallymaster

    Hello Wladimir

    10 Days with FireFox and I have afraid by all the modules FireFox…

    I do not understand why Mozilla delete 2 write review and doo not answer at my report abuse, so the users do not know this problem if Mozilla delete the bad comments and I do not understand how Video DownloadHelper which is the second most downloaded can have a Trojan inside with complicity of Mig without that Mozilla move and ask at Mig to deleted his Trojan or deleted from his official Website the browser Video DownloadHelper if he want not, if you have an explanation I would like know what’s is happen ?????

    I have registered and posted 2 times in the commentaries with 1 star on 5 stars this message and delete 2 times by mozilla 4 and 5 days ago, and after I have send this rapport 3 days ago and nothing, I don’t understand mozilla, can you explain me if you please, it was 5 days ago ????

    Why this Trojan while JS HTML/Crypted.gen is included inside of your add on on the WebPage official of FireFox https://addons.mozilla.org/fr/firefox/addon/video-downloadhelper/ ? I have deleted this add on

    Je n’apprécie pas du tout que cette version 4.9.22 par Mig contenant un Virus, un Cheval de Troie introduit grâce à JS comme d’habitude (adperf_core_1.0.0_scrambled1js) découvert dans le Temporary Internet Files et découvert par Avira immédiatement après l’installation de l’extension et qui se nomme HTML/Crypted.gen découvert le 18/07/2007 au potentiel de destruction très faible mais du coup je n’ai pas finis l’installation et j’ai viré Video DownloadHelper.
    Désinfection très facile. Malwarebytes aussi n’a rien trouvé ensuite.

    Je ne conseille à personne d’installer ce logiciel vérolé d’origine !!!!:(

    Au passage ça fait 2 fois que vous supprimer mon message et ma note de 1 pourquoi ??????

    And translated into English by Google Version: I do not appreciate that this 9.4.22 release by Mig containing a virus, a Trojan horse introduced by JS as usual (adperf_core_1.0.0_scrambled [1] js) discovered in the Temporary Internet Files and discovered by Avira immediately after installing the extension, which is called HTML / HTML.Malware discovered on 18/07/2007 at very low potential for destruction but suddenly I did not finish the installation and I turned Video DownloadHelper.
    Disinfection very easy. Malwarebytes also found nothing then.

    I would advise anyone to install this software syphilitic origin:! (

    Incidentally it has been 2 times that you delete my message and my grade 1 why???

    I am French, Sorry for my very bad English.

    Reply from Wladimir Palant:

    Please see Mozilla’s review guidelines, Mozilla removes everything that isn’t a real review: https://addons.mozilla.org/pages/review_guide. In particular, weird claims about a Trojan in a top add-on fall into this category – this is most definitely a false positive of your anti-virus software. An additional indicator is that HTML/Crypted.gen isn’t the name of a Trojan but rather the name of a heuristic Avira is using to recognize Trojan-like code.

  7. rallymaster

    Hello Wladimir,

    Mozilla has answered me that total virus was searched with the link and not the other or avira antivirus found this trojan

    Thank you Wladimir it reassures me, because it was my second addon I installed and now I was afraid of the addon on the official website of mozilla.

    However I’m wondering because I’ve never had false positives with this antivirus Avira would it not possible that June 4 is a Trojan was installed outdoors in VDH by an attacker for 1 small hour time we withdraw because the Avira graph trojan that I put your picture on see that 4 there’s been a huge spike this type of virus in the world ?

    http://112.imagebam.com/download/XYUuoONO1r28CgojVzD1Ag/33236/332358239/HTML%20Crypted.gen.jpg

    I have the linked page and I have fulfilled all the charter and described my experience correctly.

    I received a response from mozilla about it in general saying among other things this: Reviews are deleted if found to be They are inaccurate

    This is surely the reason yet it is a real answer I do not understand well. : (

    In any case thank you for your help Wladimir, it reassures me for FireFox addons. :)
    Best Regards.

    Reply from Wladimir Palant:

    Mozilla reviews every update, it isn’t possible to upload a virus “for one hour”.

Commenting has expired for this article.

← Older Newer →