Welcome to the wonderful world of browser extensions! These tools promise efficiency, entertainment, and customization at your fingertips. But could those promises come with any hidden danger? In this blog series, we provide an overview of SURGe research that analyzed the entire corpus of public browser extensions available on the Google Chrome Web Store.
Our goal? To unravel whether these extensions facilitate a better browsing experience or represent potential threats lurking in plain sight.
This blog will set the groundwork for the series. Part 2 will cover how we did our analysis, and Part 3 will wrap things up with our findings and general recommendations. A final installment (Part 4) will provide a data-science-backed threat hunting method using the SURGe team’s PEAK framework!
In our exploration, the Chrome Web Store revealed a staggering variety of extensions – approximately 140,000 during our research through the mid-part of 2023. These extensions cater to an array of needs, from the mundane to the highly specialized, to the downright weird, becoming almost indispensable to the modern internet user. Analyzing the security risk of browser extensions is a complex task, and our focus goes beyond just tallying numbers or reviewing features. We closely examined these extensions, focusing on how they interact with user data, the permissions and authentication scopes they request, and the domains and URLs they interact with, among other aspects. An extension package can carry a variety of possible threats, from malicious JavaScript to bundled binaries and many other file types, which complicates analysis. Are these extensions acting in your best interest, or are they possibly recording your keystrokes, camera, and microphone without your knowledge?
While our research methodology was independent of past incidents, acknowledging historical cases of malicious Chrome extensions provides valuable context for the potential risks. Some notable examples include:
These cases serve as a backdrop to our exploration, illustrating the risks present in the Chrome browser extension ecosystem and why a thorough examination of current extensions is crucial. Although they did not directly guide our research, they underscore the importance of identifying potential vulnerabilities in the extensions users run today.
Our aim is not to instill fear, but to foster awareness. By understanding the risks associated with these extensions, users and developers can become more vigilant. This section of our series aims to complement our research findings by demonstrating the real-world consequences of overlooked extension vulnerabilities, reinforcing the need for continuous scrutiny in an ever-growing browser extension marketplace.
Our research had a precise yet substantial aim: to review the security risks for every extension publicly available in the Chrome Web Store. We scrutinized their permissions, authentication scopes, and other static attributes and sought to understand whether these extensions comply with standard safety and privacy norms and the implications for users and developers.
This study intends to offer Chrome users insights into the extensions they might use regularly, highlighting potential risks and best practices. For developers, our findings provide a perspective on how to balance functionality with user security and privacy. On a broader scale, this research contributes to the vital discussion on digital privacy and security. In a world where people spend a significant amount of time using a web browser, understanding the intricacies and implications of browser extensions is key. Google is doing great work to make incremental improvements to browser and extension security. You can read Google's informative primer on extension risk here.
Our initial goal was to develop an open-source software pipeline for evaluating the risks of Chrome extensions. We aimed to create a tool to assess potential threats that the community could adapt and improve. Existing solutions like CRXcavator and Spin.ai inspired us, but we wanted our pipeline to be openly accessible and modifiable. Out-of-the-box offerings aren’t always applicable to everyone.
The pipeline we developed analyzes various aspects of extensions, such as their permissions, OAuth2 scopes, and content security policies. We also integrated tools like DomainTools and Splunk Attack Analyzer for URL and domain analysis, and retire.js to build software bills of materials (SBOMs) and flag bundled JavaScript libraries with known vulnerabilities.
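To make the static attributes mentioned above and in the introduction concrete (permissions, host access, OAuth2 scopes and the content security policy), here is an added example of a manifest triage step. It is illustrative code written for this post, not the SURGe pipeline's own code; the weights, thresholds and both sample manifests are constructed assumptions, chosen only to show how a first-pass score can point a human reviewer at the right extensions.

```python
"""Static triage of a Chrome extension manifest.json: API permissions, host
match patterns, OAuth2 scopes and the content security policy (CSP).
Illustrative example, not the SURGe pipeline; weights are assumptions."""
import json
import re

# Permissions that expose browsing data or the host. Weights are an
# assumption for illustration, not a published scoring scheme.
SENSITIVE_PERMISSIONS = {
    "debugger": 10, "nativeMessaging": 8, "proxy": 8, "management": 6,
    "webRequest": 6, "webRequestBlocking": 6, "declarativeNetRequest": 4,
    "cookies": 6, "history": 5, "tabs": 3, "clipboardRead": 5,
    "scripting": 4, "webNavigation": 3, "downloads": 3,
    "desktopCapture": 6, "tabCapture": 6, "identity": 3,
}

# Match patterns that cover effectively every site the user visits.
BROAD_HOST_RE = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*|file:///\*)$")

# OAuth2 scopes granting whole-mailbox or whole-drive access (real Google scope URLs).
BROAD_OAUTH_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
}


def is_host_pattern(entry):
    """MV2 mixes host match patterns into the 'permissions' list."""
    return "://" in entry or entry == "<all_urls>"


def extension_pages_csp(manifest):
    """Return the CSP that applies to extension pages for MV2 or MV3."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):                      # MV3: object keyed by context
        return csp.get("extension_pages", "")
    return csp or ""                               # MV2: plain string, may be absent


def host_patterns(manifest):
    """Every host match pattern the extension can act on, in manifest order."""
    patterns = []
    if manifest.get("manifest_version", 2) >= 3:
        patterns += manifest.get("host_permissions", [])
    else:
        patterns += [p for p in manifest.get("permissions", []) if is_host_pattern(p)]
    for content_script in manifest.get("content_scripts", []):
        patterns += content_script.get("matches", [])
    return list(dict.fromkeys(patterns))           # de-duplicate, keep order


def triage_manifest(manifest_text):
    """Parse manifest.json text and return (score, findings) for human review."""
    manifest = json.loads(manifest_text)
    findings, score = [], 0

    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    for perm in declared:
        if not is_host_pattern(perm) and perm in SENSITIVE_PERMISSIONS:
            score += SENSITIVE_PERMISSIONS[perm]
            findings.append(f"sensitive permission: {perm}")

    for pattern in host_patterns(manifest):
        if BROAD_HOST_RE.match(pattern):
            score += 8
            findings.append(f"broad host access: {pattern}")

    for scope in manifest.get("oauth2", {}).get("scopes", []):
        if scope in BROAD_OAUTH_SCOPES:
            score += 8
            findings.append(f"broad OAuth2 scope: {scope}")

    csp = extension_pages_csp(manifest)
    if "'unsafe-eval'" in csp:
        score += 6
        findings.append("CSP allows 'unsafe-eval'")
    for src in re.findall(r"https?://[^\s;']+", csp):   # remote script/object sources
        score += 6
        findings.append(f"CSP permits remote source: {src}")

    return score, findings


# Constructed sample manifests (not real extensions). MV2 is used for the risky
# one because MV2 still allows 'unsafe-eval' and remote https sources in its CSP.
RISKY_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example Tab Helper", "version": "1.0",
    "permissions": ["tabs", "cookies", "webRequest", "webRequestBlocking",
                    "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}],
    "oauth2": {"client_id": "example.apps.googleusercontent.com",
               "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                          "https://mail.google.com/"]},
    "content_security_policy":
        "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Notes", "version": "1.0",
    "permissions": ["storage", "activeTab"],
    "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"},
})

if __name__ == "__main__":
    for label, text in (("risky", RISKY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage_manifest(text)
        print(f"{label}: score={score}")
        for finding in findings:
            print("  -", finding)
```

The score is only a sorting key: an extension that legitimately needs `webRequest` on `<all_urls>` (an ad blocker, say) will score high, which is exactly why the numeric pass has to be followed by a human look at what the code actually does with that access.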
However, as our work progressed, it became evident that risk scoring was just a part of the equation. It’s a useful starting point, but understanding the true nature and impact of an extension requires more than just numerical scores. Sometimes, the best analysis is still done by good old human beings.
While reading this blog, you may have clicked on the extension button in your browser to see what extensions you’ve installed over the years. Don’t get too scared just yet. The vast majority of extensions are there to provide a better browsing experience. A very small subset is indeed malicious.
The next blog in this series will cover our pipeline and analysis. The third blog includes our findings and recommendations. In the fourth and final blog, we provide an even more in-depth analysis using frameworks like PEAK threat-hunting, so stay tuned!
As always, security at Splunk is a family business. Credit to authors and collaborators: Shannon Davis, James Hodgkinson