Until recently, most of us thought that The Great Suspender extension is the Holy Grail of our online lives. It came as a godsend for people who have dozens of tabs open and go insane managing those. However, the extension was not the boon that we all thought it to be.
Google removed the extension from the Chrome Web Store and published a notification stating that the extension contains malware. It was discovered that a secret feature was added by a new maintainer, which could be abused to remotely execute arbitrary code. However, this is not the only instance of a browser extension being used as an attack vector.
More recent incidents
A malicious extension—disguised as “Forcepoint Endpoint Chrome Extension for Windows”—was dropped by attackers locally in a folder and loaded directly from Chrome on a compromised system.
Avast researchers spotted a massive network of malicious Edge and Chrome browser extensions. These are hijacking clicks in search result links to show arbitrary URLs for phishing websites and malicious ads, among others.
Last month, two Chrome extension developers were found collecting user data, along with other browser-related info. The four malicious extensions contained hidden codes and, allegedly, operated as spyware.
What does this imply?
There are various ways to exploit infected browsers.
Threat actors can scrape user information.
Control the victim’s browser from a different location without worrying about local defenses.
Moreover, these extensions can be used to set up an exfiltration channel to the hacker’s browser.
The bottom line
Malicious browser extensions are increasingly being used to infect millions of users across the world. The most jarring fact is that these extensions are right in front of us and we are unaware of their capabilities. Although Google removes such extensions on a daily basis, threat actors are coming up with unique ways to smuggle code into workstations.