loader gif

Malicious websites could exploit Extension APIs to grab browser data

Malicious websites could exploit Extension APIs to grab browser data
  • APIs for 197 browser extensions are under the scanner for security issues, said a researcher.
  • Along with making browser data vulnerable, attackers can even get into user accounts such as their social media profiles or work accounts.

A security researcher from France has brought in a new revelation. In his research study, Doliere Francis Somé of INRIA, France uncovered vulnerabilities in extension APIs for browsers.

It appears that noxious websites have been tweaking these extension APIs to steal browser data such as cookies and bookmarks.

In addition, Somé also demonstrated that APIs were also used to download malicious files and store them in the users’ external storage so that it can be used to track their activity on their devices as well.

The French researcher’s paper has detailed how web applications take unfair advantage through APIs. “Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users,” indicates the study.

The threat model in the paper highlights six security and privacy threats such as code execution, same origin policy (SOP) bypass, reading cookies, initiating downloads, reading other browser data, and data storing.

Tools to detect suspicious activity in APIs

Somé has developed a tool to check if APIs can be exploited by malicious websites. In his study, this static analysis tool analyzed around 78,000 extensions for Chrome, Firefox, and Opera browsers. Among them, 197 extensions were flagged as serious threats and said to be the most vulnerable to attackers.

Thankfully, Somé has informed the browser developers of the threats. Firefox was quick to resolve this by removing the extensions. Chrome and Opera are reportedly yet to fix all the extensions.

The online tool can be found here. All the user needs to do is enter the manifest file of the extension and the tool displays vulnerable APIs.

loader gif