The Hacker Halted security conference that’s scheduled to start this week in Miami, Florida, will host a number of interesting talks. One of them will be given by Hungarian security researcher Zoltan Balazs, who wants to demonstrate that we haven’t seen the worst yet as far as malicious browser extensions go.
We’ve often seen malicious browser extensions being utilized for all sorts of tasks, including clickjacking and other attacks that can aid cybercrooks in making a considerable profit.
However, Balazs warns that the capabilities of browser extensions are far beyond what we’ve witnessed so far.
“The possibility of a malicious browser extension is almost infinite, but we have not seen very powerful malicious extensions yet. The protective measures against malicious extensions are in their stone-age, and the number of these malicious extensions rises exponentially,” the expert wrote in the abstract of his presentation.
Malicious browser extensions have an advantage over classic pieces of malware because they can evade security systems more easily, Balazs told
That’s because the threat’s communication channel with the command and control server is not blocked. Firewalls and other security applications might miss malicious extensions because they only detect the browser as communicating with the Internet, which is a legitimate operation.
Furthermore, malicious browser extensions are not limited to a single platform. The expert tested his proof-of-concept on OSX Snow Leopard, Windows 7, Ubuntu 12.04 and Android 2.3.7.
Balazs believes that the risks posed by such extensions can be mitigated if browser vendors ensure that only components that come from trusted sources can be installed.
More specifically, he suggests that vendors should adopt the App Store model and prohibit the installation of components that originate from outside this ecosystem.
Updated to clarify the mitigation solution.