These components can be far more dangerous than what we've seen so far

Oct 23, 2012 10:38 GMT  ·  By

The Hacker Halted security conference, scheduled to start this week in Miami, Florida, will host a number of interesting talks. One of them is given by Hungarian security researcher Zoltan Balazs, who wants to demonstrate that we haven't yet seen the worst of what malicious browser extensions can do.

Malicious browser extensions have often been used for clickjacking and other fraud that earns cybercrooks a considerable profit.

However, Balazs warns that the capabilities of browser extensions go far beyond what has been seen in the wild so far.

“The possibility of a malicious browser extension is almost infinite, but we have not seen very powerful malicious extensions yet. The protective measures against malicious extensions are in their stone-age, and the number of these malicious extensions rises exponentially,” the expert wrote in the abstract of his presentation.

During his talk, the researcher will unveil proof-of-concept Chrome and Firefox extensions that are driven from a command-and-control server, have rootkit-style capabilities, and can steal sensitive information, execute arbitrary JavaScript in the browser, and manipulate files.

Malicious browser extensions have an advantage over classic malware because they evade security systems more easily, Balazs told The Register.

That is because the extension's traffic to its command-and-control server rides on the browser's own connections. A host firewall or egress filter that trusts the browser process sees only the browser talking to the Internet, which is exactly what it is allowed to do, so the channel is never blocked.
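The following is an added example, not code from the article or from Balazs's proof-of-concept, that makes the point concrete from the defender's side. It runs a constructed egress log (process, destination host, timestamp, request size) through two checks: the classic per-process allowlist that the article says lets the extension through, and a beacon heuristic that groups requests by process and host and flags machine-regular polling intervals. Process names, hosts and timings are all invented sample data.

```javascript
// Added example (not from the article or Balazs's PoC): a per-process egress
// allowlist versus a beacon-interval heuristic, run over a constructed log.

// Constructed egress log, as a host firewall might record it: one entry per
// outbound HTTP(S) request. Times are seconds from an arbitrary start.
const egressLog = [
  // ordinary browsing: bursty, human-timed, spread over several hosts
  { process: "chrome.exe", host: "news.example.org", t: 0,  bytes: 812 },
  { process: "chrome.exe", host: "cdn.example.org",  t: 1,  bytes: 640 },
  { process: "chrome.exe", host: "news.example.org", t: 2,  bytes: 911 },
  { process: "chrome.exe", host: "news.example.org", t: 7,  bytes: 455 },
  { process: "chrome.exe", host: "cdn.example.org",  t: 8,  bytes: 620 },
  { process: "chrome.exe", host: "news.example.org", t: 31, bytes: 1330 },
  // extension C&C channel: same trusted process, fixed 60 s poll, fixed size
  { process: "chrome.exe", host: "c2.example.net", t: 0,   bytes: 300 },
  { process: "chrome.exe", host: "c2.example.net", t: 60,  bytes: 300 },
  { process: "chrome.exe", host: "c2.example.net", t: 120, bytes: 300 },
  { process: "chrome.exe", host: "c2.example.net", t: 180, bytes: 300 },
  { process: "chrome.exe", host: "c2.example.net", t: 240, bytes: 300 },
  // a classic dropper: unknown binary, the only thing the allowlist catches
  { process: "svchost32.exe", host: "c2.example.net", t: 5, bytes: 300 },
];

// Check 1: per-process allowlist. The browser is trusted, so every request it
// makes is passed, the extension's beacon included. Returns the blocked records.
const allowedProcesses = new Set(["chrome.exe", "firefox.exe"]);
function processAllowlist(records) {
  return records.filter((r) => !allowedProcesses.has(r.process));
}

// Check 2: beacon heuristic. For each (process, host) pair with enough
// samples, compute the gaps between consecutive requests. A coefficient of
// variation (stddev / mean) near zero means a timer, not a person.
function findBeacons(records, { minSamples = 4, maxCv = 0.1 } = {}) {
  const groups = new Map();
  for (const r of records) {
    const key = `${r.process}|${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.t);
  }
  const hits = [];
  for (const [key, times] of groups) {
    if (times.length < minSamples) continue;
    const sorted = [...times].sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < sorted.length; i++) gaps.push(sorted[i] - sorted[i - 1]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    if (mean === 0) continue; // all requests in the same second: not polling
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= maxCv) {
      hits.push({ key, intervalSeconds: mean, samples: sorted.length, cv });
    }
  }
  return hits;
}

// Stand-alone run: the allowlist blocks only the unknown binary; the beacon
// check is what surfaces chrome.exe talking to c2.example.net every 60 s.
console.log("blocked by allowlist:", processAllowlist(egressLog).map((r) => r.process));
console.log("beacon candidates:", findBeacons(egressLog));
```

The heuristic is a triage signal, not a verdict: legitimate software also polls on fixed timers (update checks, telemetry), so a hit should be correlated with destination reputation and with which extension or tab opened the connection rather than blocked outright. The point of the exercise is that once the browser process itself is the trusted principal, anything that distinguishes an extension's requests from the user's must come from timing, destination, or in-browser attribution, not from the process name.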

Furthermore, a malicious extension runs wherever its browser runs, so it is not tied to a single operating system. The expert tested his proof-of-concept on OS X Snow Leopard, Windows 7, Ubuntu 12.04 and Android 2.3.7.

Balazs believes that the risk posed by such extensions can be mitigated if browser vendors ensure that only extensions from trusted sources can be installed.

More specifically, he suggests that vendors adopt the App Store model: extensions are distributed only through a vendor-curated store, and installation of components from outside that ecosystem is prohibited. Such curation raises the bar on distribution; it does not by itself reduce what an installed extension is permitted to do.

Updated to clarify the mitigation solution.