Question: With increased prevalence of malicious extensions...

Please provide comments and solutions that are helpful to the author of this topic.
Technical Analysis

The threat identified involves extensions that abuse broad permissions to intercept user data. Key observations, based on standard browser security models and the query context:

Permission Over-Privilege: Most malicious extensions request <all_urls> or tabs access. This allows them to read and modify any site content, including password fields and session cookies.

Dynamic Code Injection: Malicious actors often use legitimate-looking extensions that later fetch obfuscated scripts.

Data Exfiltration Probes: Indicators of compromise often manifest as unexplained network requests to non-standard domains or high resource usage by specific browser processes.

Specific Indicators of Compromise (IOCs) for Users:

Extension Manifest Changes: Unexpected updates to permissions (e.g., a "Calculator" extension suddenly needing access to "Read and change all your data on the websites you visit").

Subprocess Activity: In Chrome/Edge Task Manager (Shift + Esc), a single extension showing consistent high CPU or constant Network traffic even when idle.

Unauthorized Redirection: Search queries being redirected through unknown intermediate domains (e.g., hXXp[:]//search-redirector[.]xyz).

Recommendation / Remediation

Enforce Extension Sandboxing:

Navigate to chrome://extensions (or equivalent).

For essential extensions, change "Site access" from "On all sites" to "On click". This prevents the extension from running unless you manually activate it for a specific session.

Audit via Browser Task Manager:

Periodically check the built-in Task Manager (Shift + Esc). Look for extensions with high memory or network activity.

Pro Tip: Right-click the header and enable the "Process ID" and "Network" columns to see real-time data exfiltration attempts.

Utilize "Canary" Methods:

Use a dedicated, clean browser profile (no extensions) for sensitive activities like banking or administration.

Monitor the AppData/Local/[BrowserName]/User Data/Default/Extensions folder for newly created directories that don't match your installed list.

Network-Level Monitoring:

Use a DNS filter (like NextDNS or Pi-hole) to identify extensions communicating with known malicious C2 (Command and Control) domains.

References

CIS Benchmark for Google Chrome: Section 1.1 (Limit Extension Installation)

MITRE ATT&CK T1176: Browser Extensions (Persistence and Data Collection)

NIST SP 800-177: Trustworthy Email and Web Access
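The permission-audit and "canary" steps above (flagging extensions that claim <all_urls> or sensitive APIs, and watching the profile's Extensions folder for directories that are not on your installed list) can be scripted. The following is an added example, not code from the thread or from any browser vendor: it walks a Chromium-style `<profile>/Extensions/<id>/<version>_<n>/manifest.json` tree, reads both Manifest V2 and V3 permission layouts, and diffs the directory names against a baseline of extension IDs you recorded earlier. The two manifests and their 32-character IDs are constructed for the demo and are not real Web Store extensions; point `audit_profile` at the real folder (e.g. `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) to use it.

```python
"""Audit a Chromium profile's Extensions directory for over-privileged or
unexpected extensions. Added example; paths and IDs below are constructed."""
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension read or alter traffic, cookies, or pages.
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
                  "scripting", "debugger", "proxy", "nativeMessaging",
                  "clipboardRead", "declarativeNetRequest", "management"}
ID_ALPHABET = set("abcdefghijklmnop")  # Chrome extension IDs use only a-p


def is_extension_id(name):
    """Skip helper folders such as 'Temp' that Chrome keeps next to extension IDs."""
    return len(name) == 32 and set(name) <= ID_ALPHABET


def split_permissions(manifest):
    """Return (host_patterns, api_permissions) across MV2 and MV3 manifest layouts."""
    hosts, apis = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue  # object-form entries (e.g. usbDevices) are not patterns
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
            else:
                apis.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))  # injected on every matching page
    return hosts, apis


def audit_extension(ext_dir):
    """One finding per installed version directory of a single extension."""
    findings = []
    for version_dir in sorted(p for p in Path(ext_dir).iterdir() if p.is_dir()):
        mf = version_dir / "manifest.json"
        if not mf.is_file():
            continue
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        hosts, apis = split_permissions(manifest)
        findings.append({
            "id": Path(ext_dir).name,
            "version": manifest.get("version", version_dir.name),
            "name": manifest.get("name", "?"),  # "__MSG_x__" = localized in _locales/
            "broad_hosts": sorted(hosts & BROAD_HOSTS),
            "sensitive_apis": sorted(apis & SENSITIVE_APIS),
        })
    return findings


def audit_profile(extensions_root, baseline_ids):
    """Return (flagged_versions, ids_not_in_baseline) for a profile's Extensions dir."""
    root = Path(extensions_root)
    flagged, unexpected = [], []
    for ext_dir in sorted(p for p in root.iterdir()
                          if p.is_dir() and is_extension_id(p.name)):
        if ext_dir.name not in baseline_ids:
            unexpected.append(ext_dir.name)  # the "canary": a dir you did not install
        for finding in audit_extension(ext_dir):
            if finding["broad_hosts"] or finding["sensitive_apis"]:
                flagged.append(finding)
    return flagged, unexpected


# Constructed sample profile: a "Calculator" that wants everything, and a
# benign notes extension. Both IDs are placeholders, not real extensions.
CALC_ID = "abcdefghijklmnopabcdefghijklmnop"
NOTES_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def build_sample_profile():
    """Write the two constructed manifests into a temp dir shaped like Chrome's."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        CALC_ID: {"manifest_version": 3, "name": "Calculator", "version": "2.1.0",
                  "permissions": ["cookies", "scripting", "storage"],
                  "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
        NOTES_ID: {"manifest_version": 3, "name": "Notes", "version": "1.0.4",
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    flagged, unexpected = audit_profile(build_sample_profile(), {NOTES_ID})
    for f in flagged:
        print(f"FLAG {f['id']} {f['name']} {f['version']} "
              f"hosts={f['broad_hosts']} apis={f['sensitive_apis']}")
    for ext_id in unexpected:
        print(f"NEW  {ext_id} not in baseline")
```

Run it once on a clean profile to record the baseline IDs, then re-run periodically: a new ID, or a known ID whose latest version directory suddenly flags broad hosts or `cookies`/`scripting`, is the manifest-change indicator described above. Note that a manifest only shows what an extension may do, not what it does; the network-level checks in this post remain necessary.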
 
The primary attack vectors are via social engineering (where a user clicks on something that installs the extension) or through malware running outside the web browser.
Some policies for Chrome-based web browsers (ExtensionInstallAllowlist, ExtensionInstallBlocklist) can solve this problem, so only extensions included on the allowlist are allowed.
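One caveat on those policies: ExtensionInstallAllowlist by itself restricts nothing, because Chrome only consults it to exempt IDs from ExtensionInstallBlocklist. "Only allowlisted extensions may install" requires a blocklist entry of "*" plus the allowlist. The following added example (not from the thread or from Google) encodes Chrome's documented precedence (forcelist over allowlist over blocklist) so you can lint a policy before deploying it; the policy dicts mirror the JSON Chrome reads from /etc/opt/chrome/policies/managed/ on Linux (on Windows the same names live under HKLM\Software\Policies\Google\Chrome, with list values as numbered entries under a subkey). Both extension IDs are placeholders.

```python
"""Lint Chromium ExtensionInstall* policies. Added example; policy dicts and
extension IDs are constructed placeholders, not real Web Store IDs."""

ALLOWED_ID = "aaaabbbbccccddddeeeeffffgggghhhh"  # placeholder: a vetted extension
OTHER_ID = "ppppoooonnnnmmmmllllkkkkjjjjiiii"    # placeholder: anything else

# Weak: an allowlist with no "*" blocklist entry changes nothing, since every
# ID absent from the blocklist is still installable.
WEAK_POLICY = {
    "ExtensionInstallAllowlist": [ALLOWED_ID],
}

# Corrected: block every ID with "*", then exempt the vetted ones.
CORRECTED_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [ALLOWED_ID],
}


def forced_ids(policy):
    """ExtensionInstallForcelist entries are 'id' or 'id;update_url'."""
    return {entry.split(";", 1)[0]
            for entry in policy.get("ExtensionInstallForcelist", [])}


def extension_install_allowed(policy, ext_id):
    """Chrome's documented precedence: forcelist > allowlist > blocklist, where a
    '*' blocklist entry covers every ID that is not otherwise exempted."""
    if ext_id in forced_ids(policy):
        return True
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    block = set(policy.get("ExtensionInstallBlocklist", []))
    return ext_id not in block and "*" not in block


def enforces_allowlist(policy):
    """True only when unlisted extensions are actually blocked."""
    return "*" in policy.get("ExtensionInstallBlocklist", [])


def lint_policy(policy):
    """Human-readable problems that make a policy weaker than it looks."""
    problems = []
    if policy.get("ExtensionInstallAllowlist") and not enforces_allowlist(policy):
        problems.append("ExtensionInstallAllowlist is set but ExtensionInstallBlocklist "
                        "lacks '*': every unlisted extension is still installable")
    blocked = set(policy.get("ExtensionInstallBlocklist", []))
    for fid in sorted(forced_ids(policy) & blocked):
        problems.append(f"{fid} is both force-installed and blocklisted; forcelist wins")
    return problems


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(label, "allows unknown extension:",
              extension_install_allowed(policy, OTHER_ID), lint_policy(policy))
```

Note that these policies govern installs; an extension that is already present and later sold or updated with malicious code is untouched unless its ID is removed from the allowlist, which is the "once trusted, always trusted" problem raised later in this thread.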
 
.... ; what indicators of compromise or data probes could be used by everyday Joe to harden/canary browser against those?
Haha, since you ask about "everyday Joe," and since these appear to be long-running campaigns (5+ years), defying all possible basic checks on the extensions (except maybe the overly broad permissions), I would say the pooch is screwed on this one.

It's pretty much the same category as trusted programs suddenly going bad. Who's going to catch them first? Really good behavioral analysis endpoints, or technical users watching for technical anomalies. The average Joe consumer (including yours truly 🥲) is screwed, or just don't use those nice extensions.
 
Yeah, hence the canary probes. Something that alerts you when an extension suddenly goes rogue by attempting to do something that's not "normal" for an extension to ask for. Just like Notepad++ suddenly asking for ring 0 access.
 
Problem is, devs are selling extensions to malicious actors, so once trusted, always trusted unless revoked or banned from the store. I don't think you can do much!

Just hope some saint catches the malicious behavior and warns others before you fall victim.
Yeah, no saint anymore, Val Kilmer died this year (yeah, I am expecting this comment to go "woosh" over many people's heads). What can I say, my life runs on a Jeremy Bearimy timeline*.

*time in the afterlife moves in a very curvy and non-linear fashion which, when drawn on a whiteboard, resembles the cursive English words 'Jeremy Bearimy'.
 

Although there have been some high-profile examples of previously trusted extensions that have become malicious, this is not the primary problem. About 1/3 of browser extensions can be flagged for potential credential theft, session hijacking, and data exfiltration. Most of them are not trusted.

Another problem is that many such extensions are initially created with a "malicious trigger" that can be activated by malicious actors after months, when the extension is sufficiently prevalent. In most cases, malicious extensions are hidden (they don’t show up in the Chrome Web Store, but can be accessed via direct links in Chrome Web Store). They are often distributed via malicious Ads or websites.
 
This might help (at least when previous owners announce change): Under New Management - Chrome Web Store

I asked AI whether owners are obliged to inform Google.
 
Speaking about ownership change, does anyone remember the Nano Defender and Nano Adblocker extensions, which were sold by the developer and turned into malware? gorhill was the first to investigate on GitHub, which led to mass reports and deletion from stores and even browsers by Google and Microsoft.