Browser Extension Security

Mark September 7, 2021

Browser Extensions & Permissions

Browser extensions can potentially access cookies, the clipboard and even the physical storage of the client. To review an extension's permissions, go to “Settings > Extensions > Details (of the extension)”.

In this example Wappalyzer has access to the browsing history of the browser.

Extension permissions should be reviewed against the principle of least privilege: for example, if an extension has permission to access the user's clipboard or storage device, a malicious actor could abuse that permission.

This information is also available in the manifest.json, which contains metadata about the extension. The page below lists the different permissions available to an extension:

Declare extension permissions – Declare permissions – Chrome Developers

Third Party Scripts

Extensions may use third-party scripts loaded from an external server (original source). This is a potential risk: if the third party is compromised, the extension is probably compromised as well.

Any third-party scripts (or calls) should be protected by a supported SSL/TLS version; if this is not in place, an attacker could intercept the traffic.

Personally Identifiable Information and Data

A frequent privacy issue is analytics tools that send PII, visited pages and social media usage to servers (non-EU), which could breach data protection regulations such as the General Data Protection Regulation (GDPR).

If you review an extension's page on the Chrome Web Store, there is a “Privacy Practices” section which gives some information on how PII and data are used (or whether they are collected at all): –
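The two checks above (every remote call over TLS, and as few third-party scripts as possible) and the privacy question (which hosts receive user data) all start from the same inventory: the remote URLs the extension's code reaches. The following is an added example, not code from the original post; it scans the unpacked extension's source for absolute URLs and classifies each one. The first-party host `extension.example`, the `scanRemoteLoads`/`summarise` functions and the sample source are all constructed for this example.

```javascript
// Added example (not code from the original post): inventory the remote URLs an
// extension's source reaches, then flag plain-http loads and third-party hosts.
// Assumptions (hypothetical): the extension's first-party host is
// "extension.example", and the input is the concatenated JS/HTML of the
// unpacked extension folder.

const OWN_HOSTS = new Set(['extension.example']); // hypothetical first-party host

// Absolute http(s) URLs wherever they appear: <script src>, fetch()/XHR,
// script.src assignments, importScripts() in a service worker, etc.
const URL_RE = /https?:\/\/[A-Za-z0-9._~:@%-]+(?:\/[^\s'"`<>)]*)?/g;

function scanRemoteLoads(source) {
  const findings = [];
  for (const m of source.matchAll(URL_RE)) {
    let url;
    try { url = new URL(m[0]); } catch { continue; }   // skip anything URL() rejects
    findings.push({
      url: m[0],
      host: url.hostname,
      insecureTransport: url.protocol === 'http:',      // rule 1: TLS for every call
      thirdParty: !OWN_HOSTS.has(url.hostname),         // rule 2: minimise third parties
    });
  }
  return findings;
}

// Collapse findings into what a reviewer needs: every remote host (also the
// starting point for the PII/analytics question), plain-http URLs, and the
// distinct third-party hosts.
function summarise(findings) {
  const uniq = xs => [...new Set(xs)].sort();
  return {
    hosts: uniq(findings.map(f => f.host)),
    insecure: uniq(findings.filter(f => f.insecureTransport).map(f => f.url)),
    thirdParty: uniq(findings.filter(f => f.thirdParty).map(f => f.host)),
  };
}

// Constructed sample source; not taken from any real extension.
const SAMPLE_SOURCE = `
<script src="http://cdn.third-party.example/lib.js"></script>
<script src="https://extension.example/app.js"></script>
fetch("https://analytics.example/collect?uid=" + userId);
const s = document.createElement("script");
s.src = "https://cdn.third-party.example/widget.js";
importScripts("http://updates.third-party.example/worker.js");
`;

console.log(JSON.stringify(summarise(scanRemoteLoads(SAMPLE_SOURCE)), null, 2));
```

In a real review you would feed it the concatenated `.js` and `.html` files from the extension's version folder, then walk the `thirdParty` list asking two questions per host: what data is sent there (the PII point above) and whether the extension still works without it.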

Coding Practices

Like any other web application, coding practices should be reviewed. In this example the JavaScript appears to save the user's password in the browser's window.Storage using encodeBase64; base64 is a reversible encoding, not encryption, so the password is effectively stored in the clear.

Reference – How Secure Are the Browser Extensions You Create? | Checkmarx
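To make the coding-practice point concrete, here is an added example (not the post's code, nor the reviewed extension's): the storage pattern described above, reconstructed as a minimal function, beside a safer alternative that never persists the password at all. The `makeStorage` shim stands in for `localStorage` so the code runs under Node, and `login` is a hypothetical backend call that exchanges credentials for a short-lived opaque token.

```javascript
// Added example (not from the post or the extension it reviews). `storage` is any
// Web Storage-like object (localStorage in a browser); a Map-backed shim is used
// here so the block runs under Node.

function makeStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
    entries: () => [...m.entries()],
  };
}

const toBase64 = s => Buffer.from(s, 'utf8').toString('base64');
const fromBase64 = s => Buffer.from(s, 'base64').toString('utf8');

// INSECURE: base64 is an encoding, not encryption. Anything that can read the
// profile directory or run in the extension's origin gets the password back.
function saveCredentialsInsecure(storage, username, password) {
  storage.setItem('user', username);
  storage.setItem('pass', toBase64(password));
}

// What a reviewer (or any script in the same origin) can do with that data.
function recoverStoredPassword(storage) {
  const v = storage.getItem('pass');
  return v === null ? null : fromBase64(v);
}

// SAFER: never write the password. Exchange it once for a short-lived, opaque
// session token issued by the backend and store only the token plus its expiry.
// `login(username, password)` is hypothetical and returns { token, ttlMs }
// (synchronous here for simplicity; a real backend call would be async).
function saveSessionOnly(storage, username, password, login, now = Date.now) {
  const { token, ttlMs } = login(username, password);
  storage.setItem('session', JSON.stringify({ token, expiresAt: now() + ttlMs }));
}

// Return the token if it is still valid, otherwise clear it and return null.
function getValidSession(storage, now = Date.now) {
  const raw = storage.getItem('session');
  if (raw === null) return null;
  const s = JSON.parse(raw);
  if (s.expiresAt <= now()) { storage.removeItem('session'); return null; }
  return s.token;
}

// Review helper: does any stored value contain the secret, plain or base64?
function leaksPassword(storage, password) {
  const needles = [password, toBase64(password)];
  return storage.entries().some(([, v]) => needles.some(n => v.includes(n)));
}

// Constructed demo values.
const bad = makeStorage();
saveCredentialsInsecure(bad, 'alice', 'correct horse battery staple');
console.log('insecure store leaks password:', leaksPassword(bad, 'correct horse battery staple'),
  '->', recoverStoredPassword(bad));
const good = makeStorage();
saveSessionOnly(good, 'alice', 'correct horse battery staple', () => ({ token: 'tok-demo', ttlMs: 60000 }));
console.log('session-only store leaks password:', leaksPassword(good, 'correct horse battery staple'));
```

`leaksPassword` is the check to run against an extension's real storage area after logging in through it: if the password, or its base64 form, appears in any stored value, the extension has the weakness described above regardless of how the code is written.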

Find the Extension Source Code

Open a Chrome browser and type “chrome://extensions” into the address bar

In the right-hand corner enable “Developer mode”

This will show the extension's ID

Open File Explorer and go to %localappdata%\Google\Chrome\User Data\Default\Extensions; in there you will need to find the folder with the matching ID

Once you enter this folder, you should see another folder titled with the version of the extension; open it.

To view the code you will need an editor, or you can install the Source Code Viewer extension; more information here –

How to View the Source Code of a Chrome Extension

Summary

We should be careful when using extensions and follow the guidelines below: –

  • Follow the Principle of Least Privilege for permissions
  • Avoid extensions using third-party scripts
  • Avoid extensions with analytics tools
  • Use SSL/TLS for all requests (including third party scripts)
  • Follow Secure Coding Practices
  • Use Application Security testing tools

Examples of real-life extension vulnerabilities …

Cisco Security Advisory: Cisco WebEx Browser Extension Remote Code Execution Vulnerability

How to View the Source Code of a Chrome Extension – Make Tech Easier