Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.
The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals.
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
Krebs: The Case for Limiting Your Browser Extensions
- This topic has 4 replies, 4 voices, and was last updated 5 years, 1 month ago.
AuthorViewing 3 reply threadsAuthor-
Thank you satrow recently there has been a lot of information about privacy and security concerning web browsers. It is good that you remind us about browser extensions also. Chris Hoffman of How-To Geek website has an older 2017 article that is still worthwhile reading:
Browser Extensions Are a Privacy Nightmare:
Stop Using So Many of Them
By Chris Hoffman August 14, 2017
Browser extensions are much more dangerous than most people realize.
https://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/Also, Firefox Support has some “Tips for assessing the safety of an extension” that offers some good advice:
https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension5 users thanked author for this post.
-
True all. Personally, if I’m unsure of the extension author, I’ll download the extension and look through the source code. I never allow auto updates and I always read release notes before updating (except for one because I’m on the dev channel).
If there’s a permissions change requested during an update, I’ll cancel it and some do some research to make sure the author has documented the reason why. If not, then that may be a clue of a change of ownership and trouble ahead.
Look for reviews of extensions on the intertubes and any comments. A good source is gHacks (Martin Brinkmann). If an extension is new, check other extensions written by the author. Has he written others that are well known? Reputation can help you make an informed decision. A reputable, well-known author will usually disclose the purpose of any remote connections and what data is exchanged.
Since Mozilla now uses an automated system for extension checks before publishing, you have to be on your toes. Baddies do slip by. Ownership could change hands to bad actors.
It goes without saying, be wary of any frivolous extensions (e.g. coupons), those that have names similar to well-known ones, or ones that claim to add “features” to well established ones.
1 user thanked author for this post.
-
Well worth reading the entire Krebs post.
Scary!
-
A large number of extension authors make their source code available on GitHub. But, is that the code you’re actually getting when you click the “Add to Firefox” button?
If you right-click the “Add to Firefox” button, you can save the installation package locally. It will have the file extension “xpi” (e.g. myextension.xpi). An xpi file can be installed off-line. It’s actually an archive.
Use 7-Zip to unpack the xpi file. Now you have the source code of the extension (css, javascript, json). You can open individual files with a simple text editor (e.g. notepad, notepad++). You do not have to be a programmer to do basic checks.
For example, the file “manifest.json” will provide useful information such as where the extension gets its updates. Example:
“update_url”: “https://clients2.google.com/service/update2/abc”
If any of the files are obfuscated (unreadable), then this against Mozilla guidelines for extensions. The rule to remember is “If you can’t read it, don’t install it.”
Look for URLs, IP addresses, and filenames in the source files. If something looks strange, use the rule “If in doubt, throw it out”.
4 users thanked author for this post.
Viewing 3 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Uninstalr Updates
by 6 hours, 56 minutes ago
-
Apple zero days for April
by 2 hours, 13 minutes ago
-
CVE program gets last-minute funding from CISA – and maybe a new home
by 7 hours, 43 minutes ago
-
Whistleblower describes DOGE IT dept rumpus at America’s labor watchdog
by 19 hours, 33 minutes ago
-
Seeing BSOD’s on 24H2?
by 2 hours, 27 minutes ago
-
TUT For Private Llama LLM, Local Installation and Isolated from the Internet.
by 9 hours, 57 minutes ago
-
Upgrade from Windows 10 to 11
by 1 day, 4 hours ago
-
Microsoft : AI-powered deception: Emerging fraud threats and countermeasures
by 1 day, 7 hours ago
-
0patch
by 8 hours, 1 minute ago
-
Devices might encounter blue screen exception with the recent Windows updates
by 1 day ago
-
Windows 11 Insider Preview Build 22631.5261 (23H2) released to Release Preview
by 1 day, 10 hours ago
-
Problem opening image attachments
by 1 day, 11 hours ago
-
advice for setting up a new windows computer
by 2 days, 2 hours ago
-
It’s Identity Theft Day!
by 1 day, 6 hours ago
-
Android 15 require minimum 32GB of storage
by 2 days, 7 hours ago
-
Mac Mini 2018, iPhone 6s 2015 Are Now Vintage
by 2 days, 7 hours ago
-
Hertz says hackers stole customer credit card and driver’s license data
by 2 days, 7 hours ago
-
Firefox became sluggish
by 9 minutes ago
-
Windows 10 Build 19045.5794 (22H2) to Release Preview Channel
by 2 days, 11 hours ago
-
Windows 11 Insider Preview Build 22635.5235 (23H2) released to BETA
by 2 days, 12 hours ago
-
A Funny Thing Happened on the Way to the Forum
by 1 day, 9 hours ago
-
Download speeds only 0.3Mbps after 24H2 upgrade on WiFi and Ethernet
by 6 hours, 28 minutes ago
-
T-Mobile 5G Wireless Internet
by 1 day, 10 hours ago
-
Clock missing above calendar in Windows 10
by 1 day, 11 hours ago
-
Formula to Calculate Q1, Q2, Q3, or Q4 of the Year?
by 3 days, 3 hours ago
-
The time has come for AI-generated art
by 2 days, 7 hours ago
-
Hackers are using two-factor authentication to infect you
by 2 days, 16 hours ago
-
23 and you
by 3 days ago
-
April’s deluge of patches
by 1 day, 3 hours ago
-
Windows 11 Windows Updater question
by 17 hours, 51 minutes ago
Remembering Woody
