Rogue websites can turn vulnerable browser extensions into back doors

When was the last time you checked the permissions asked for by a browser add-on?

It’s a blind spot: we might know that app permissions can be risky but when it comes to extensions for browsers such as Chrome and Firefox there is a tendency to worry about it only when someone discovers a malicious extension doing something it shouldn’t.

But it’s not only malicious extensions that can be a problem, as highlighted by a newly published study by Université Côte d’Azur researcher, Dolière Francis Somé, which analyses deeper-level APIs.

Extensions can do things that websites can’t. Websites are restricted by the Same Origin Policy (SOP), the layer that stops sites on different domains from sharing data.

Somé was interested in whether a rogue website could bypass these basic SOP protections by exploiting privileged browser extensions to gain access to user data, browsing history or user credentials, or to download files to storage.

Sure enough, after analysing 78,315 Chrome, Firefox and Opera extensions that used the WebExtensions API using a mixture of static analysis and manual review, the answer in 197 cases was yes, it could.

All told, 171 of the 197 were Chrome extensions, which reflects the much greater number of extensions available for that browser rather than any inherent security advantage of Firefox or Opera, for which 16 and 10 vulnerable extensions were found respectively.

Should we be worried?

Given the very small number of vulnerable extensions discovered, at first glance perhaps not. More than half of the vulnerable extensions had fewer than 1,000 installs each, with only 15% having more than 10,000 installs each.

And yet many of these extensions were doing things that seem hard to justify, including 63 bypassing SOP, 19 executing code, and 33 Chrome examples that could even install other extensions.

Somé says that browser makers have been made aware of the extensions called out by the test, with Mozilla removing all of those named, Opera removing all bar two, and Google still in discussions about whether to remove or fix the Chrome ones (the full list can be found at the end of the research paper).

The easiest answer would be to stop extensions from communicating with web pages as they please, although this might also block legitimate actions.

Alternatively, extensions could (should?) be better vetted by browser vendors to check on their behaviour, while the extensions themselves could be forced to declare which websites they planned to interact with.

Concludes Somé:

Browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions.
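As an added illustration (not code from Somé’s paper or from any of the extensions it names), the snippet below puts the unchecked relay pattern the study describes beside a hardened content-script check on the same messages; the declared origins, allowed actions and sample page messages are assumed values constructed for the example, and the `send` callback stands in for `chrome.runtime.sendMessage` so it runs in plain Node.

```javascript
// Sites the extension declares it works with (assumed values, analogous to a manifest match list).
const DECLARED_ORIGINS = new Set(['https://app.example.com']);

// Actions the background script is willing to perform for a page. Anything else is dropped.
const ALLOWED_ACTIONS = new Set(['getSettings', 'saveNote']);

// Vulnerable pattern: every window message is relayed untouched, so any page that can post a
// message to the tab drives the privileged background script (cross-origin fetches and so on).
function relayUnchecked(event, send) {
  send(event.data);
  return { relayed: true, reason: 'no check' };
}

// Hardened pattern: pin the origin, require a structured message, allowlist the action and
// rebuild the forwarded object so unexpected fields never cross the privilege boundary.
function relayChecked(event, send) {
  if (!DECLARED_ORIGINS.has(event.origin)) return { relayed: false, reason: 'origin not declared' };
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || typeof msg.action !== 'string') {
    return { relayed: false, reason: 'malformed message' };
  }
  if (!ALLOWED_ACTIONS.has(msg.action)) return { relayed: false, reason: 'action not allowed' };
  const payload = typeof msg.payload === 'string' ? msg.payload.slice(0, 4096) : '';
  send({ action: msg.action, payload, origin: event.origin });
  return { relayed: true, reason: 'ok' };
}

// Constructed sample events shaped like the MessageEvent a content script receives from
// window.addEventListener('message', ...): one legitimate request and three that should be refused.
const SAMPLE_EVENTS = [
  { origin: 'https://app.example.com', data: { action: 'getSettings' } },
  { origin: 'https://other.example.net', data: { action: 'getSettings' } },
  { origin: 'https://app.example.com', data: { action: 'fetchUrl', payload: 'https://mail.example.org/' } },
  { origin: 'https://app.example.com', data: 'not an object' },
];

// Runs the samples through both relays and reports how many reached the background script.
function compareRelays(events = SAMPLE_EVENTS) {
  const result = { unchecked: 0, checked: 0, rejections: [] };
  for (const ev of events) {
    relayUnchecked(ev, () => result.unchecked++);
    const verdict = relayChecked(ev, () => result.checked++);
    if (!verdict.relayed) result.rejections.push(verdict.reason);
  }
  return result;
}

console.log(compareRelays());
```

The unchecked relay forwards all four messages; the checked one forwards only the declared site’s allowed request and records why each of the other three was dropped.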

The devil’s advocate might argue that the real problem is the whole extensions architecture, which is only now slowly being patched up.

In addition to being able to abuse APIs at a deeper level, many Chrome extensions have got into the habit of demanding high-level permissions during installation, such as the ability to “read and change all your data on the websites you visit.”

On the other hand, Google recently changed Chrome extension permissions so that users can restrict them to specific sites.

The best advice remains to install as few as possible and carefully check out the permissions they request.

Currently, this can be done on Chrome once an extension is installed via Extensions > Details.

On Firefox, the permissions are listed when the user clicks the ‘Add to Firefox’ button, which many people miss.

For Opera, it’s Extensions > Information.