Chrome extensions are filled with malware. Here's how to stay safe

Fake browser extensions use clever tricks to fool users of the world's most popular browser. Here's how the security industry is trying to quash the threats

Your browser's adblocker might not be what it seems. Earlier this month, Google removed a pair of plugins from Chrome with over 1.5 million installs between them. Their names – AdBlock and ublock – might sound familiar, but they definitely weren't the real thing.

First spotted by the AdGuard adblocker team, the plugins were cunningly replicating the well-known and entirely reputable AdBlock by getadblock and uBlock Origin by Raymond Hill.

The fraudulent ad blockers even behaved realistically, simply blocking as normal for a couple of days, after which their behaviour changed to carry out 'cookie stuffing' fraud. At this point, the extension loads tracking cookies onto its users' systems, so its creators can pretend they've referred the user to various sites they might visit, and be rewarded for doing so.

“Browser extensions have a long history of incidents,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender. “In their current implementation, they have full access to the contents of any web page the user may load into a browser. They have been successfully used in the past to manipulate the content of a page, to access sensitive information, leak access tokens to popular services, hijack searches, inject malicious scripts or to propagate scams on social networks.”

Other malicious extensions simply insert extra ads into every webpage you see – again, an effort to make money by racking up ad impressions. Others are more overtly criminal, such as those which target and log users' online banking credentials.

Last year, Trend Micro discovered a new botnet delivered via a Chrome extension that affected hundreds of thousands of users. “This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit,” says the company's cyber security architect, Ian Heritage.

Paul Lipman, CEO of cybersecurity firm BullGuard, says that in 2018 the company discovered more than 100,000 computers infected with browser extensions that stole login credentials, mined cryptocurrencies and engaged in click fraud. “But,” he says, “this is nothing compared to the recent discovery of eight browser extensions for Google Chrome and Firefox that were harvesting personal data from over four million people. This included medical records, credit card information, travel information, online shopping history, file attachments, GPS locations and more.”

“Legitimate or not,” says David Emm, principal security researcher at Kaspersky, “even basic extensions usually require permission to “read and change all your data on the websites you visit,” but most browsers will grant permissions by default (without asking you), giving them the power to do virtually anything with your data. And if you don’t give them that permission, the extension won’t be installed.”

Google removed the offending extensions two days after AdGuard's post drawing attention to them – AdGuard says it had previously reported the extensions as fake to no effect. Google blocks around 1,800 malicious uploads to the Chrome store every month and is actively developing new protections, including teams of manual reviewers.

There are also changes in the pipeline to how Chrome handles ad-blocking by extensions, in an update called Manifest V3. Google says the update is intended to make the extension ecosystem safer, with new APIs designed to preserve privacy, more restrictive default extension permissions, more user options to control extension permissions, changes to the review process and readability requirements, and mandatory two-step verification for developers.

BullGuard's Lipman says that Manifest V3, as it's currently being developed, “still allows extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit.”

Kaspersky's Emm warns that Manifest V3 could potentially have a negative impact on security by preventing ad blocking programs from working as they do today. “Essentially,” he explains, “the mechanisms that ad blockers use will be taken away by Google and the extensions will no longer be able to use the blocking capabilities of the 'Web Request' API. Instead, Google wants such programs to use a different API, 'declarativeNetRequest', which allows Chrome to decide whether to block content based on a series of rules.”
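To make the difference Emm describes concrete, here is an added example (not code from the article, from Google, or from any real ad blocker) that models the two mechanisms side by side. Chrome's real `chrome.webRequest` and `chrome.declarativeNetRequest` APIs only exist inside an extension, so both are written as plain functions that run under Node: the Manifest V2 style listener gets to inspect every request and decide in code, while the Manifest V3 style hands the browser a rule list and the extension never sees the request. The rule objects use the real `declarativeNetRequest` shape (`id`, `priority`, `action.type`, `condition.urlFilter`, `condition.resourceTypes`), but the matcher is a simplified stand-in for Chrome's (it understands only the `||` host-anchor prefix and plain substring filters, and breaks priority ties by first match). The tracker hostnames and sample requests are constructed.

```javascript
// Added example: Manifest V2 webRequest-style blocking versus Manifest V3
// declarativeNetRequest-style rules, modelled as plain functions.

// --- Manifest V2 style: a webRequest.onBeforeRequest listener ---
// The extension's own code runs for every request and returns {cancel: true}
// to block it. Any logic is possible, which is exactly why such an extension
// can also observe everything the browser loads. Hostnames are constructed.
const trackerHosts = new Set(["ads.example-tracker.test", "cdn.example-ads.test"]);

function webRequestListener(details) {
  const url = new URL(details.url);
  if (trackerHosts.has(url.hostname) || url.pathname.endsWith("/beacon.gif")) {
    return { cancel: true };
  }
  return {};
}

// --- Manifest V3 style: declarativeNetRequest rules ---
// The extension declares rules up front; the browser evaluates them and the
// extension is never called per request. Constructed rule set.
const declarativeRules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||example-tracker.test", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "/beacon.gif", resourceTypes: ["image"] } },
  // A higher-priority allow rule wins over the block rule above.
  { id: 3, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||example-tracker.test/consent", resourceTypes: ["script"] } },
];

// Simplified matcher (assumption: not Chrome's full urlFilter grammar).
// "||host/path" anchors to the host or any subdomain; anything else is a
// substring match against path + query.
function filterMatches(urlFilter, url) {
  if (urlFilter.startsWith("||")) {
    const [host, ...pathParts] = urlFilter.slice(2).split("/");
    const path = pathParts.length ? "/" + pathParts.join("/") : "";
    const hostOk = url.hostname === host || url.hostname.endsWith("." + host);
    return hostOk && url.pathname.startsWith(path);
  }
  return (url.pathname + url.search).includes(urlFilter);
}

// Returns "block" or "allow" for a request {url, type}, picking the matching
// rule with the highest priority (first match wins on ties in this model).
function declarativeDecision(request, rules = declarativeRules) {
  const url = new URL(request.url);
  let best = null;
  for (const rule of rules) {
    const types = rule.condition.resourceTypes;
    if (types && !types.includes(request.type)) continue;
    if (!filterMatches(rule.condition.urlFilter, url)) continue;
    if (!best || rule.priority > best.priority) best = rule;
  }
  return best ? best.action.type : "allow";
}

// Stand-alone demonstration on constructed requests.
const sampleRequests = [
  { url: "https://ads.example-tracker.test/pixel.js", type: "script" },
  { url: "https://ads.example-tracker.test/consent.js", type: "script" },
  { url: "https://news.example.test/beacon.gif", type: "image" },
  { url: "https://news.example.test/story", type: "main_frame" },
];
for (const req of sampleRequests) {
  console.log(req.url, "| webRequest:", webRequestListener(req).cancel ? "block" : "allow",
    "| declarativeNetRequest:", declarativeDecision(req));
}
```

The point of the contrast is that the V2 listener can implement whatever the extension's author wants, because it sees every request (including the URLs the user visits), whereas the V3 rule list gives the browser a fixed, inspectable description of what will be blocked and removes the extension from the request path. Whether a given blocker's logic fits into that rule format is the question the article's experts disagree about.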

Developers of third party browsers based on Google's Chromium rendering engine, including Opera, Brave and Vivaldi, have said they will not adopt the modified extension system.

How to stay safe

Consider whether you really need the extension you're about to install. Even legitimate extensions can have an impact on browser performance, and many can effectively be replaced by a bookmarks bar link pointing to a web app.

Check the publisher. If in doubt, for major tools such as Adblock Plus, go to the official website and follow the download link from there rather than relying on search results or your browser's extension store's cluttered listings.

Avoid extensions from unofficial sources. Bogdan Botezatu says that “if installing an extension, users should only install them via the official browser extension store rather than sideload them using the Developer Mode approach.”

Watch out for updates – extensions by default automatically update themselves, which is useful for security. Unless they get bought out by a malicious software creator, that is. If Google removes a malicious extension from the Chrome store, it's also disabled on users' machines.

Keep an eye out for unusual behaviour. If you're suddenly seeing something unexpected in your browser's performance or behaviour, such as loads of adverts where there should be none, check your extensions. If in doubt, disable them and re-enable them one by one to find the culprit.

“If you don’t need it anymore, why take the risk of keeping it?” asks Kaspersky's David Emm. Unused and unnecessary extensions, like unrequired software, just serve to add an additional attack vector that could be exploited.

This article was originally published by WIRED UK