The Hindu Explains | Has Google failed to protect its Chrome browser?

How do malicious extensions get in to the Chrome store?

Updated - June 21, 2020 01:03 am IST

The story so far: A few days ago, Reuters reported a “ newly discovered spyware effort ” targetting users of Google’s browser Chrome. The spyware, it said, has been pushed through at least 111 malicious or fake Chrome browser extensions, which have been downloaded some 32 million times. (Browser extensions are add-ons that provide additional capabilities to the user.) The report also said Google had taken off more than 70 extensions from its official Web Store last month after being alerted to their malicious nature by researchers at Awake Security. The rest were never in its web store.

How do these malicious extensions get in to the Chrome store in the first place?

Short answer: they seem harmless, to being with. According to the report by Awake Security, which brought this issue to light, these “sleeper agent extensions” appear to do nothing in the beginning. The “malicious payloads” are only pushed on to the extensions much after the “clean” versions have been approved.

Also read | Google Chrome hit with bugs, users losing secondary profiles

What do the malicious extensions do?

They can take “screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords),” says the report.

How has Google reacted to this?

As mentioned above, Google has recently removed the malicious extensions. Reuters reported Google’s spokesman Scott Westover as saying, “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”

It also said in its report: “Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.”

It has been mentioned that some of the fake extensions were never in the Chrome Web Store. How were they made to work then?

This is due to the misuse of an open-source browser project, Chromium — installing it can lead to malicious add-ons. This works as a rogue browser when users unwittingly give it the okay to run when prompted.

Are browser extensions a vulnerability?

A significant part of what we do on the computer these days is via the browser. Also, the research report points out that it has been a challenge for security solutions to spot malicious activity that is happening within the browser. The Awake Security report says, “Rogue access to the browser therefore frequently means rogue access to the ‘keys to the kingdom’ — from email and corporate file sharing to customer relationship management and financial databases.”

How are users fooled?

Watch out for prompts that urge you to make a new browser as default. That is not all, though. The security firm has also documented some standard characteristics of malicious campaigns. For starters, some of these malicious players have professional-looking web sites that peddle false promises. An example recorded is that of a security extension that certifies a page with malicious content as secure.

Security experts can visually figure out if an extension is malicious or fake, says the Awake Security report, listing out the following easy identifiers: These extensions, for an unknown brand and little information, have a huge following; the user reviews are always great; these extensions have a huge following despite being relatively new in the market.

What other vulnerability has this finding revealed?

The Awake Security report ends with a question mark on the conduct and practices of a small Israel-based domain registrar called Galcomm, formally known as CommuniGal Communication Ltd according to Reuters. Its report says 60% of its domains are high risk for organisations. These malicious domains have managed to evade categorisation as unsafe because their actions depend on where the client is connecting to it from. They act maliciously only if the client connects from a broadband or cable network. They act benignly if the request comes from a data centre or virtual private network.

It says, “This registrar, who also maintains a Registrar Accreditation Agreement with ICANN (The Internet Corporation for Assigned Names and Numbers), is responsible for putting far more malicious domains, malware, and exploitative content on the internet than legitimate content. We believe the research and analysis summarized in this report proves that Galcomm is at best complicit in malicious activity.”

The bigger issue raised by the report is one of lack of oversight by ICANN, which oversees domain name standards.

What has been Galcomm’s response?

Reuters reported that Galcomm owner Moshe Fogel has denied any wrong-doing.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.