My colleague Felix Dahlke wrote up a rather simplistic blog post on malicious extensions. I wanted to write a more extensive blog post on the topic, without any simplifications. In fact, what you can do to avoid installing malicious extensions depends largely on your browser, so I will go into the details for all browsers below.
Should I be careful when installing extensions?
Yes, absolutely. Installing an extension is always a matter of trust: you have to be sure that the extension does exactly what it claims to do. Otherwise you might eventually discover that the extension you installed has some non-obvious “features” (or worse: you might not even notice). However, the amount of harm such a malicious extension can do depends on your browser:
- Internet Explorer: extensions are typically installed with administrator privileges, which can give a malicious extension full access to your computer. It might even disable anti-virus software that you have installed. Essentially, it is exactly the same as with any application you install.
- Firefox: extensions can do pretty much everything that Firefox can do; essentially, they get the privileges of the user account that Firefox is running under. Normally this won’t be the administrator account, so taking over the system completely won’t be possible. Still, a malicious extension could read out all your data, including files on disk, browsing history and passwords stored in Firefox.
- Chrome, Opera and Safari: these browsers run extensions in a sandbox, which somewhat reduces the potential for abuse (and along with it the potential for great extensions). Still, a malicious extension could spy on your browsing behavior or intercept passwords as they are being entered. It could inject unwanted content into webpages; typically this would be ads that the extension author gets paid for. Note that looking at the permissions an extension requests isn’t very helpful: lots of extensions request access to all websites, simply because they need to do something useful with them.
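To illustrate that last point, here is an added Python example (not code from the original post) that lists the manifest fields through which a Chrome-style extension gets access to all websites. The three manifests are constructed samples, and the function names `all_site_grants` and `audit` are made up for this example.

```python
import json

# Chrome match patterns that cover all websites (for at least one scheme).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def all_site_grants(manifest):
    """List the manifest fields that give an extension access to all websites."""
    grants = []
    # Manifest V2 puts host patterns in "permissions", V3 in "host_permissions".
    for key in ("permissions", "host_permissions"):
        for value in manifest.get(key, []):
            # Some permission entries are objects rather than strings; skip those.
            if isinstance(value, str) and value in ALL_SITES:
                grants.append((key, value))
    # Content scripts get page access through their "matches" patterns.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in ALL_SITES:
                grants.append(("content_scripts.matches", pattern))
    return sorted(set(grants))

# Constructed sample manifests (not real extensions).
SAMPLES = json.loads("""
[
  {"name": "Example Ad Blocker", "manifest_version": 2,
   "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
   "content_scripts": [{"matches": ["<all_urls>"], "js": ["hide.js"]}]},
  {"name": "Example Ad Injector", "manifest_version": 2,
   "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
   "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
  {"name": "Example Single-Site Helper", "manifest_version": 2,
   "permissions": ["https://example.com/*"]}
]
""")

def audit(manifests):
    """Map each extension name to its all-sites grants."""
    return {m["name"]: all_site_grants(m) for m in manifests}

if __name__ == "__main__":
    for name, grants in audit(SAMPLES).items():
        print(f"{name}: {grants or 'no all-sites access'}")
```

The constructed ad blocker and ad injector produce identical results, which is why the requested permissions alone cannot separate a useful extension from a malicious one.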
What about add-on stores, can the extensions there be trusted?
The answer here is: it depends. Let’s look at this for each browser:
- Internet Explorer: Microsoft provides an Internet Explorer Gallery. However, what you get there is essentially a link; Microsoft doesn’t verify the content you get there. Even if the gallery hosted the content itself, establishing a review process would be pretty much impossible given that Internet Explorer extensions are always compiled. Note that some websites like Softpedia will claim to have verified that the extension contains no malware. Well, they are lying to you: they couldn’t have done more than running a virus scanner to detect known malware. As far as Internet Explorer extensions go, you are on your own and need to trust the author of the extension.
- Firefox: Mozilla runs addons.mozilla.org (AMO) where you can get extensions. In order to ensure the necessary content quality, both initial submissions and updates are reviewed by volunteers. The guidelines for such reviews are in the open and in general there have been fairly few issues with reviewed extensions in the past. However, you still need to be careful: not all extensions are fully reviewed! Some extensions only passed a preliminary review, others haven’t been reviewed at all yet. You can recognize such extensions by a yellow install button instead of the usual green one. There is also a warning when installing that you really shouldn’t ignore.
- Chrome: For Chrome, the Chrome Web Store is the only place where you can install extensions. However, there is no review process whatsoever here. I assume that there is some automated scanning in place which flags some extensions for manual review, but it has repeatedly failed to find issues in the past. For example, only recently some legitimate extensions were bought in order to make them add ads to web pages. Less obvious functionality (e.g. spying on your browsing behavior) might go unnoticed for a while. So with Chrome extensions you still need to trust the author of the extension.
- Opera: Similarly to Chrome, the Opera add-ons website is the only place where you can install Opera add-ons. Yet the content there is somewhat more trustworthy because it is actually being reviewed by a human before being published. Still, it is unclear how this review is being performed and whether it has a chance of catching malicious extensions. So far there have been no incidents involving Opera add-ons; the browser’s market share is simply too small for that.
- Safari: So far, Apple’s Safari Extensions website is only a sad excuse. As things are now, it doesn’t even have search functionality, so all you can do is go through the entire (granted: not very long) list of add-ons. There is some review being performed when a new add-on is submitted; apparently this process currently takes months. The purpose of this review is unclear, however. It is definitely not security, given that updates will not be reviewed (the website doesn’t actually host any content, the extensions are being downloaded from the websites of their authors).
To sum up, currently the only vendor to establish useful extension reviews is Mozilla. It might be that Opera’s reviews also weed out malicious extensions but this is impossible to tell given that no information is available on their review process. As to Chrome, Safari and Internet Explorer, the content of the extension stores cannot really be trusted and you have to trust the authors of the extensions to do the right thing. This is particularly problematic with Internet Explorer given the amount of damage a malicious extension can do and that it is very hard to verify what the extension is really doing.