Extension APIs Can Steal Browser Data Through Malicious Websites
All of the big web browsers such as Chrome, Firefox and Opera, use extension APIs. They are developed to give the user greater browsing experience plus functionality not found on native browsers. However, a recent academic paper has highlighted possible flaws in these APIs.
One way that malicious websites can use extension APIs is by executing code within the browser. This code then enables the originator to steal sensitive information. Bookmarks, browsing history and even cookies can be accessed and leave the user vulnerable.
Online attackers can also use these extensions to hijack a users login sessions. This will enable them to gain access to sensitive data including emails, and social media profiles.
Access to users data via extension API’s was thought to be theoretical. However, an academic paper published by Dolière Francis Somé found some anomalies. The paper was written by Somé while conducting research at the Université Cote d’Azure and with the help of INRIA, a French research institute.
Somé has created a tool that has tested over 78,000 extensions. He concentrated on the most popular including Chrome, Firefox and Opera.
Following his testing, Somé identified 197 extensions that exposed API communication interfaces. This would allow malicious websites access to data stored on the user’s web browser. Somé said the findings were surprising because only 15 of the extensions were developer tools. These extensions often have full control over the browser and would be easy to exploit.
Of the 197 extensions found, fewer than 55 percent had over 1,000 installs. However, 15 percent had installs totalling over