Seeing the Unseen: Preventing Breaches by Spotting Malicious Browser Extensions

How Falcon Exposure Management helps security teams reduce browser extension risk

As workforce productivity increasingly depends on web-based applications, browsers have become essential gateways to the “connectivity economy.” According to recent data, 93% of desktop internet traffic in 2023 traversed through four popular web browsers.

With their diverse functionalities and use cases, browsers are the most used desktop applications. To further expand their utility, it’s common to install and use browser extensions: small software modules that enhance and personalize the functionality of web browsers. Users install them to tailor their browsing experience to better meet their needs and preferences, and they range from ad blockers and security tools to productivity enhancers and shopping assistants. Like regular applications, however, browser extensions can become sources of malware and be exploited by attackers, which means they carry significant risks.

In this blog, we’ll explore why browser extensions are particularly attractive to threat actors and how new capabilities in CrowdStrike Falcon® Exposure Management can help security teams detect and assess these risks to stay ahead of attackers.

What Makes Browser Extensions Problematic

When an end user installs a browser extension, the permissions granted open the door to a world of possibilities — and vulnerabilities. Depending on what’s allowed, these extensions can access a veritable treasure trove of information: everything from web traffic and saved credentials to session cookies, clipboard data and beyond. Though legitimate extensions often require such permissions to operate effectively, in the wrong hands, these permissions can become tools for exploitation, giving bad actors the keys to critical data and private information.

The rich data obtained through such means can subsequently be weaponized and monetized by criminals. For example, using privileged data, they can craft better phishing emails or use credentials harvested to carry out identity-based attacks.

CrowdStrike’s analysis of browser extensions in our production environments indicates that well over half of them require what may be considered excessive permissions. This means that these permissions carry strong risks, as they may allow threat actors to see all web traffic or manipulate browser tabs.

Further, because extensions are embedded into browser applications and do not create process start events, they can be harder to detect than ordinary desktop applications, allowing threat actors to obfuscate and persist their malicious activities.

How Adversaries Deploy Malicious Extensions

Extensions can be relatively easy to develop, but they don’t typically come with a web browser out of the box. Therefore, the act of deploying malicious extensions onto target victim browsers is an important part of the tradecraft. Adversaries achieve this by employing various tactics.

One common method is to list deceptive extensions on browser stores. Deception can be achieved in a number ways, including by mimicking legitimate well-known vendor product names or by publishing extensions with popular productivity purposes.

Another popular tactic is ownership takeover, where threat actors purchase or otherwise take over previously legitimate browser extensions that already have a user base and push out malicious updates to compromise target systems.

The most dangerous method is perhaps “sideloading,” which involves installing browser extensions from sources outside the official web store by directly adding the extension files. This method bypasses the usual safeguards that come with the browser stores. Attackers exploit this method by bundling malicious extensions with seemingly legitimate software applications. When users install these applications, the hidden extensions are also installed, granting attackers access to the users’ browser and data.

Even with the web store method, browser extensions can expand their permissions upon installation and download additional malicious payloads. This is a popular obfuscation tactic where adversaries publish extensions to web stores with minimal initial permission requirements but expand their footprint with harmful intentions. A case in point was the notorious PDF Toolbox malicious browser extension, which downloaded additional payloads upon installation to enhance its capabilities and persistence.

Figure 1. Cyber kill chain involving browser extensions.

Falcon Exposure Management for Browser Extension Visibility

Fortunately, Falcon Exposure Management, a module of the AI-native CrowdStrike Falcon® cybersecurity platform, leverages its single, lightweight agent to provide comprehensive asset visibility and instant exposure assessment. This enables security teams to further close the security gap by detecting yet another source of exposure in the form of browser extension risks.

Extension Inventory

Detecting and cataloging the very existence of extensions is the first step toward understanding their risks. With Falcon Exposure Management, security teams can compile a comprehensive inventory of all extensions installed on Chrome and Edge browsers in their enterprise environment, whether it’s Windows or macOS. This capability doesn’t just list extensions, it offers insightful analytics, revealing extensions with the most and least installations, the most and least usage, and much more.

Extension Risk Assessment

From here, security teams can assess extension risks in a number of ways. For starters, installation methods are shown related to each extension, uncovering sideloaded applications and providing risk context.

Falcon Exposure Management also shows the vendor name captured from the extensions, which can range from legitimate well-known vendors all the way to those with missing artifacts in the name field. Web store listings for the extension, if found, are also provided.

Perhaps the most important measure of risk is the permission level associated with each extension. Because the types of permissions can be so varied, CrowdStrike computes a heuristics-based “permission severity” rating to facilitate the ease of assessment. For example, if the permission allows the extension to “intercept web traffic,” it’s assigned a permission severity of critical. Alternatively, if the permission allows the extension to control the browser tab, it’s assigned a level of high. Falcon Exposure Management provides detailed information on permissions along with the severity rating for ease of investigation.

For a security analyst evaluating extension risk, a sideloaded extension with a “critical” permission severity rating, no corresponding store listing and a missing vendor name can signal a suspicious extension requiring further evaluation or more aggressive intervention.

Taking Actions

Beyond these insights, customers benefit from the platform’s broader capabilities to take actions on these risks. For example, security teams have the ability to configure policies to automatically group browser extensions with critical permission severities into a particular host group. They can also trigger automated actions through the native CrowdStrike Falcon® Fusion SOAR workflows, such as creating tickets to alert IT system owners to investigate or remediate suspicious extensions. Security teams can also set up automated workflows to trigger notifications via email, Slack, etc., to keep teams in the loop.

With Falcon Exposure Management, these assessments take place seamlessly and instantaneously with the Falcon agent. This allows security teams to monitor their overall attack surface in its various forms, leaving adversaries nowhere to hide.

Figure 2. Falcon Exposure Management browser extensions dashboard and details.

Get Started Today

If you’re an existing Falcon Exposure Management or CrowdStrike Falcon® Discover customer, give the browser inventory capability a try by going to Exposure Management > Applications > Dashboards to view the new browser extensions overview dashboard and see extension-specific data. If you’re not using these modules already, talk to your CrowdStrike representative to request a demo.

Additional Resources

Related Content