ALPS blog

The plugins I called …

by Udo Schneider, IoT Security Evangelist Europe

Who doesn’t know them – the ever-popular little helpers? Whether it’s the small tools that make life on the desktop more pleasant or plugins that simplify daily workflows in programs. Specifically, we are talking about plug-ins in the form of browser extensions.

The same precautions apply to these as to the installation of any other software: before installing them, make sure that the software comes from a trustworthy source and is not compromised. The browser manufacturers’ “marketplace pages” help here: the extensions listed there have withstood at least a cursory check. Often even a test for malware.

But let’s be honest: When was the last time you “cleaned out” the plugins or extensions in your program or browser? And of those that remained: Have you checked if they are still trustworthy?

These little helpers tend to go unnoticed over time – especially if they perform the promised function to your satisfaction. And this is exactly the crux! Especially with automatic updates, it is possible that not only new and desired functions come to the computer, but also unwanted ones.

This is what happened with the popular browser extension “The Great Suspender” for Chromium-based browsers. This open-source extension was maintained for years and was able to gain a large user base of over 2 million installations over time. However, the work became too much for the original maintainer, so in mid-2020 he passed on the maintenance to a new maintainer and also sold him the rights and accounts (for the Google Chrome web store) [1]. Until October 2020, little changed for the time being. Then, however, users found evidence of unauthorized tracking functions and provisions for dynamically reloading code from external servers in the source code. In short, the popular extension had been “extended” into a potential spying and code execution platform.

So, to summarize, we have an extension that was installed on many systems and – quasi via “autoupdate” – was enhanced with spyware features. To make matters worse, Google did not put this extension on the exclusion list until early February 2021 and warned users directly that it contained malware. [2] This means that the backers potentially had access to millions of installations from at least October to February!

There are lessons to be learned from this (but unfortunately also from other cases in the past):

  • Small helpers like plugins and extensions are just as critical security-wise as “big” applications and should also fall under the same processes (review, patch management, etc.).
  • Open source is not a panacea: In this specific case, the extension was open, free and free of charge. And yet (after the maintainer change) spying features were introduced. Of course, one could argue that it was precisely because of open source that this was eventually discovered. That is correct. But even open source software usually has dependencies that can be compromised. This happened, for example, in popular Ruby libraries that tested the strength of passwords and contained a backdoor [3] or stole cryptocurrency outright [4]. A classic case of supply chain attacks, in other words.
  • Endpoint/network monitoring can be a massive time saver: More than four months passed between the insertion of the spy code and Google’s blocking of it. In the meantime, monitoring systems could have easily detected the communication to the (previously already known!) backend servers and blocked them if necessary!

In the end, the conclusion is to validate every software component regularly, no matter how small it may be. And strictly speaking, this applies not only to the component itself, but all its dependencies as well. However, since in practice this is only feasible up to a certain depth, external monitoring systems are also a good supplement.

This article was first published in the Security Newsletter of LANline, WEKA Fachmedien GmbH.






n subscribe to the newsletter free of charge here.


Featured News