Cyber Defense eMagazine December 2019

118
flawed method in which Evernote interacted with websites allowed hackers to use cross-scripting
techniques to circumvent the browser’s Same Origin Policy (SOP). SOPs prevent users from accessing
information from web pages by utilizing scripts from other pages from the same source. Fortunately,
following the discovery of this vulnerability, Evernote released a vulnerability patch in an update to fix the
issue.
Earlier this year, hackers used an extension called SingleFile, which allowed users to save and archive
webpages as single HTML file, to spoof login pages and phish unsuspecting users’ credentials.
Unfortunately, these are just two examples of the many instances of browser extension exploitation.
Fortunately, Google is responding to these issues. After announcing last fall that the company planned
on increasing user protections for third-party extensions and other applications, Google is ramping up
restrictions to reduce the exposure of user data. All extensions are only allowed to request necessary
information in order to implement or update application features. Google is also requiring that extensions
which handle users’ personal information to publish their privacy policies and meet updated cybersecurity
guidelines.
However, the problem remains that browser extensions still don’t operate like web applications, meaning
they are not protected by the same SOPs. Browser extensions are still a vessel by which attackers can
“phish” users by using the extension to avoid the SOP protections maintained by the browser itself.
Hackers can then extract user logins/passwords and access the victims’ accounts, empowering them to
use the stolen credentials for malicious theft of money and data.
In a study published in January, researchers from the French institution Université Côte d’Azur, found
that 197 extensions from various internet browsers, such as Chrome and Firefox, and were susceptible
to the threat of malicious websites. These rogue sites had bypassed SOP protections and were able to
gain access to victims’ information.
Cyber attackers are launching these malicious extensions under the guise of useful applications. By
offering naïve users (often the employees of targeted organizations) a browser add-on for various tools
such as grammar checks, archiving assistance, and more, hackers are able to carry out browser-based
phishing schemes that ultimately trick victims into exposing their credentials and private information which
the cyber criminals can then exploit.
This is all part of the great and growing problem of browser-based cybercrime. Most users are now well
aware of the threat of email phishing attacks, but many don’t know just how numerous and widespread
the rest of the attack landscape is. There are just so many options at hackers’ disposal — in addition to
browser extensions and email, pop-up ads, social media, instant messengers, and more are all available
attack vectors for malicious activity.
The responsibility definitely lies with the app stores themselves to vet the safety and security of incoming
apps, which is no easy feat as there’s many ways to bypass security tools looking for specific malware
and attributes that can be masked with minimal coding.
As a security team, there’s also a few steps that can be taken to reduce a user’s exposure. Cybersecurity
awareness training and prohibiting new software downloads to corporate computers without the express
authorization of the IT team are a couple of examples. Employers should also do their research to find