Google and Mozilla over the past few weeks have taken steps to remove problematic extensions and add-ons that steal user data and execute remote code.
Browser extensions and add-ons are small programs that users can install on their browsers to enhance their web surfing experience. They range in functionality, such as widgets to set a search engine, ad-blockers, and security tools. However, these extensions pose a risk because users trust the code running without verifying that there is no unexpected or malicious behavior.
Google Bans Updates
The Google security team has indefinitely suspended the ability to publish or update any commercial Chrome extensions on the Chrome Web Store due to a spike in the number of fraudulent extensions. The ban impacts all paid extensions, including those that require a fee before installing, those that rely on monthly subscriptions, and those that unlock features via one-time in-app purchases. Extensions still in the Chrome Web Store are still available--but developers are blocked from publishing new paid extensions or updating their existing ones.
The Chrome Web Store detected a "significant increase" in the number of fraudulent transactions involving paid Chrome extensions earlier this month, Simeon Vincent, developer advocate for Chrome Extensions, wrote on the Chromium Extensions forum. Google engineers described the fraudulent transactions as happening "at scale."
Password manager Dashlane is among those impacted by the ban. However, it's worth noting that less than 10 percent of extensions in the Chrome Web Store are commercial extensions.
"This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse," Vincent wrote. He did not give a timeline for when the ban will be lifted but said developers who are blocked from publishing or updating their extensions can request an appeal.
Mozilla Cleans House
Mozilla’s add-on review team banned 197 Firefox add-ons outright for executing malicious code, stealing user data, and using obfuscation to hide their source code. Unlike the situation with the Chrome Web Store where the extensions are still available, Mozilla removed the add-ons entirely from the Mozilla Add-on portal and also automatically disabled them from Firefox for any users who had already installed them.
Developer 2Ring was impacted the most by this ban, as 129 of its add-ons were removed from Firefox for downloading and executing code from a remote server. Mozilla’s rule is that all code must be self-contained and not downloaded from remote locations. Six were banned for illegally collecting user data, and three for being fake premium products.
Rolimons Plus, an extension linked to the Roblox online multiplayer video game, was blocked for “collecting ancillary user data against our policies.”
As with Google Chrome, Mozilla developers are able to appeal the bans.
Are They Necessary?
Browser extensions are "now what Flash has been for the past decade," said SANS Institute's John Pescatore. "Nothing users really need, just vulnerable code to help advertisers and thieves tick users into questionable behavior," he said.
Forcing programs to go through official marketplaces before they can be added to the browser reduced the total number of applications, but malicious ones still make it through. The bans and removals are a good time to pause and review all the extensions being used, and decide whether they really are needed, and remove if they are not.