Malware in Browser Extensions

October 19, 2016
Info notes


Today, the web browser is our main interface to the Internet. But the browser on its own has its shortcomings, e.g. we are annoyed that we cannot limit adverts and popups. To fill this gap we have the browser extension, which can be easily added to the browser, offering functionality such as changing the appearance of web pages, improving browsing security, blocking advertisements etc.

Browser extensions are implemented with standard web technologies, such as HTML and JavaScript. They are written by third parties; however, not all third parties have the best interest of the end-user at heart. Malicious browser extensions are being leveraged in various types of attacks, ranging from data theft, spying, and more.

Forecasts of growing security problems around extensions have materialised, as cyber criminals/rogues tap into the rich data contained in Web browsers for profit/manipulation. As the number and popularity of browser extensions grow, so too does the urgency to tackle this important attack vector. Bad programming practices and vulnerabilities also play their role in extension security but the focus of this note is in malicious browser extensions.

Currently, there is little or nothing to protect users against malicious extensions - even those downloaded from official stores[1]. This note aims to raise awareness on the threat of malicious browser extensions and provides some recommendations on limiting the associated risks.

Web Browser Evolution

Before going further, we should clarify some terminology, namely that of plug-ins, extensions and add-ons.

Plug-ins refer to software installed separately to the browser that work in tandem with the web browser to offer additional functionality, e.g. Flash Player. A plug-in can be embedded in a web page and affects only that specific page.

Extensions are pieces of code installed to work within the browser session, but without modifying the base browser code. This allows the browser to perform certain additional functionalities and features not available in the browser by default, e.g. blocking ads on pages visited.

Add-ons is the collective name for extensions, themes (used to change the appearance of the browser) and plug-ins.

In the 90s, web browsers such as Netscape, performed rather basic functions. As their popularity and use increased, there was a need to augment their functionality, and the "add-on" architecture NPAPI was defined. Microsoft Internet Explorer has its own architecture and implements add-ons through ActiveX controls. However, browser add-ons, and more specifically plug-ins like Adobe Flash, had three major weaknesses:

  • They had access to the entire browser session, which makes sandboxing and protection very difficult.
  • Many plug-in, e.g. Flash, were installed across a large number of computers. In cases of vulnerabilities these plug-ins were then patched with varying frequency, leaving a large number of potential targets open for cyber-attacks.
  • Browser add-ons and plug-ins are in general less stable than the browser code itself.

Due to the multiple security issues, as well as the adoption of plug-in-free web technologies such as HTML5, major web browser vendors began to phase out NPAPI support in 2013, which therefore means that newer browsers will no longer support plug-ins.

Browser Web Stores

Each of the major web browsers has their own official store, where one can download browser extensions to deliver the desired functionality. Each of these stores apply various controls to ensure that the code is safe and suitable for distribution to users. Generally speaking, these controls include:

  • Signature mechanism. To ensure that the extension is from the third-party developers claimed, and to maintain integrity. However, this has limited contribution to solving the issue of extension security.
  • Review mechanism. Efficient and effective tools are still lacking, which is evidenced by the number of malicious or flawed extensions that still pass the review.
  • Revoke mechanism – it is possible to report abusive extensions, which can then be revoked/removed from the store, which results in them being uninstalled from the browser.

It is clear, from various independent analysis (see section 5, below), that these controls on their own are inadequate and that there is an urgent need for improvement in screening extensions before they are released to the store.

Extension Privileges

Contemporary web browsers make various APIs available so that browser extensions can perform their functions. These APIs have privileges in order to be able to carry out their tasks. In the real world, such privileges can be abused, either intentionally through malicious code, or unintentionally through buggy code. Unfortunately, more often than not, browser extensions require more privileges than they ought to have. Hence malicious or bogus extensions can have as consequence the injection of advertisements, stealing credentials, keylogging and can affiliate fraud[2].

However, improvements have been made in the way web browsers handle extensions, like protecting user data confidentiality, extension isolation mechanisms, and running extensions with least privileges.

Research and Analysis

Various research and analysis efforts have been conducted into the problem of malicious behaviour in browser extensions. In August 2014 at the 23rd USENIX Security Symposium, an academic research team, presented their findings using Hulk, a tool to elicit malicious behaviour in browser extensions. Using Hulk, they analysed 47940 extensions from the official Chrome Web Store and found that 130 were clearly malicious, while a further 4712 were doing something suspicious.

An excellent analysis of such a malicious extension was carried out by Maxime Kjaer, a computer science student, and is summarised in his blog. This highlights just how cunning the developers of such malware are and how serious the problem is. It also shows that even if the extension itself is 'clean', all it takes to turn a 'clean' extension into something malicious is to download the payload on installation rather than shipping with it. This makes the detection of malicious extensions harder.

Such research and analysis, coupled with close cooperation with the web browser developers, has resulted in many improvements, not only in the vetting of extensions before they are published in the official stores, but also in the web browser extension system itself. It is now also harder to install extensions from outside the stores, a practice known as "side loading".


Stores have implemented a permissions system but, simple extensions - even small ones - often need a lot of permissions. For example, if an extension needs permission to modify web pages visited by the user, it needs to be granted the permission to "access user data on all websites" – it effectively runs by injecting code into the web pages. Of course malware will always try to get as many permissions as possible, as demonstrated by the analysis of the iCalc extension.

To complicate things even further, it is perfectly legitimate for the original developer of an extension to sell it to another party, who is then able to do with it what they want. This case highlights the problem. The new extension owner changes the initially 'clean' extension, incorporating, for example, adware. The new version of the extension is then offered through the store and the extension auto-updates to the new version for those users that already have it installed. If the 'clean' extension previously asked for permissions, it won't need to re-ask for permissions after such an update (unless newly added permissions are required).

It goes without saying that there is a strong onus on the Store owners when it comes to vetting extensions. Various solutions have been proposed in this regard, e.g.: the static analysis of JavaScript code, new web browser extension systems, tools to monitor behaviour through data flow (Sabre and SpyShield) and monitoring of browser extension behaviour. However, we all understand that there is no such thing as perfect security and a holistic approach is therefore necessary, involving all the key stakeholders.


For End-Users

  • Report suspected malicious extension behaviour to the browser store immediately.
  • Regularly check installed extensions, and remove those that are no longer needed. The more extensions installed, the greater the risk of malicious behaviour or a vulnerability to emerge, so keep them to a minimum.
  • Pay attention to the number of installs and reviews an extension has received (this information is available per extension in each browser's store [3]). An extension with very few users (downloads), few reviews, or negative reviews, is something one should probably avoid, while an extension with a large number of users and positive reviews should be safer. Unfortunately, this isn't always true, so always exercise caution!
  • Official extensions made by companies associated with a service should pose less risk, e.g. Microsoft's or Google's extensions are probably safer than extensions made by someone you've never heard of. Again this is not always true thus the user should always be cautious.
  • Before installing, read the information supplied with the extension, especially any permissions required, and avoid installing any extension that appears to require too many permissions or may infringe one's privacy. Moreover, visit the developer's website - they often provide details of the permissions.
  • Avoid downloading extensions outside the stores, and be extra careful if side-loading cannot be avoided.

For Store Owners

  • Improve the automated vetting of extensions – the various research and analysis mentioned earlier has shown that it is effective in detecting malicious extensions.
  • Improve the vetting of extension developers, including those that may purchase an extension, adapt it and make a new version available in the Store. Block/retract any from those that fail the vetting. The vetting process should be continuous – a legitimate developer may become malicious at later date.
  • Ensure that there are effective controls in place in the Store and that the terms and conditions for use, especially for developers/extension owners, are clear and acknowledged.
  • Make it harder to install extensions from outside the Web Store - a practice known as "side loading" – as these sites may not have adequate vetting in place to identify malicious extensions.
  • Make it easy for end-users to report potentially unwanted behaviour of extensions.
  • Make sure that when malicious/compromised extensions are retracted from the Store, the extension is uninstalled from the end-user's browser as soon as possible.
  • Warn the end-user whenever an installed extension has changed ownership, and require reconfirmation of continued use and permissions, or disable/uninstall it automatically.
  • Cater for extensions developed as open source and label them as such in the Store. Open source has a good level of trust.
  • Make all extension permissions visible in the Store, allowing developers to provide more details on how permissions are used.
  • Encourage identification of malicious extensions by having an effective rewards system in place.

For Developers

  • Clearly describe what the extension does, as well the required permissions.
  • Only request permissions that are absolutely required to deliver the extension's core functionality.
  • Request optional permissions instead of "required permissions" when they are needed for optional/additional features.
  • Due to the lack of granularity in permissions, describe why each permission is required and how it is actually used by the extension.

[1] In this note we use the word 'store' to represent an official (controlled by the browser vendor) extension repository where third parties upload their extensions and make them available to users.

[2] Affiliate marketing is a model that involves merchants paying affiliates to drive consumer traffic to a merchant's website. The merchant pays the affiliate a commission for transactions that originate from affiliate activities and efforts. Malicious extensions have been discovered that run a script to replace the legitimate affiliate's number by that of the fraudster's, thus transferring any income to the fraudster.

[3] Mozilla Firefox:
Google Chrome:
Apple Safari:
Microsoft Edge:

About "Info Notes" from ENISA

With the "Info Notes" series ENISA aims to give interested readers some background information and recommendations about NIS related topics. The background information and recommendations derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more about the "Info Notes" series (

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information