Bad-ons: Hazardous helpers
Download videos and music with one click, boost your surfing speeds, or block annoying ads. Firefox and Chrome are so popular because you can add smart new functions to these browsers in just a few clicks thanks to little extensions. But what many don’t know is that these add-ons are really risky.
If you install a browser extension, you’ll probably be jumping for joy about the cool new features and nice little extras you’ve added to your browser. But, what these little helpers get up to in the background is anyone’s guess. This is why we are only too happy to go installing them unsuspectingly and without a care in the world. Users trust the seemingly safe “official” download sites such as Firefox Add-ons or the Chrome Web Store. On top of this, users skip running any sort of a scan using an up-to-date virus scanner as they feel they’re perfectly safe. The result: With each add-on they welcome a guest into their home who can cunningly hide its true intentions. Let’s take Adblock Plus as an example. This popular ad blocker can read and change all the private information, such as the passwords you enter, on every site you visit. This is because Adblock Plus, just like many other add-ons, enjoys the same rights as the browser itself, making these capabilities the perfect gateway for password Trojans.
Mini apps with maxi rights
Add-ons are tricky little devils. As they’re “only” extensions to installed programs, they can be added with a single click – you don’t even need admin rights to install them. What’s more, the Windows Firewall doesn’t block them nor does a virus scanner analyze them because they’re an extension of a main program. Google seems to be fully aware of these facts, as ultimately the Chrome developer itself highlights that your privacy is at risk if add-ons are enabled. The browser only cuts the flow of juicy data to all the installed add-ons when in incognito mode, which is the mode you switch to when you want to surf anonymously. This suggests that when in normal browsing mode you run the risk of being spied on or may have already fallen victim to traps that exploit vulnerabilities in add-ons.
Just waiting for the day
Sights set on online banking
One thing’s for sure: The catch is worth it. Even high security standards like SSL or TLS would be ineffective, throwing the door open to hackers to get their hands on the logins for every single internet account. Online banking attacks are also a possibility. The add-on could route a TAN (transaction authentication number) to the criminals’ server instead of the bank. Armed with the login details and the TAN, nothing would stand in the way of a juicy wire transfer ending up in the gangsters’ account. Even the best security programs would face huge problems with this approach. This is because when a user logs in to an online service, if the Trojan is activated the login data is written in parallel to a central file – and this file can then be read straight away. Virus scanners are powerless in this regard as they don’t detect any sign of manipulation.
Protect yourself against bad-ons
Even if nothing is 100% secure, you can protect yourself in the following ways:
- Install a browser like Opera which – it has all the important security add-ons already in place and is a safe choice.
- Only install add-ons from safe download sites such as Firefox Add-ons or the Chrome Web Store.
- Don’t go installing loads of extensions, limit them to only the key ones. If you don’t, you’ll not only go throttling performance but also increasing the risk of potential attacks.
- If an installed add-on starts asking for new permissions, this should set off the alarm bells.
- Have a good antivirus installed – just in case!
Otherwise it’s down to the browser developer to restrict add-ons’ access to only certain servers. This would prevent code crackers from being able to inject malicious code via third-party servers in the first place.