Computer Hygiene Part 1 - Browser Extensions

in security •  7 years ago  (edited)

Browser Extensions


Expanding the capabilities of your web browser through the use of plug-ins is something many of us do. It's simple and easy to browse the Chrome Web Store or Add-ons for Firefox pages and stock up on tons of free, useful, and novel extensions to increase productivity, add features, or simply change the browser aesthetic.

Unfortunately, browser extensions are often built on technologies like HTML, JavaScript, and CSS that can be exploited to perform malicious functions. With cross-browser extensions gaining support, the userbase for popular extensions is growing into the millions.

Potential Risks


Recently, the Chrome Web Developer extension created by Chris Pederick was compromised, effecting over a million users. Pederick tweeted out a notice explaining that he had fallen victim to a phishing attack and accidentally handed over his Google account credentials. The attacker used this to modify the extension and push an update that infected everyone using it.

This is not the first time, or the last, that this sort of attack will happen. Many of these attacks are aimed at injecting ads into your browser, which generate revenue for the attacker. Malicious code could also be embedded in these ads, allowing for further infection to spread. Even worse, keyloggers and clipboard sniffers could be added to the extension, potentially compromising millions of users sensitive information.

There was only one person that needed to be compromised in order to effect millions, indicating that this security model is incredibly flawed.

What You Can Do


The first thing you should do is cut down on all unnecessary browser extensions.

On Chrome, go to chrome://extensions/ and review everything on this page. Click the trashcan icon to delete all extensions you don't recognize or use. Additionally, if you use incognito mode when accessing sensitive information websites, make sure that the appropriate extensions are able to run by checking the "Allow in incognito" option.

On Firefox, go to about:addons and select the "Extensions" tab on the left. Go through and prune out everything unknown or unnecessary.

If you had unknown extensions, you're going to want to think about how they got there. Do some google-fu and research the extension name, find out if it's legitimate and if it is automatically installed with any software you use. You want to understand why and how things went wrong when they do in order to prevent them in the future.

Recommended Extensions


Panopticlick is a neat tool from the Electronic Frontier Foundation (EFF) that can tell you how well your browser protects you from common tracking methods. You will want to pass at least the first three tests, and ideally be protected from fingerprinting as well.

  • Privacy Badger - developed by the EFF, helps block spying ads and trackers
  • HTTPS Everywhere - developed by the EFF, forces HTTPS on all sites
  • Self-Destructing Cookies - automatically deletes cookies, add sites to the whitelist if you want to keep cookies for it
  • Less is more - avoid all unnecessary browser extensions, they are a major risk
  • AdBlock/uBlock - prevent ads from loading to decrease risk of accidentally clicking on one
  • NoScript/ScriptSafe - stop background scripts from running without your consent

For cryptocurrency users


Let me know in the comments below what browser extensions you recommend!

Leave a like or even resteem if you found this helpful. If you want to directly support my work, you can send ETH or ERC20 token donations to Tomshwom.eth. Find me on Reddit.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Thank you @tomshwom for the nice article. Upvoted!

If you deal with cryptocurrencies, then this means that you have become your own bank. So, we better take security measures to protect your money. We are used to others taking care of that for us. Unfortunately, that is not happening in crypto land. Everyone is on his own.

Browser extensions are one side of the problem. I would really appreciate it if someone can write a comprehensive guide on security for crypto investors.

Absolutely! This is only part 1 of a series of short, simple mini-guides for keeping your computer clean, but more crypto-specific guides and comprehensive tutorials are on the way. There's just so much to cover, it's difficult to get it all right and updated while keeping it digestible.

Then maybe, you should make a series about the subject. I am sure many people are interested. I know I am.

Hi Tom,
We have been recently reviewing my security behaviors through a reddit post. I just wanted to let everyone on here know that you have been a tremendous help to me. And I am forever grateful that you have given your time to assist those of us less security savvy.

chrispederick Chris Pederick tweeted @ 02 Aug 2017 - 15:25 UTC

The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded 😞

Disclaimer: I am just a bot trying to be helpful.