A US senator is calling on the Department of Homeland Security’s cybersecurity arm to assess the threat posed by browser extensions made in countries known to conduct espionage against the US.
“I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security,” Senator Ron Wyden, a Democrat from Oregon, wrote in a letter to Christopher Krebs, director of the DHS Cybersecurity and Infrastructure Security Agency. “I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.”
Also known as plugins and add-ons, extensions give browsers functionality not otherwise available. Ad blockers, language translators, HTTPS enforcers, grammar checkers, and cursor enhancers are just a few examples of legitimate extensions that can be downloaded either from browser-operated repositories or third-party websites.
Unfortunately, there’s a darker side to extensions. Their pervasiveness and their opaqueness make them a perfect vessel for stashing software that logs sites users visit, steals passwords they enter, and acts as a backdoor that funnels data between users and attacker-controlled servers.
Extensions: A short, sordid history
One of the more extreme examples of this type of malice came last year when Chrome and Firefox extensions were caught logging the browsing history of more than 4 million users and selling it online. People often think that long, complicated Web URLs prevent outsiders from being able to access medical or accounting data, but the systematic collection, dubbed DataSpii, proved the assumption wrong.
Among the sensitive data siphoned by the extensions was proprietary information from Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. The DataSpii extensions also collected private medical, financial, and social data belonging to individuals. The collection only came to light thanks to the dogged and costly work of an independent researcher.
Wyden’s letter mentions the case of an extension provider that’s from China, a country critics say pays hackers and others to steal source code, blueprints, and other proprietary data from its foreign adversaries. The senator wrote:
For example, my office has been investigating Genimous Technology, a Chinese company that, through a series of shell companies in offshore jurisdictions like Cyprus and Cayman Islands, controls a network of web browser extensions used by more than 10 million consumers. Genimous’ subsidiaries offer dozens of browser extensions, which provide users with some limited, free functionality, such as weather reports or package tracking, in order to gain access to users’ computers. The true purpose of Genimous’ browser extensions is to change users’ search engine to one offered by Verizon Media, which pays Genimous a fee for doing so.
I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security. In particular, I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.
Neither Genimous nor Verizon immediately responded to a request to comment for this post.
There are at least two reported cases of foreign governments using extensions in espionage hacks. The more advanced attack came to light in 2017. It involved Firefox extensions used by Turla, a Russian-speaking hacking group that many researchers believe works on behalf of the Kremlin.