'Looming menace' of evil browser extensions to be demo'd this week

A security researcher has developed a proof-of-concept browser botnet extension to illustrate the perils of what he describes as a "looming menace". Zoltan Balazs of Deloitte Hungary developed the code to illustrate the risk from malicious browser add-ons, which he argues anti-virus vendors are ill-equipped to defend against …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    my bank will ONLY work in the explorer browser

    does not leave me with too many options to avoid it with a clean, alternative browser...

    1. xyz

      Re: my bank will ONLY work in the explorer browser

      err...I don't see the word (internet) explorer in the article, it only mentions "clean" browsers.

    2. Lee Dowling

      Re: my bank will ONLY work in the explorer browser

      And, not being funny, but I used that as the reason I gave when I changed banks TEN YEARS AGO and thought it perfectly valid even then. NatWest literally only allowed you to login with Netscape (which was old even then) or IE and I told them they could fix it or lose me. Probably didn't even notice my loss, but I cited it as the reason I moved to a provider who DID recognise what online security actually means.

      Requiring IE is not an excuse for sloppy programming practices. And if you don't program sloppily, you don't need to enforce the user's browser.

      My own bank (and even my pre-pay credit card company, mobile phone company, etc.) all let me login using my browser of choice (Opera), on the device of my choice (Android phone, laptop, PC) and never complains (unless I use a seriously out-of-date version of something with known security problems that affect the banking component, as they should).

      Hell, they keep trying to offer me a free version of McAfee, despite the fact that I don't use Windows half the time I'm logging in, but I put that down to some marketing bright-spark - but it's not compulsory, which I put down to some IT bright-spark.

      Would you tolerate a bank that says they'll only allow you to manage your account if you do it from a public place where everyone can hear you? Then don't tolerate sloppy web programming posing as pseudo-security.

    3. Test Man

      Re: my bank will ONLY work in the explorer browser

      You never heard of the "Internet Explorer (No Add Ons)" shortcut? Use that. Problem solved.

  2. Anonymous Custard

    App-store

    Browser developers should adopt an App Store-style model and deny the installation of browser add-ons obtained from outside this ecosystem by default

    Doesn't Chrome already do this, at least in the current version?

    I seem to recall a couple of weeks ago trying to install an extension that wasn't from their store and being blocked because of that fact?

    1. JDX

      Re: App-store

      You can certainly install plugins as normal... I have my own plugin installed.

    2. Argh

      Re: App-store

      Yes, I think that Chrome blocks installations (certainly of extensions) from outside the Chrome store, unless you put some effort into working around it by going to chrome://extensions and drag-and-dropping the downloaded extension into it.

      That worked for me installing a greasemonkey script, anyway.

      I'm not sure how thoroughly curated the Chrome store is though. If it's like Play store, anyone can upload an extension.

    3. Anonymous Coward

      Re: App-store

      Chrome does all of that, though its blacklist is a list of extension identifiers. Nothing stops the bad guys from generating a bazillion of those -- so long as they don't distribute through the Web Store. I wonder if any antivirus companies have signatures for malicious extensions?

  3. dssf

    What about Dolphin Browser?

    I hope he tests and discloses how well Dolphin fares.

    1. Anonymous Coward

      Re: What about Dolphin Browser?

      I'll see your marine mammal and raise you a Lynx.

      I demand to see proof of concept text based assimilation.

  4. Matt_payne666

    seems odd that everyone's most hated browser is not in the list of exploitable systems

    :)

    1. Anonymous Coward

      You noticed that Opera was absent too then.

    2. Anonymous Coward

      How many add-ons are there for IE anyway? Hardly any, hence on this front IE is more secure than the rest.

      I actually use FF and Chrome as my main browsers (FF until it grinds to a halt, then in exasperation switch to Chrome). For banking I use IE9 without any add-ons except LastPass, and which is isolated from man-in-the-middle and other interferences by Prevx / WRSA and OpenDNScrypt.

      I will definitely get flamed for using IE for banking, but I do know what I am doing unlike some of you lot.

        1. Roland6

        re. get flamed for using IE for banking

        But I see that you're using Prevx, a product designed to help protect against man-in-the-browser attacks and as far as I can see makes IE more secure than either FF or Chrome.

        I've been using Prevx on a bunch of students' and teenagers' laptops for over a year now and none (as yet) have required any attention other than a forced update of components not automatically updated over the web. The other security product on these systems is naturally Microsoft's, as it gets quietly updated as part of Windows/Microsoft update.

        2. Anonymous Coward

        According to their system requirements, it's not even compatible with Internet Explorer 9:

        http://www.prevx.com/freescan.asp#systemreq

        There are free products out there that do the job well enough for me. Never even heard of Prevx to be honest.

  5. Brewster's Angle Grinder

    I came to this article expecting to be outraged by a self-serving hyperbole. Then I read it and realised the researcher was right.

    1. This post has been deleted by its author

  6. philbo

    "Evil" browser extensions?

    Does that include the Google/Ask/otherpointless toolbars?

    1. Anonymous Coward

      Re: "Evil" browser extensions?

      Memories of those things at the height of their "popularity" make me shudder every time I see someone rapidly clicking their way through an application's install process without paying attention.

  7. Dr. Vesselin Bontchev

    Much ado about nothing

    1) Most browsers already implement the App Store model for extensions distribution. Google even went as far as to make installing extensions (or even user scripts!) from other sources a major pain in the butt.

    2) This isn't, of course, a complete solution to the problem, since malicious extensions WILL find their way in the app store - as has happened with Android apps in Google Play.

    3) Where exactly is the problem for the anti-virus developers?! The extension arrives as a file. Any file can be scanned before the browser is allowed to access it. If it contains known malware, access to it will be denied. If the malware is not known, it doesn't matter whether the virus scanner could scan it or not. Even the already installed extensions exist as files (or sets of files) on the file system of the computer and can be scanned.

    About the only things worth noticing in this idea are that browser extensions are cross-platform (but, then, so is JavaScript - which is no coincidence, since browser extensions are normally written in JavaScript) and that they allow easy interception of the operation of the browser.

    The idea isn't even new; I remember somebody from Symantec covering this issue (as well as the "widgets" issue - as in Yahoo! Widgets, etc.) at some Virus Bulletin conference years ago.
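Two points raised in this thread, that an identifier blacklist is defeated by simply generating new extension identifiers (the Anonymous Coward under "App-store") and that installed extensions are just files on disk that any scanner can read (Dr. Bontchev's point 3), can be illustrated together. The script below is an added example written for this page, not code from the article, the researcher or any browser vendor: it walks a directory tree laid out like a Chromium-style profile (`<id>/<version>/manifest.json`, an assumed layout), parses each manifest, reports the permissions it requests, and computes a SHA-256 over every file so that two copies of the same extension installed under different identifiers produce the same content hash. The `RISKY_PERMISSIONS` set is an assumption chosen for the example, not an official classification, and the extension trees it inventories are constructed in a temporary directory.

```python
"""Inventory browser extensions on disk: parse manifests, hash files, flag permissions.
Constructed example; the <id>/<version>/manifest.json layout is an assumption."""
import hashlib
import json
import os
import tempfile

# Permissions worth a second look in an inventory report (assumed list for this example).
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "cookies", "tabs", "history", "nativeMessaging"}


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large bundles stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_extension_dir(ext_dir):
    """Return (content_hash, {relative_path: sha256}) for every file under ext_dir.
    Names and contents are hashed in sorted order, so the same extension gets the
    same content hash no matter which identifier directory it sits under."""
    files = {}
    for dirpath, _, names in os.walk(ext_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, ext_dir).replace(os.sep, "/")] = sha256_file(full)
    h = hashlib.sha256()
    for rel in sorted(files):
        h.update(f"{rel}\0{files[rel]}\n".encode())
    return h.hexdigest(), files


def inventory_extensions(root):
    """Find every manifest.json below root and describe the extension that owns it."""
    results = []
    for dirpath, _, names in os.walk(root):
        if "manifest.json" not in names:
            continue
        entry = {"id": os.path.relpath(dirpath, root).split(os.sep)[0], "path": dirpath}
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, json.JSONDecodeError) as exc:
            entry["manifest_error"] = str(exc)  # unreadable manifest is itself a finding
            results.append(entry)
            continue
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        content_hash, files = hash_extension_dir(dirpath)
        entry.update(name=manifest.get("name", "?"), version=manifest.get("version", "?"),
                     content_hash=content_hash, files=files,
                     risky_permissions=sorted(perms & RISKY_PERMISSIONS))
        results.append(entry)
    return sorted(results, key=lambda e: e["id"])


def find_duplicate_content(inventory):
    """Group by content hash: identical code shipped under different ids shows up here."""
    by_hash = {}
    for entry in inventory:
        if "content_hash" in entry:
            by_hash.setdefault(entry["content_hash"], []).append(entry["id"])
    return {h: ids for h, ids in by_hash.items() if len(ids) > 1}


def build_sample_extensions(root):
    """Constructed sample data: one extension under two different ids, plus a benign one."""
    helper = {"name": "Totally Legit Helper", "version": "1.0", "manifest_version": 2,
              "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
              "background": {"scripts": ["bg.js"]}}
    for ext_id in ("aaaabbbbccccddddeeeeffffgggghhhh", "ppppoooonnnnmmmmllllkkkkjjjjiiii"):
        d = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(helper, f)
        with open(os.path.join(d, "bg.js"), "w", encoding="utf-8") as f:
            f.write("// constructed placeholder script; does nothing\nconsole.log('bg');\n")
    d = os.path.join(root, "abcdabcdabcdabcdabcdabcdabcdabcd", "2.1_0")
    os.makedirs(d)
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "Note Taker", "version": "2.1", "manifest_version": 2,
                   "permissions": ["storage"]}, f)


def run_demo():
    """Build the sample tree in a temp dir, inventory it, return (inventory, duplicates)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_extensions(root)
        inventory = inventory_extensions(root)
        return inventory, find_duplicate_content(inventory)


if __name__ == "__main__":
    inv, dups = run_demo()
    for e in inv:
        print(f"{e['id']} {e.get('name')} v{e.get('version')} "
              f"hash={e.get('content_hash', '?')[:16]} risky={e.get('risky_permissions')}")
    for h, ids in dups.items():
        print(f"same content {h[:16]} under ids: {', '.join(ids)}")
```

Run against a real profile's extension directory, the per-file hashes are what a scanner or allowlist would consume, while the content hash is what makes a blocklist robust against the "bazillion identifiers" problem: a new directory name changes the id, not the hash.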

  8. Anonymous Coward

    where can i download the addon

    WHERE CAN I DOWNLOAD THIS ADDON. I THINK IT WOULD BE A GOOD ADDITION TO FF.

  9. James 100

    This is why ...

    ... I was so irritated when some survey website wanted me to install their own plugin to complete some survey. I never even considered it of course - ditto the "this survey requires IE" one: straight to /dev/null.
