Have you thought about how browser extensions can be dangerous for your website? Any one of us may install a new extension without giving it too much thought, but it turns out that you may put your own website at risk if you don’t do your homework first. Keep reading to find out how unsafe browser extensions may harm your website.
Last month, a new client asked us to run a security check on their website. Their visitors were seeing this type of warning when they accessed the website, so our client suspected they’d been hacked.
We added the site to Sucuri for monitoring. Sucuri soon alerted us that the site had been blacklisted by McAfee, further confirming something was wrong.
Tracking down the issue was tricky for a couple of reasons:
- Despite the malicious code being inside the database, our usual security scanners, and several other backup scanners, didn’t note there was a problem since the code looked like ordinary JavaScript*.
- I wasn’t able to see the issue myself because virus scan programs detected the problem when a cookie was placed on the computer, and I was running a cookie-free browser.
In the end, the Immuniweb site helped us find the problem because it listed out adware-type links like promclickapp.biz and rasenalong.com in the “Third-Party Content Analysis” section. The website shouldn’t have had any type of adware included in its content, so this was the red flag we were looking for. Once we narrowed down the issue to cookies, I ran a browser allowing cookies and was able to see the cookies added via the browser tools. With the links noted by Immuniweb, I was able to find the malicious code inside the website.
*It’s important to note that JavaScript in and of itself is not dangerous, and has many legitimate uses on a website. However, you (or your web developer) should always be aware of JavaScript being used on your website, and be familiar with its source, to ensure it is legitimate and clean.
What is a browser extension?
A browser extension is a small piece of software that you can add to your internet browser for extra functionality. There are all types of extensions. Any web user might add one that allows them to add images to Pinterest, for example, or add a product to their Amazon wish list. Other extensions block ads on websites. A web developer may use extensions that help her determine fonts used on a web page, or verify a website’s accessibility status.
Browser extensions show up to the right of the address bar in Chrome or Firefox.
Why does this hack mean browser extensions may be dangerous?
In this case, we believe the client’s previous web developer was using a browser extension that either was illegitimate, or became infected at some point. Searching for more information on the origin of the hack, and the URLs rasenalong.com and promclickapp.biz led us to this article about LNKR, “malware that uses browser extensions for Chrome to track browsing activities of users and overlay ads on legitimate sites.”
Vice.com provides further explanations on how this type of attack happens and why it’s important to be careful about the browser extensions you use.
When the previous developer edited content inside a page on the website, the extension added JavaScript adware code to the content.
On the client’s site, using Elementor, the scripts appeared like this in the text editor window:
Switching to the text tab, the script code appeared like this:
How can you check if your browser extension is safe?
Ghacks.net provides us with some tips on how to check whether a Chrome browser extension is safe. The same tips apply to Firefox or other browser extensions as well. Ghacks.net suggests we check the web store’s listing. Does the language used make sense, and do the screenshots correspond to the purpose of the extension? If the extension has its own website, check that out as well. Verify the permissions the extension requests when you’re installing it. If it asks for more permissions than it needs to perform its functions, don’t continue the installation.
Keep in mind that the tips provided are indicators, not completely fail-safe methods. Less is more when it comes to browser extensions and security, so only install those you absolutely need.
In the Chrome store, you can check an extension’s ratings by clicking on the stars under its name. Read the reviews to confirm that they sound legitimate. However, some extensions may be safe, but not widely used. A lack of ratings doesn’t mean an extension is not safe. Likewise, high ratings don’t mean the extension hasn’t been purchased by another entity since it was created, and modified to include adware or viruses. Still, it’s a good indication that everything is above board.
How else can you protect your website from dangerous browser extensions?
Besides verifying extensions before installing them, here are some other steps you can take to protect your website from malicious extensions:
- Audit your extensions on a regular basis.
Do you still need them? If not, uninstall them. Are they still safe? Search the web for information about them, verify their permissions. - When editing your website, use an “incognito” or “private” browser window.
In these types of windows, your extensions won’t be active. Even if one has become unsafe, it won’t be able to insert malicious code into your website. - Run regular malware and virus scans on your computer.
Most virus scan software (McAfee, Norton, Avast), can also alert you to PUPs (potentially unwanted programs), which are often adware. - Run regular security scans on your website to be sure it is safe.
Services like Sucuri check your website against various blacklists and alert you if your site has been blacklisted.
If you think your website has been hacked and you need help cleaning it up, get in touch. If you want help keeping your website secure on an ongoing basis, check out our security packages.
