Years ago I remember having a discussion with a colleague on interesting areas of research in information security. He brought up the idea of malicious browser plugins/extensions and mentioned creating something that could help raise awareness. I poo-pooed the idea at the time but the tides have changed according to a recent article on The Register. It looks like Zoltan Balazs has created a proof-of-concept with the forthcoming release of an extension that offers capabilities that any malicious hacker would jump for. The extension works on most recent browser versions and current operating systems with a notable exception of Internet Explorer.
So how do we defend against potential malicious extensions? As a first step Zoltan mentions augmenting existing antivirus capabilities to look deeper inside browsers to extend down to the extension level. Also browser makers could adopt an Apple-like closed “store” by default where they vet extensions for security risks prior to publishing. And finally training organizations could start incorporating warnings of malicious extensions into their existing awareness programs so users are more careful about the extensions they install.
via The Register
A security researcher has developed a proof-of-concept browser botnet extension to illustrate the perils of what he describes as a “looming menace”.
Zoltan Balazs of Deloitte Hungary developed the code to illustrate the risk from malicious browser add-ons, which he argues anti-virus vendors are ill-equipped to defend against.
Balazs is due to demonstrate how the technology works on both PCs and Android phones at the Hacker Halted conference in Miami, Florida later this week.
Balazs is also expected to demonstrate how the proof-of-concept code might be used to bypass Google’s two-step verification process.
Is the Apple-like closed ecosystem the best way to address the potential of malicious extensions? Today’s post pic is from BullGuard.com. See ya!