Browser Extensions Can Have Malware: My Shock of “The Great Suspender” Chrome and Edge Extensions

Image for post
Image for post
Photo by Michael Geiger on Unsplash

For a couple of weeks, I have been pondering whether my browser extensions could be a source of vulnerabilities. It turns out they can!

A couple of days ago, I received a notification from the Microsoft Edge browser warning me about malware in one of my extensions: The Great Suspender.

Image for post
Image for post

I started panicking, so I decided I would start researching this. I found the GitHub repository for The Great Suspender extension. I searched for “malware” in the open issues and surprisingly found a relevant issue.

SECURITY: New maintainer is probably malicious

Here are a couple of snippets from the issue that increased my concerns.

On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious.

Using the chrome web store version of this extension, without disabling tracking, will execute code from an untrusted third-party on your computer, with the power to modify any and all websites that you see.

I have been running anti-malware software and running scans daily, and there were no reports of malware. It occurred to me that anti-virus and anti-malware might only catch malware running on the machine.

Fortunately, I have been running the Malwarebytes browser extension for a few months. I hope this helped mitigate some of the issues, yet the malware might have been present since November 2019 (that more than one year ago at the time of this writing).

I started to take action right away.

  • I uninstalled the extension from the Microsoft Edge browser. Edge had already disabled it for me and no longer allows anyone to install it.
  • I uninstalled the extension from the Chrome browser. I also reported abuse since Chrome still allows anyone to install it.
  • I fully cleaned my browsers by clearing the all-time history, cache, etc.
  • I ran CCleaner to do a full cache clean on my machine.
  • I installed another anti-virus program and ran a full, deep scan just if my anti-malware program missed anything.
  • I started to changed passwords to my sensitive accounts.
  • I revisited my browser extension preferences, which I will discuss in further detail.

From what I can tell, there is no breach. I hope it stays that way.

I did the following to improve my browser extensions:

  • I updated all the remaining extensions by visiting Manage Extensions, enabling Developer Mode, and performing an Update.
Image for post
Image for post
Image for post
Image for post
Image for post
Image for post
  • I checked the extension permissions and realized I was giving the “keys of the kingdom” to all my extensions, so I put that to an end.
Image for post
Image for post
  • I visited each of the extension preferences, navigated to This Can Read and Change Site Data, and set the permission to When You Click the Extension. I implemented this setting to all extensions except those meant to “protect” me, such as the Malwarebytes Browser Guard extension. Note: The screen capture below shows the restricted setting for illustration purposes.
Image for post
Image for post

Now, when I want to use an extension, I need to activate it.

Image for post
Image for post
The extension is currently disabled.
Image for post
Image for post

It is somewhat of an inconvenience. Yet, I still benefit from the extension only when I want to use it instead of when the extension wants to do something.

Decide whether it makes sense to install a browser extension, whether you can trust it, and how much of your data you are willing to give away.

Consider implementing the extension settings I showed above, and visit sensitive web sites (e.g., banking sites) using Incognito Mode.

A Note from the Author

Join my mailing list to receive updates about my writing.

Visit miguelacallesmba.com/subscribe and sign up.

Stay secure,
Miguel

Miguel is a Principal Security Engineer and is the author of the “Serverless Security “ book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.

Nerd For Tech

From Confusion to Clarification

Miguel A. Calles MBA

Written by

Miguel is the author of the “Serverless Security” book, and a cybersecurity engineer.

Nerd For Tech

We are tech nerds because we believe in reinventing the world with the power of Technology. Our articles talk about some of the most disruptive ideas, technology, and innovation.

Miguel A. Calles MBA

Written by

Miguel is the author of the “Serverless Security” book, and a cybersecurity engineer.

Nerd For Tech

We are tech nerds because we believe in reinventing the world with the power of Technology. Our articles talk about some of the most disruptive ideas, technology, and innovation.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store