DEAR CISA:

Senator asks DHS if foreign-controlled browser extensions threaten the US

State-sponsored hackers have used extensions to spy before. Will they do it again?

Dan Goodin
Photo illustration by Jakub Porzycki/NurPhoto via Getty Images Credit: Getty Images

A US senator is calling on the Department of Homeland Security’s cybersecurity arm to assess the threat posed by browser extensions made in countries known to conduct espionage against the US.

“I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security,” Senator Ron Wyden, a Democrat from Oregon, wrote in a letter to Christopher Krebs, director of the DHS’ Cybersecurity and Infrastructure Security Agency. “I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.”

Also known as plugins and add-ons, extensions give browsers functionality not otherwise available. Ad blockers, language translators, HTTPS enforcers, grammar checkers, and cursor enhancers are just a few examples of legitimate extensions that can be downloaded either from browser-operated repositories or third-party websites.

Unfortunately, there’s a darker side to extensions. Their pervasiveness and their opaqueness make them a perfect vessel for stashing software that logs sites users visit, steals passwords they enter, and acts as a backdoor that funnels data between users and attacker-controlled servers.
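As an added illustration (not code from the article or from any vendor it names), the Python script below audits an extension's manifest.json and flags the permission combinations that make the browsing-history logging and traffic interception described above possible. The permission groupings and the two sample manifests are this example's own assumptions.

```python
import json

# Permission groupings are this example's own (assumption), not a classification
# defined by Chrome or Firefox.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
OBSERVE_PERMS = {"tabs", "history", "webNavigation", "webRequest", "cookies"}
CONTROL_PERMS = {"webRequestBlocking", "declarativeNetRequest", "scripting", "proxy", "debugger"}


def host_patterns(manifest):
    """Gather host match patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Return findings describing how the extension could watch or alter browsing."""
    findings = []
    hosts = host_patterns(manifest)
    perms = set(manifest.get("permissions", []))
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("broad host access: can read and modify every site")
    observe = perms & OBSERVE_PERMS
    if observe:
        findings.append("observes browsing: " + ", ".join(sorted(observe)))
    control = perms & CONTROL_PERMS
    if control:
        findings.append("intercepts or rewrites traffic: " + ", ".join(sorted(control)))
    # The DataSpii pattern: every-site access combined with tab or history
    # visibility lets an extension log the full URL of each page visited.
    if broad and perms & {"tabs", "history"}:
        findings.append("HIGH: can log the URL of every page visited")
    return findings


SAMPLE_MANIFESTS = {  # constructed examples, not real extensions
    "Weather Now": {"manifest_version": 3, "permissions": ["storage", "alarms"],
                    "host_permissions": ["https://api.weather.example/*"]},
    "Free Package Tracker": {"manifest_version": 2,
                             "permissions": ["tabs", "history", "webRequest", "<all_urls>"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, audit_manifest(json.loads(json.dumps(manifest))) or ["no risky permissions"])
```

Running it on real installs means pointing it at each unpacked extension directory's manifest.json; a "HIGH" finding is a reason to ask who publishes the extension, not proof of malice.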

Extensions: A short, sordid history

One of the more extreme examples of this type of malice came last year when Chrome and Firefox extensions were caught logging the browsing history of more than 4 million users and selling it online. People often think that long, complicated Web URLs prevent outsiders from being able to access medical or accounting data, but the systematic collection, dubbed DataSpii, proved the assumption wrong.

Among the sensitive data siphoned by the extensions was proprietary information from Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. The Dataspii extensions also collected private medical, financial, and social data belonging to individuals. The collection only came to light thanks to the dogged and costly work of an independent researcher.

Other examples of abusive extensions can be found here, here, here, and here.

Wyden’s letter mentions the case of an extension provider that’s from China, a country critics say pays hackers and others to steal source code, blueprints, and other proprietary data from its foreign adversaries. The senator wrote:

For example, my office has been investigating Genimous Technology, a Chinese company that, through a series of shell companies in offshore jurisdictions like Cyprus and Cayman Islands, controls a network of web browser extensions used by more than 10 million consumers. Genimous’ subsidiaries offer dozens of browser extensions, which provide users with some limited, free functionality, such as weather reports or package tracking, in order to gain access to users’ computers. The true purpose of Genimous’ browser extensions is to change users’ search engine to one offered by Verizon Media, which pays Genimous a fee for doing so.

I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security. In particular, I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.

Neither Genimous nor Verizon immediately responded to a request to comment for this post.

State-hired hackers

There are at least two reported cases of foreign governments using extensions in espionage hacks. The more advanced attack came to light in 2017. It involved Firefox extensions used by Turla, a Russian-speaking hacking group that many researchers believe works on behalf of the Kremlin.

One such extension analyzed by security firm Eset masqueraded as a security feature available from the website of a fictitious security company. Behind the scenes, it acted as a backdoor that connected infected computers to a Turla command and control server that retrieved stolen data and could upload and install new or updated malware.

To cover its tracks, the extension didn’t contact the server directly. Instead, it connected to the comment section of Britney Spears’ Instagram account. By computing a hash of a comment and then applying a regular expression to it, the backdoor derived the server address. Researchers from Bitdefender stumbled upon the same Turla campaign, which used other Firefox extensions.

A separate state-sponsored hack involving extensions occurred in 2018. It used Chrome extensions, available in Google’s official Chrome Web Store, that security firm Netscout believes stole data such as browser cookies and/or passwords. To give the extensions an air of authenticity, the hackers copied reviews left for other extensions that either praised or criticized them.

Getting answers

Over the years, Wyden has pressed both government officials and business leaders on a host of topics relating to technology. Last year, he and Senator Marco Rubio, Republican of Florida, called on CISA’s Krebs to investigate VPNs, which, like extensions, have the ability to covertly collect sensitive information and do other nefarious things.

“To that end, I ask you to assess the threat posed by web browser extensions offered and controlled by companies in adversary nations,” Wyden wrote. “If you determine that these companies and their products threaten US national security, please take the appropriate steps to protect US government employees and government systems.”

Post updated to change "nation" to "state" in certain usages.


Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.