Malicious websites can exploit browser extension APIs to execute code inside the browser and steal sensitive information such as bookmarks, browsing history, and even user cookies.
The latter, an attacker can use to hijack a user's active login sessions and access sensitive accounts, such as email inboxes, social media profiles, or work-related accounts.
Furthermore, the same extension APIs can also be abused to trigger the download of malicious files and store them on the user device, and store and retrieve data in an extension's permanent storage, data that can later be used to track users across the web.
These types of attacks are not theoretical but have been proven in an academic paper published this month by Dolière Francis Somé, a researcher with the Université Côte d'Azur and with INRIA, a French researcher institute.
Somé created a tool and tested over 78,000 Chrome, Firefox, and Opera extensions. Through his efforts, he was able to identify 197 extensions that exposed internal extension API communication interfaces to web applications, allowing malicious websites a direct avenue to the data stored inside a user's browser, data that under normal circumstances only the extension's own code could have reached (when the proper permissions were obtained).
The French researcher says he was surprised by the results, as only 15 (7.61%) of the 197 extensions were developer tools, a category of extensions that usually have full control of what happens in a browser, and would have been the ones that he expected were easier to exploit.
Around 55 percent of all the vulnerable extensions had fewer than 1,000 installs, but over 15 percent had over 10,000.
Somé said he notified the browser vendors about his findings before going public