Browser extensions as growing security risk.

Speeduser7533

Interesting article though I'm not surprised at all:

https://thehackernews.com/2024/12/when-good-extensions-go-bad-takeaways.html?m=1

Which makes me glad that I moved from a cloud-based password manager to a file-based one. Of course I suppose that could still be vulnerable but at least my credentials aren't living on somebody else's servers.

rellhom

Speeduser7533

I feel like an algorithmic password technique that resides in my head is even better.

DeletedUser143

Speeduser7533 I always felt a doubt in password manager as an extension. Even if it is Bitwarden in Brave. Today they can steal your cookie session, and tomorrow there can be found a way to, don't know, switch your Bitwarden extention to malicious one and require you to relogin and finito, you F`d. That is why I use Bitwarden as a separate app on my Linux

zzz

Relevant post from the GOS account on mastodon:

Traditional [browser] extensions heavily compromise the per-site sandbox and place an enormous amount of trust in the authors. They're not only trusted to not be malicious or sell their extensions to spyware companies as many are doing but also to enforce the browser's privacy and security model correctly. Most traditional extensions fail to live up to this and inherently can't do it well through the way the process model works where 1 process runs for the whole extension for every site.

https://grapheneos.social/@GrapheneOS/113432780437598358

fid02

A cybersecurity company wasn't using phishing-resistant authentication? Ok…

fid02

fid02 A cybersecurity company wasn't using phishing-resistant authentication? Ok…

Appears that that might not have been relevant in this case. More information unveiled: https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/

A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.

xuid0

fid02 how many times has LastPass been breached in the past?
Note: The answer to my question is the amusing part it is not an attack on you.

Speeduser7533

DeletedUser143 Yeah that makes sense. Anytime I learn about some other attack vector becoming 'popular' I evaluate getting rid of it.

Currently I only have a few passkeys (<10) in my online password manager, and of those 90% are not what I'd consider **critical ** accounts. Certainly no credit cards etc. I keep some Passkeys there because that PW manager seems to do a better job of letting me create passkeys on some accounts than KeePassXC does currently.

I have not considered using the desktop app on Ubuntu, didn't know it exists, frankly. But I may consider it.

fid02

xuid0 how many times has LastPass been breached in the past?

This case appears to be interesting because, based on the information in the Arstechnica article I linked above, it does not appear that the attacker attempted to gain access through an MFA-bypass attack by intercepting the employee's Google account credentials and then stealing a session cookie. Rather it appears that they simply tricked the employee to approve a request to connect a malicious app to their Google account. Hence the cybersecurity company might have been using phishing-resistant MFA or passkeys, but it wouldn't really matter. It's interesting that the cybersecurity company didn't foresee this attack avenue and didn't lock down the ability for employees to connect apps to their Google accounts. (I assume that Google made the latter possible; if not, that is cause for concern).

Please note that my general knowledge of cybersecurity is limited.

xuid0

fid02 I guess its worth mentioning that there are several places one can sell access to ones workplace to a err bad threat actor to take over the account and do numerous bad things with the employees credentials. Vetting people in your org becomes super important lately for this reason.

missing-root

So it makes sense to only use trusted ones.

On Firefox and Chromium Desktop you can use policies to allow or preinstall addons, and block others.

xuid0

missing-root

Yes.

The only way one would be able to get around that in my limited knowledge of how app stores work. Is that if the malicious app was already on the said app store. Which unfortunately has happened to Google Play app store a couple of times in the past. But limiting to an app store or not allowing side loading still mitigates quite a lot of attacks.