Expanding the capabilities of your web browser through the use of plug-ins is something many of us do. It's simple and easy to browse the Chrome Web Store or Add-ons for Firefox pages and stock up on tons of free, useful, and novel extensions to increase productivity, add features, or simply change the browser aesthetic.
Recently, the Chrome Web Developer extension created by Chris Pederick was compromised, affecting over a million users. Pederick tweeted out a notice explaining that he had fallen victim to a phishing attack and accidentally handed over his Google account credentials. The attacker used these credentials to modify the extension and push an update that infected everyone using it.
This is not the first attack of this kind, and it will not be the last. Many of these attacks are aimed at injecting ads into your browser, which generate revenue for the attacker. Malicious code could also be embedded in these ads, allowing the infection to spread further. Even worse, keyloggers and clipboard sniffers could be added to the extension, potentially compromising millions of users' sensitive information.
Only one person needed to be compromised in order to affect millions, indicating that this security model is incredibly flawed.
What You Can Do
The first thing you should do is cut down on all unnecessary browser extensions.
On Chrome, go to chrome://extensions/ and review everything on this page. Click the trashcan icon to delete all extensions you don't recognize or use. Additionally, if you use incognito mode when accessing websites that handle sensitive information, make sure that the appropriate extensions are able to run by checking the "Allow in incognito" option.
On Firefox, go to about:addons and select the "Extensions" tab on the left. Go through and prune out everything unknown or unnecessary.
If you had unknown extensions, you're going to want to think about how they got there. Do some google-fu and research the extension name, find out if it's legitimate and if it is automatically installed with any software you use. You want to understand why and how things went wrong when they do in order to prevent them in the future.
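To make the review above less manual, here is an added example (not part of the original post) that reads each installed extension's manifest.json and flags the access an ad injector, keylogger, or clipboard sniffer would need. It assumes Chrome's on-disk layout of Extensions/<extension id>/<version>/manifest.json; the two sample extensions are constructed, and the flagged permission lists are a starting set chosen for this example.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that let an extension read and change every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (clipboard, traffic and tab access).
SENSITIVE_APIS = {"clipboardRead", "webRequest", "tabs"}

def audit_manifest(manifest):
    """Summarise what one extension manifest is allowed to touch."""
    requested = set()
    for key in ("permissions", "host_permissions"):  # MV2 and MV3 locations
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts are injected into matching pages, so count their patterns.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return {"name": manifest.get("name", "?"),
            "broad_hosts": sorted(requested & BROAD_HOSTS),
            "sensitive_apis": sorted(requested & SENSITIVE_APIS)}

def audit_profile(extensions_dir):
    """Audit every <extension id>/<version>/manifest.json under the directory."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        findings.append({"id": path.parent.parent.name, **audit_manifest(manifest)})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, not real ones."""
    samples = {
        "sample-id-toolbar": {"name": "Handy Toolbar", "version": "1.0",
                              "permissions": ["tabs", "clipboardRead", "<all_urls>"]},
        "sample-id-theme": {"name": "Dark Theme", "version": "2.1",
                            "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in audit_profile(build_sample_profile(tmp)):
            risky = item["broad_hosts"] or item["sensitive_apis"]
            print(item["id"], item["name"], "REVIEW" if risky else "ok", item)
```

To run it against a real browser, pass audit_profile the Extensions folder inside your Chrome profile directory (chrome://version shows the profile path). A flag is a prompt to look closer, not proof of compromise, since many legitimate extensions need broad access.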
Panopticlick is a neat tool from the Electronic Frontier Foundation (EFF) that can tell you how well your browser protects you from common tracking methods. You will want to pass at least the first three tests, and ideally be protected from fingerprinting as well.
- Less is more - avoid all unnecessary browser extensions; they are a major risk
- AdBlock/uBlock - prevent ads from loading to decrease risk of accidentally clicking on one
- NoScript/ScriptSafe - stop background scripts from running without your consent
For cryptocurrency users