recommended reading

Google Chrome’s Little Helpers Are Offering Hackers a Backdoor to Hijack Your Web Browsing

Mark Lennihan/AP

Extensions are useful little programs written by independent developers to customize your browser experience, whether its by blocking advertisements,aggregating your newsfeed, or keeping you on task. But they may also offer a way for malicious coders to get past Google Chrome’s notoriously tight security to harness your online activity for personal profit, or perform other acts of  mayhem.

In December, Google’s developer community noticed that an extension called Window Minimizer was hijacking people’s searches to earn money for a third-party search engine. The extension—a productivity shortcut for other web developers—was written by someone calling himself Ionut Botizan, who had it reroute links from Google search to a third party search engine called Ecosia, allegedly to save the rainforest (Right…). Botizan’s little trick is an variation on clickjacking, which momentarily shunts web users to a third-party site to artificially boost traffic or generate ad revenue.

Extensions run alongside Chrome, not within it, so the security onus is supposed to be on developers, who have to abide by Google’s Developer Program Policies, and on users, who must agree to each extension’s Terms of Service. Ostensibly, this frees both Google and the developer from liability. But in practice it means that Google has to play catch-up to police the thousands of Chrome extensions that are available.

On its own, Botizan’s hack was mostly harmless. But it’s worrying how easily he was able to fool other developers, the very people who should know better. For those of us who may not be so well-informed, it’s sobering to think what a truly malicious extension could do.

Threatwatch Alert

Network intrusion / Spear-phishing

Researchers: Bank-Targeting Malware Sales Rise in Dark Web Markets

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download

When you download a report, your information may be shared with the underwriters of that document.