Malware in open-source web extensions

On February 4, millions of browser tabs were suddenly terminated. Not everyone was surprised; the dozen people who spent the last four months waiting for this tragedy to occur watched in relief as the first in a rapid stream of GitHub comments began pouring in. The Great Suspender, a Chrome extension that suspended inactive tabs, with around two-million users, had been forcibly uninstalled because it contained malware. This was a serious problem for users, in part due to the difficulty in recovering the lost tabs, but the extension's malevolence had been painfully obvious to anyone who cared to investigate it.

Who owns the code?

This extension was compromised not because some cunning cracker had gotten into the build infrastructure or thanks to a failure to escape certain metacharacters. Instead it was due to an open question in free and open-source software communities: Who owns the code? The entire point of an open-source license is to divorce us from being restricted to one group controlling everything about the code. Rather, the code is owned by the community around it, as opposed to any one individual. However, that is only true in theory when it comes to many types of software.

The reason this theory breaks down in practice is that the code doesn't magically move from one member of the community to another: somewhere, there needs to be a canonical place for patches and pull requests to be unified into releases. Such a location needs an owner: a person to operate the server, hold the GitHub accounts, sign the releases, and push them to distributors.

But what happens when the original creator decides to move on? In the case of Python, we can see that play out in real time. Many projects are not titanic behemoths with a dedicated foundation and complete governance system, however; instead, they may just have a single maintainer who manages the occasional patch from the community. Sites that host code for open-source projects (e.g. GitHub) do allow for having a core team of maintainers and a collection of other contributors, each able to continue to evolve the project on their own. But some distribution systems, such as the Chrome Web Store or the Apple App Store, effectively require a single person to be responsible for the code and every one of its releases.

Since the original creator has exclusive control over the account for the distribution channel (which is typically the user's only gateway to the program), it logically follows that they are responsible for transferring control to future maintainers, despite the fact that they may only have the copyright on a portion of the software. Additionally, as the distribution-channel account is the property of the project owner, they can sell that account and the accompanying maintainership. After all, while the code of the extension might be owned by its larger community, the distributing account certainly isn't.

Such is what occurred for The Great Suspender, which was a Chrome extension on the Web Store that suspends inactive tabs, halting their scripts and releasing most of the resources from memory. In June 2020, Dean Oemcke, the creator and longtime maintainer, decided to move on from the project. He transferred the GitHub repository and the Web Store rights, announcing the change in a GitHub issue that said nothing about the identity of the new maintainer. The announcement even made a concerning mention of a purchase, which raises the question of who would pay money for a free extension, and why.

Of course, as the vast majority of the users of The Great Suspender were not interested in its open-source nature, few of them noticed until October, when the new maintainer made a perfectly ordinary release on the Chrome Web Store. Well, perfectly ordinary except for the minor details that the release did not match the contents of the Git repository, was not tagged on GitHub, and lacked a changelog.

Had I not been bored, I never would have searched for a changelog, found the GitHub repository, and seen the allegations that the new maintainer had included a malicious script in the release. Worse, the only reason I knew about the release was due to the nature of the extension itself: virtually every other browser extension gives no notice of updates. Because The Great Suspender needs to seize control of a tab's process to suspend it, it has a fairly elaborate mechanism to warn about and conduct updates, which is a direct result of the problems that otherwise occur.

Investigating

What followed from that October discovery was a roller-coaster ride: only a few security amateurs had decided to take a look at the update and we had no idea what to do. The extension now seemed to be downloading and executing a JavaScript file from an unrelated third-party domain. That domain appeared to be Open Web Analytics, a perfectly legitimate alternative to the Google Analytics already used by the extension: crisis averted. Well, until we discovered that the domain was utterly unrelated and was actually delivering a script that would be linked to other malicious browser extensions. While the JavaScript of Chrome extensions is required to be distributed in unobfuscated form, remote scripts are (clearly) not verified. Since discovering the function of a minified JavaScript file is a difficult task, and the actual script served could have varied, the exact details of what the extension did remain unclear.

While some suspect that the remote script was committing advertising fraud by rewriting referral headers, those suspicions are based on analysis of other malicious extensions that use the same analytics ID as the loaded script. Shortly before the update, the new owner made some minor changes in order to justify the addition of request-intercepting permissions. Thus, it is feared that the remote script was harvesting the logins from HTTP forms, as well as authentication cookies. Unfortunately, confirming those suspicions is difficult: the server serves an innocent version of Open Web Analytics to direct requests (i.e. those sent by directly visiting the page), and likely performed multiple levels of verification to make the true version hard to capture. Since Google has removed the extension as malware, the malicious version of the JavaScript code has likely stopped being served altogether. The investigators, having proven that the extension was not running Open Web Analytics despite the clear efforts to masquerade as such, simply concluded that it was malicious and moved on.

That release, which granted the power to inspect and modify all the HTTP(S) requests of over a million browsers to a malicious domain, happened in October 2020. A follow-up release, which removed the malicious code, was published after a month, but it appears that the original version had disabled auto-updating, since most existing installations kept the malicious version until it was forcibly removed. Four months passed before that time, during which the extension's entire user base wasn't just vulnerable, but was effectively already hacked.

This shows another problem: how the extension's malware nature faded from sight. The progression of experiences for each user who discovered the malevolent behavior was clear: following a brief period of outrage, possibly paired with a report to Google, the user would uninstall the Web Store version and sideload a safe version from source (which is the only way to prevent Chrome from automatically updating to the compromised version). As a result, they would move on from the discussion, resulting in long periods of silence where all involved parties decided that, since they were now safe from the malware, it was no longer their problem. Meanwhile, new GitHub issues continued to be opened, driving the dire warnings of immediate security compromise further and further away from even a suspicious investigator. Spikes in activity were few and far between: following a month of silence, a few Twitter accounts raised the issue in early January, leading to some reporting of the malware, but more weeks of silence would pass before Google's eventual ban.

Other examples

The Great Suspender had been compromised before, as have numerous other extensions. The ability to inspect the complete browsing activity of millions of users is worth a fortune, even if the attacker makes no effort to actually compromise any of their accounts. This makes web extensions an excellent target for the enterprising attacker. An eerily similar case is that of the paired extensions Nano Adblocker and Nano Defender, which were forked from uBlock Origin.

UBlock Origin is a widely-distributed, open-source ad-blocking extension intended to be fast, lightweight, and reasonably user-friendly, while still offering advanced filtering capabilities. UBlock Origin was itself forked from the original uBlock by its original creator, Raymond Hill, after (you guessed it) he transferred ownership of uBlock to a new, untrustworthy maintainer, Chris Aljoudi. In addition to creating a website solely to solicit donations, Aljoudi began reducing blocking features, eventually choosing to permit certain ads via the "acceptable ads" program. This effectively meant that large ad providers could easily pay to have their ads not be blocked: in short, the original uBlock joined the long list of ad-blockers that do the exact opposite.

As a result, Hill created a fork, now called uBlock Origin, which reverted the changes. When Hugo Xu later created Nano Adblocker, it was based on uBlock Origin, adding additional functionality to let users submit reports of unblocked ads for later review and fixes. Xu also created an extension to protect against websites that try to block users of uBlock-based ad-blockers, called Nano Defender. However, the massive strain of needing to triage the ever-changing web sites that were working to get through the filters led Xu to sell both extensions to an undisclosed group of Turkish developers. Nano Defender and its 200,000+ users, upon their recent acquisition, immediately began having their personal data mined.

These two examples are only part of a larger problem with browser extensions, even those that are open source. These extensions are available for free, subject to minimal review, and are easily published in the same locations as legitimate extensions. As a result, browser extensions with explicitly malicious practices appear all the time and are one of the most popular methods of modern malware delivery.

It is often quite simple to convince an inexperienced user that this extension will improve their searching experience, or that one will block malicious domains. The developer then buries some code in the extension that turns the user's computer into an ad-viewing, money-making machine. Furthermore, since there is only minimal communication with users after they install, the acquisition of login credentials can turn even a existing, open-source extension with an established basis of trust into a security risk. The fact that the Chrome Web Store requires unobfuscated JavaScript in the extension is of little assistance when extensions can simply load a payload from what seems to be an innocent analytics provider, or even just rely on the rarity of JavaScript developers willing to install and examine large numbers of extensions to check for malware.

While both Nano Defender and The Great Suspender have been removed from the Web Store, and users have changed their work habits or moved to other extensions (uBlock Origin and The Marvellous Suspender, respectively), the underlying issues remain. Chrome's extensions platform has a long history of being understaffed, and moves slowly. This is reflected in the four months it took for Google to remove The Great Suspender, including a full month after news outlets reported on the problems. To prevent these issues from occurring again in the future, Google has been pushing a "Manifest V3", which (among other, more controversial requirements) bans the practice of executing any JavaScript loaded from a remote server. While this wouldn't block the Nano Defender attack, it would prevent the levels of indirection that were employed by The Great Suspender, which would make it much easier to identify and remove the malware. Other questions raised by this issue are the inability for extension authors to communicate with their users and the risks of automatically updating extensions for all users. While automatic updates are a useful feature, there are also some concerns with them, as these incidents have shown.