It's time to rethink your browser extensions.

According to researchers at Boston's Northeastern University, nine of the 10 most popular Firefox extensions open the door to security intrusions and malware.

In dubious good news for advertisers and publishers, only Adblock Plus — which lets users "block all annoying ads all over the web" — was impervious to the attacks.

1,000s of Vulnerabilities

But the risks extend far beyond the top 10, noted researchers Ahmet Salih Buyukkayhan, Kaan Onarlioglu, William Robertson and Engin Kirda.

As a result of their increasing popularity, attackers are increasingly targeting browser extensions, researchers explained.

In fact, they found more than 2,000 Firefox extensions for Windows and OS X computers were vulnerable, including Firebug, Greasemonkey, Web of Trust, NoScript Security Suite, Video DownloadHelper, DownThemAll!, Flash Video Downloader, FlashGot Mass Downloader and Download YouTube Videos as MP4.

Why should you worry? Extensions can often access private browsing information such as cookies, history and password stores, and also systemwide resources.

"Malicious extensions or attacks directed at legitimate extensions pose a significant security risk to users," the researchers noted.

Exploiting Flaws

To be clear, browser extensions themselves are not malware. Nor do they contain malware. The problem is that they have security flaws — extension-reuse vulnerabilities — that malware can exploit.

"Extension-reuse vulnerabilities are real, practical, and are present in large numbers in popular extensions downloaded by millions of users," they wrote.

"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputystyle attacks. Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

Learning Opportunities

In published statements, Nick Nguyen, VP of Product for Mozilla Firefox, conceded that the researchers are correct and that the way add-ons are implemented in Firefox today opens the door to attacks. However, he also noted that Firefox is evolving its core product and its extensions platform to build in greater security.

Later this year, Firefox will start to sandbox its extensions so that they cannot share code, he added.

The researchers acknowledged that last August, Mozilla announced major changes to Firefox extensions, including the implementation of a new add-on API called WebExtensions. "Although details and security implications of these changes were not clear at the time of writing, we expect that a systematic security analysis of WebExtensions would be a promising future research direction," they added.

What Did You Expect?

"No security professional should be surprised that attackers have taken advantage of browser extensions and plugins for malicious purposes,” said Tim Erlin, director of IT Security and Risk Strategy for Portland, Ore.-based Tripwire.

Erlin noted that extensions are the apps of the browser ecosystem, and added, "Ensuring that the extensions marketplace is free from malware is key to the viability of the browser ecosystem.

He continued, "Anytime you let third-parties contribute code to your product, you’re increasing the risk that malicious code can be introduced. A system of third-party developed extensions, plugins or apps in a product with a large user base creates a golden opportunity for attackers."

For now, Firefox users may want to give some serious thought to using extensions and remove all but the most essential ones. You can find detailed instructions for removing Firefox add-ons here.

Title image "ordered" (CC BY 2.0) by jared