Browser Extension Sniffers – How Do Bad Actors Use Them?

Finjan Team | Blog, Cybersecurity

Web browser extensions are those little applets you can add to Firefox, Chrome, Edge/Internet Explorer or another desktop browser to increase the functionality of the main program and spice up your online experience in any number of ways.

For the desktop browser environment, extensions are pretty much the equivalent of mobile apps. In fact, many of them also come in a mobile flavor that’s suitable for tablets and smartphones.

If there’s a tool or function you can think of, there’s probably an extension for it: Ad blockers, dictionaries, translators, notepads, video streamers, imaging tools… the list goes on.

So, something for everyone. Unfortunately, this also includes hackers.

Web Browser Extensions for Hackers

In this article, we’ll be looking at the existing ecosystem of browser extension sniffers that try to extract useful information from online browsing sessions, web users, and the sites that they visit – either to exploit directly or in combination with related tools and techniques.

Early Days with Firesheep

What you might call the mainstream use of browser extensions for hacking purposes really got under way in 2010, with the release of Firesheep, an extension for the Firefox web browser. It was created by Seattle-based software developer Eric Butler, and built to target 26 online services of the time, including current favorites like Amazon, Facebook, Google, The New York Times, Twitter, WordPress and Yahoo!

Firesheep was intended by Butler as a tool for highlighting the security risks associated with session hijacking, or “sidejacking” – an attack which itself dates back to at least 2007, and involves in some way taking over (hijacking) the connection between a web browsing user and the site or service they’re connected to, usually over an unsecured wireless network.

The extension operates as a packet sniffer, analyzing all unencrypted data traffic on an unsecured Wi-Fi connection between a Wi-Fi router and any systems which are on the same network. Firesheep waits for people to log in to any of the 26 sites listed in its database (which can also be customized and extended), and snags session cookies transmitted from the site to a user’s web browser.

These cookies typically contain personally identifying information (PII) such as your user name or session ID, though not usually passwords. Even so, an intelligent hacker could use them to pose as you to the website or service and enjoy a session of their own, accessing your account and being able to make posts, send emails, post comments, and so on.

Firesheep was an early incarnation of this breed of hacking tool and had limited capabilities; among other things, it could not readily extract passwords. But the years since its release have seen the emergence of numerous other extensions with the potential for malicious use.
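A site owner can check whether their own session cookies are exposed to the kind of capture described above by auditing the `Set-Cookie` headers their server sends. The following is an added example, not code from the original article; the sample headers and cookie names are constructed for illustration.

```python
# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure
Set-Cookie: auth=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Secure:   cookie is never sent over plain HTTP, so a Wi-Fi sniffer cannot read it.
# HttpOnly: cookie is hidden from page scripts (document.cookie).
# SameSite: cookie is withheld from most cross-site requests.
FLAGS = ("secure", "httponly", "samesite")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}), attributes lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(raw):
    """Report cookies missing protective flags and whether HSTS is advertised."""
    weak_cookies = {}
    hsts = False
    for line in raw.splitlines():
        field, sep, value = line.partition(":")
        if not sep:  # status line or blank line
            continue
        field = field.strip().lower()
        if field == "strict-transport-security":
            hsts = True  # browser will refuse plain-HTTP connections to this host
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            missing = [flag for flag in FLAGS if flag not in attrs]
            if missing:
                weak_cookies[name] = missing
    return {"hsts": hsts, "cookies": weak_cookies}


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```
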

Browser Extension Sniffers – An Evolving Breed

Go to the extensions download site for any of the major web browsers, and you’ll find a selection of applets dedicated to packet sniffing and the extraction of behind-the-scenes information from web pages and online resources.

Notable extensions which have emerged since the days of Firesheep include:

  • Web Sniffer: A Chrome extension for viewing all HTTP requests and responses sent between the web browser and a web server. It’s capable of displaying information such as request IDs, types of requests, host names, URLs, and filters.
  • Library Sniffer: Another Chrome extension, this time set up for sniffing web frameworks and JavaScript libraries run on a remote website. Web APIs (Application Programming Interfaces) such as those used by Google Analytics and server-side software such as Apache, nginx, or PHP may also be sniffed.
  • OpenLink Structured Data Sniffer (OSDS): An extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Vivaldi, which reveals structured metadata embedded within HTML documents and web pages.
  • Network Sniffer: An extension which enables the user to see in one place all the traffic from the network that they’re currently on.

Positive Uses for Extension Sniffers

Packet sniffing isn’t necessarily a bad thing. For network administrators and security professionals, tools like these browser extensions offer an additional way of gaining insight into traffic flows across a network, the way users are accessing and employing network resources, potential vulnerabilities or security loopholes, and other valuable data.

For example, the Network Sniffer extension described above is particularly helpful for software developers, who often need to see the URLs of new windows and pop-ups or background calls made to various processes. And the OpenLink Structured Data Sniffer (OSDS) can be a valuable tool in Search Engine Optimization (SEO) for marketing and analytical efforts.

But the potential for abuse of these extensions is very real. Sites offering reviews or access to such products often tread a fine line between Black and White Hats. There are even instances where extensions are described as tools to help users become professional hackers, in the interest of promoting cyber-security!

The Really Bad Stuff

So, how bad can it get? Well, as we’ve seen, using web browser extensions for sniffing to facilitate session hijacking enables hackers to potentially take over an unsuspecting user’s online account to insert their own content into social media feeds or email messaging streams. This can be used for distributing propaganda, phishing, and socially engineered messages to lure other users into a variety of traps, or even for distributing malware.

Much of this activity is made easier for the perpetrators because so many people still use unprotected mobile devices and laptops on unsecured wireless networks such as free public Wi-Fi hotspots. And these hotspots enable hackers to use other techniques and tools in conjunction with web browser extension sniffers, to extend their capabilities even further.

For example, setting up a bogus access point at a popular location (e.g., “Starbucks Wireless”) can easily pull in a bunch of unsuspecting victims who connect to what they believe to be a genuine hotspot, but which is actually more like a “point and kill” fish tank where the hacker can probe and sniff out information from these trapped users, at will.

The new breed of extension sniffers can even steal browser cookies which are protected by strong SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption. And the browser extension ecosystem has expanded to take in a variety of other tools that can assist hackers and fraudsters in their work. These include utilities for viewing and modifying HTTP/HTTPS headers and post parameters, analyzing and tweaking in real time the scripts running on a web page, and numerous other functions. There are extensive listings of these tools, freely available online.
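An extension can only observe traffic or read cookies if its manifest declares the matching permissions, so reviewing `manifest.json` before installation or during a fleet audit shows which extensions have that reach. The following is an added example, not code from the original article; the two sample manifests are constructed, and the list of permissions treated as risky is this example's own selection.

```python
import json

# Permissions that give an extension visibility into traffic or cookies.
RISKY = {
    "webRequest": "observe requests and responses",
    "webRequestBlocking": "modify or block requests in flight",
    "cookies": "read and write cookies, including HttpOnly ones",
    "debugger": "attach the debugger protocol to tabs",
    "proxy": "reroute browser traffic",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not taken from any real extension).
SNIFFER_LIKE = """{"manifest_version": 2, "name": "Example Header Viewer",
  "permissions": ["webRequest", "cookies", "<all_urls>"]}"""
DICTIONARY = """{"manifest_version": 3, "name": "Example Dictionary",
  "permissions": ["storage", "activeTab"],
  "content_scripts": [{"matches": ["https://dictionary.example/*"], "js": ["lookup.js"]}]}"""


def audit_manifest(manifest_text):
    """Summarize the traffic-related reach an extension manifest requests."""
    manifest = json.loads(manifest_text)
    perms = [p for key in ("permissions", "optional_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)]
    # Manifest V3 lists host patterns separately; V2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    risky = sorted(set(p for p in perms if p in RISKY))
    broad = sorted(set(hosts) & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "risky": risky,
        "broad_hosts": broad,
        # Sensitive API plus every-site scope is the combination worth a manual review.
        "review": bool(risky and broad),
    }


if __name__ == "__main__":
    for text in (SNIFFER_LIKE, DICTIONARY):
        report = audit_manifest(text)
        print(report["name"], "-> review" if report["review"] else "-> ok")
        for perm in report["risky"]:
            print("   ", perm, ":", RISKY[perm])
```
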

Your Protection Strategy

Using public Wi-Fi and unsecured wireless networks puts you at the greatest risk from hackers using packet sniffers and other tools packaged as web browser extensions. So your first line of defense should be to use a Virtual Private Network (VPN) app or service, every time you connect.

VitalSecurityVPN from Finjan Mobile provides the unique combination of a fully-fledged VPN service and a fully-featured web browser, together in the one app. And the browser incorporates tools for scanning and reporting in real time on sites and services that are attempting to track your movements and activities.

To protect your browser, use the extensions ecosystem to your advantage, by installing a variant of HTTPS Everywhere. This forces your connection to use secure SSL/TLS encryption throughout your session, and on every website which supports these protocols.

And if you’re using a wireless router at home or in the office, be sure to set up a secure password for it. You should also ensure that your router uses the more secure WPA2 security standard if your hardware supports it.
