A TALE OF BETRAYAL: MALICIOUS BROWSER EXTENSIONS IN THE CONTEXT OF CYBER SECURITY AND PRIVACY

Authors: Giulia Melotti Garibaldi
Affiliation: Cyber Security Consultant; Master’s degree in Law, University of Milano-Bicocca, Italy

Keywords: cyber; security; browser extensions; protection; privacy.

ABSTRACT. Browser extensions are popular additions to web browsers meant to enhance the online user experience by providing customizable options to meet the individual needs of users. Among the wide variety of extensions available on the market, spanning from ad blockers to password managers, some of these software modules have proven to be a double-edged sword. As a matter of fact, in the past few years we have witnessed an alarming increase in malicious extensions available for download, targeting unaware victims who rely on their apparent functional nature, while hiding a world of illicit data theft and sharing practices to the consumers’ detriment. In order to examine whether the trade-off of privacy for functionality might still be an ongoing issue, this article follows two different approaches where theory and practice go hand in hand. The first consists of a technical state-of-the-art analysis of different browser extensions available for download on the Chrome Web Store, while the second comprises a study of the questionable risks posed by those technologies from a privacy perspective. With regard to the latter, the author acknowledges the worldwide reach of browser extensions, while understanding the existence of a vast regulatory landscape around the globe. For the purpose of this paper, the analysis focuses solely on the European privacy framework, consisting of the General Data Protection Regulation (hereafter referred to as the GDPR) and the Directive on Privacy and Electronic Communications (the ePrivacy Directive). The conclusion drawn is that, despite all the efforts to counteract malicious browser extensions, some of them are still perpetrating harm and breaching privacy principles in a way which might not seem evident to users.
