"Browser extensions extend the functionality of the web browser. These extensions improve the appearance, functionality, security or other parts of the browser. Extensions were also developed with malicious intent, in order to generate revenue or just spread the code between more and more browsers. The possibility of a malicious browser extension is almost infinite, but we have not seen very powerful malicious extensions yet."
Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension. The researcher plans to release the malware's source code on GitHub during a presentation at the Hacker Halted security conference in Miami next Tuesday
This Malwaretize Browser extensions is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.
Balazs is also expected to demonstrate how the proof-of-concept code might be used to bypass Google's two-step verification process. The demo extension in versions for Firefox , Chrome and Safari, a version for Internet Explorer would also be feasible. The Firefox version also works on Android, albeit with reduced opportunities.
"The Firefox version can also steal passwords from the browser's built-in password manager, download and execute files (only on Windows), modify the content of Web pages in the same way that banking Trojans modify online banking websites to hide rogue transaction records, take screen shots through the computer's webcam by accessing a Flash application hosted on a Web page, act as an HTTP proxy that allows an attacker to communicate with a server on the victim's internal network, and more."
Existing Malware of this nature will hardly been detected by antivirus programs. On the Firefox maker Mozilla is the recommendation to install new add-ons only from the official marketplace for extensions permit, as is already the case in Chrome.