Back to LinkedIn posts

LinkedIn post 162

⚠️ About 7 months ago I've posted about Cyberhaven, a cybersecurity company that re...

⚠️ About 7 months ago I've posted about Cyberhaven, a cybersecurity company that released a Chrome extension to prevent sensitive data from leaking. Then they were hacked and a malicious version of their extension was uploaded to the Chrome Web Store and almost 400,000 users browsers were infected. Upon investigation, other 16 browser extensions were found with that same malicious code.

More recent attacks have been targeting Salesforce data and someday those bad actors will use browser extensions (and VS Code extensions too).

We should learn how to guard against that as much as possible.
Here are a few recommendations (not exhaustive).

Before installing an extension:
👉 don't just trust the Chrome Web Store or the Visual Studio Marketplace
👉 don't just check the permissions on the manifest file
👉 check that it is open-source, that it has a repository
👉 check that the code is not obfuscated (code is legible, commented)
👉 get to that code and try to understand it
👉 or submit it to an AI to help you understand it, ask it to look for malicious, obfuscated code
👉 you can use https://gitingest.com/ with the repo URL to get a text digest of the codebase and paste it to an LLM
👉 there are services such as https://crxcavator.io/ and https://chrome-stats.com/ that check and report extensions

If you're manually scanning the code, these might be considered suspicious:
⛔ network calls such as fetch, XMLHttpRequest, chrome.runtime.sendMessage, chrome.storage.sync (*)
⛔ dynamic script loading such as eval, Function, setTimeout with strings
⛔ encoding strings in Base64 or hexadecimal (obfuscation of possible hidden payloads)
⛔ string splitting/joining patterns used to hide URLs
⛔ requests to 3rd party servers unrelated to the extension's stated function
⛔ code that modifies form inputs or listens to keyboard events without a clear purpose
⛔ code that access cookies, tokens, or local storage (*)

You can also install and run the extension in a controlled environment (VM or throwaway profile), then:
🎯 use Chrome DevTools → Network tab to monitor outbound requests
🎯 look for POST/GET to unknown domains
🎯 check if it sends page content or authentication tokens
🎯 you can also proxy traffic with mitmproxy or Burp Suite (PortSwigger)
🎯 use chrome://extensions-internals to inspect the extensions you have installed

(*) as far as I know, all browser extensions for Salesforce have to retrieve session id/tokens from cookies - unless the extension requires a Connected App set up in advance - and the browser extensions usually call Salesforce's APIs using that session id.