With new attacks on browser extensions in the news within the last week, and that attack vector apparently becoming a more active target, are we better moving from the browser extensions to native Bitwarden apps?
Is there any significant functionality lost in making this change?
I wasn’t doubting you, I just wanted some links. I assume you are referring to this:
So this is about malicious extensions distributed in a supply chain attack. The questions that the article raises for me are:
What is Google actually doing while it’s reviewing new submissions to their web store? They take their sweet time approving updates to the Bitwarden extension, yet cannot catch actual malicious extensions before unleashing them on the public?
Should Bitwarden make it easier to disable automatic updates of browser extensions (e.g., prompt the user before downloading/installing an update)? Should the release notes on bitwarden.com and GitHub include hashes or signatures to allow users to verify the integrity and legitimacy of extension updates pushed by the app stores?
I don’t think this is a case of malicious extensions, but more of code injection or some other methods of compromising legitimate extensions. At least that’s how I read it.
It seems to me they phished the developers for authorizations to manipulate how the extensions are distributed on Chrome. Possibly, if the developers were careful with the phishing emails, or were familiar with how Google “revoked” the extension because of policy violation, they wouldn’t have fallen for it.
Although there may be more exposed moving parts with how BW is being distributed on Chrome, what guarantee do we have that they wouldn’t attack how the desktop apps are being distributed?
I personally would feel that there is significant functionality loss. The logins wouldn’t be as convenient, and I would be less sure about protections against keyboard loggers, clipboard sniffers, and phishing attacks.
No, the developers were spearphished and tricked into giving the attackers access to their authentication credentials for the Chrome Web Store. This allowed the attackers to impersonate the developers and push a malicious version of the extension to the webstore, disguising it as a legitimate browser extension update. This was then downloaded by users (presumably via automatic updates), allowing a malicious payload to be installed on the users’ computers.
This is why I voiced a concern about the Chrome Web Store QA review team being asleep at the wheel, as they could/should have caught the malicious update before releasing it to users.
As I understand it, a series of developers had their credentials phished, enabling the bad actor to introduce a malicious release into the regular distribution channel. This has happened before and has even been inadvertently self-inflicted. The risk is not unique to the browser stores, so I would not think that app vs extension would play a big part in any such risk decision.
The term for these events is “supply chain attack”. The only real defense is to be slow to upgrade (which introduces its own risks), to follow the news regarding products you use, and to maintain backups so you have a clear path to revert.
You will lose autofill, which would be a significant security loss because you become susceptible to being phished by a look-alike web site. String matching can detect the difference between G00GLE and GOOGLE much more reliably than you or me.
It will be interesting to see if auto-fill could have prevented any of the recent 33 extension authors from disclosing their Chrome credentials to a malicious lookalike website.
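As an added illustration of the autofill point above (example code, not Bitwarden’s own matcher): a simplified host-based matcher that only offers a login when the parsed hostname’s base domain equals that of a stored URI, so a lookalike such as g00gle.com or google.com.evil.example gets nothing. The sample vault entries are constructed, and the two-label “base domain” rule is a simplification (no public suffix list).

```python
from typing import List, Dict, Optional
from urllib.parse import urlsplit


def _host(uri: str) -> Optional[str]:
    """Return the lowercase hostname of a URI, or None if it has none."""
    if "://" not in uri:
        uri = "https://" + uri  # stored entries are often bare hostnames
    host = urlsplit(uri).hostname
    return host.rstrip(".") if host else None


def _base_domain(host: str) -> str:
    """Naive base domain: the last two labels (assumption: no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matching_logins(page_url: str, vault: List[Dict]) -> List[str]:
    """Return names of vault entries eligible for autofill on page_url.

    Matching is done on the parsed hostname, never on how the page looks,
    so "g00gle.com" and "google.com.evil.example" never match an entry
    stored for "google.com", even though a human may read them as the same.
    """
    page_host = _host(page_url)
    if page_host is None:
        return []
    page_base = _base_domain(page_host)
    hits = []
    for entry in vault:
        for uri in entry["uris"]:
            entry_host = _host(uri)
            if entry_host and _base_domain(entry_host) == page_base:
                hits.append(entry["name"])
                break  # one hit per entry is enough
    return hits


# Constructed sample vault; no real credentials involved
SAMPLE_VAULT = [
    {"name": "Google", "uris": ["https://accounts.google.com/signin"]},
    {"name": "Chrome Web Store dev console", "uris": ["chrome.google.com"]},
    {"name": "Example bank", "uris": ["https://bank.example"]},
]

if __name__ == "__main__":
    for url in ("https://accounts.google.com/v3/signin",
                "https://g00gle.com/signin",
                "https://google.com.evil.example/login"):
        print(url, "->", matching_logins(url, SAMPLE_VAULT))
```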
And they managed to miss it some 30+ times (extensions).
Putting this into perspective, though, Mozilla FF review takes an upsettingly long time to approve BW extensions, presumably having to do with the “Recommended” label vs. “We are not monitoring this extension” label. I remember there was one highly anticipated hotfix deployment that got completely botched, i.e. when available on the extension store, the extension didn’t even run, and the size of the botched update was significantly smaller than the usual ones.
As a consumer who’s happy-go-lucky, I feel warm and fuzzy about having the additional Mozilla team’s efforts in preventing bad updates. The label and the approval time have to mean something, right?
As someone who’s watching, I am not holding my breath. These guys might catch something, but something serious is bound to slip through. Make plans accordingly. If it’s not Bitwarden, it’s going to be my other extensions.