Chrome, Firefox Extensions Block their Own Removal to Hijack Browsers


Security researchers have discovered malicious Chrome and Firefox extensions that block their own removal and, in effect, hijack a victim’s browser, making them even more difficult than before to remove.

These extensions, found in two of the most popular browsers, Chrome and Firefox, block removal by keeping users away from the pages that list the extensions (or add-ons, in the case of Firefox), or by sending users to a different page where the extensions aren’t listed. The malicious extensions also redirect users to drive clicks on YouTube videos to increase revenue, or hijack searches elsewhere.

As researchers from Malwarebytes reveal, this particular hijack is easy to circumvent on Firefox but a lot harder on Chrome. On Firefox, a user only needs to run the browser in safe mode and manually delete the malicious extension. Opening Firefox in safe mode is simple enough: hold the Shift key while starting the browser, then confirm the prompt that reads “Start in Safe Mode.”

However, in Chrome, the extension forcibly keeps users out of the browser’s extension list by redirecting to a separate URL where the malicious extension isn’t listed.

“The clean method to disable extensions from redirecting your Chrome tabs is to start Chrome with disabled extensions,” researchers wrote in the report. “You can do this by adding the switch ‘--disable-extensions’ to the command to run Chrome.”

However, this method does not allow users to remove the malicious extension, since Chrome will start without any extensions at all. Blocking JavaScript in Chrome also proves ineffective, as the setting applies only to websites and not to the browser's internal pages.

Instead, renaming the .js file does help: after a restart of the browser, the extension shows up as ‘corrupted’ because of the rename. At this point, the user can remove the extension altogether.
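To find which .js file to rename, it helps to list what each installed extension actually loads. The following is an added example, not code from the Malwarebytes report: it assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json`, the function names are hypothetical, and the sample extension it builds when run without an argument is constructed.

```python
import json
import sys
import tempfile
from pathlib import Path


def referenced_scripts(manifest):
    """Scripts a manifest loads: MV2 background, MV3 service worker, content scripts."""
    bg = manifest.get("background", {})
    scripts = list(bg.get("scripts", []))
    scripts += [bg["service_worker"]] if "service_worker" in bg else []
    scripts += [js for cs in manifest.get("content_scripts", []) for js in cs.get("js", [])]
    return [s.lstrip("/") for s in scripts]


def inventory_extensions(extensions_dir):
    """One record per <extensions_dir>/<extension id>/<version>/manifest.json."""
    records = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: nothing to report
        records.append({
            "id": path.parent.parent.name,
            "name": manifest.get("name", "?"),  # may be a "__MSG_...__" placeholder
            "scripts": [path.parent / s for s in referenced_scripts(manifest)],
        })
    return records


def rename_script(js_path):
    """Rename one script (with Chrome closed) so the extension can no longer load it."""
    return Path(js_path).rename(f"{js_path}.renamed")


def make_sample(base):
    """Constructed sample: one made-up extension with a background script."""
    root = Path(base) / ("a" * 32) / "1.0_0"
    root.mkdir(parents=True)
    manifest = {"name": "Sample Helper", "background": {"scripts": ["bg.js"]}}
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "bg.js").write_text("// constructed placeholder\n", encoding="utf-8")
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    for rec in inventory_extensions(target):
        print(rec["id"], rec["name"], *rec["scripts"])
```

Pass the profile's Extensions directory as the argument, and call `rename_script` only on a script belonging to the extension you have identified as malicious.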

“[F]or Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it,” researchers added.

Image credit: Pixabay