Browser security extensions are not really trying to protect against malicious extensions, and they wouldn't be able to, because by design they run with the same privileges as those extensions, Balazs said.
Balazs also tested Internet security suites from five top antivirus vendors that he declined to name. The level of protection they offered against malicious browser extensions varied from none to good.
One of the tested products detected and removed the researcher's malicious Firefox extension, but he was able to bypass the detection signature by adding a single space character at a specific location in the extension's code.
A product from a different vendor came with a "safe browser" feature that involved creating a clean Firefox profile with no extensions installed. However, once it had created the profile, it kept using the same one, which meant that a malicious extension installed in the user's regular browser profile could copy itself to the "safe browser" profile, Balazs said.
Balazs said a third vendor, asked in a forum if its product detects or blocks Firefox keylogging extension Xenotix KeylogX, replied there was no need because "browser add-ons are subject to the same sandbox the browser runs through." The vendor recommended that users remove any suspicious extensions themselves, he said.
For Balazs, the answer highlights the poor understanding some vendors have of this type of threat, because Firefox doesn't have a sandbox and malicious browser extensions can be installed silently by malware without users ever knowing.
Some other "safe browser" implementations, such as Avast's SafeZone and Bitdefender's Safepay, did block the installation of malicious extensions. These offerings are designed to give users a way to bank and shop securely online using a custom browser based on Chromium, the open source project behind Google Chrome, within a secure environment similar to a sandbox.
Even though Balazs didn't find a way to install malicious extensions directly into the Avast SafeZone or Bitdefender Safepay browsers, he claims to have found a weakness that could allow an attacker to spy on traffic, even when users access HTTPS websites and their connection is encrypted.
If the victim's primary browser is Firefox, the attacker could first use social engineering to trick the victim into installing a malicious extension. He could then use that extension to download and execute a piece of malware designed to change the system-wide Internet proxy settings and to install a rogue root CA certificate into the Windows certificate store.
Chromium, along with Internet Explorer, uses the system-wide proxy settings and certificate store, so an attacker could exploit this to pass all traffic from the Avast SafeZone or Bitdefender Safepay browsers through a proxy server he controls and perform man-in-the-middle interception using the new root CA certificate added to the system.
This attack would also bypass Chromium's public-key pinning protection, which is supposed to detect whether the public keys used for the certificates of some popular websites such as Gmail or PayPal have been changed by a man-in-the-middle attacker, Balazs said.
The user will not receive any certificate warnings inside the browser because Chromium allows user-installed root CAs to override pins, a design decision explained by Google software engineer Adam Langley in a May 2011 blog post.
Windows does show a security prompt when a new CA certificate is added to the certificate store, but the malware is able to automatically confirm the action, so the user doesn't have to click anything.
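Because the described attack works by changing two system-wide settings rather than the "safe browser" itself, a defender can watch exactly those two places. The following PowerShell audit is an added example, not code from the article or from the researcher: it diffs the Windows trusted root stores against a baseline taken on a clean machine and reports the WinINET proxy configuration that Internet Explorer and Chromium-based browsers share. The baseline file path is a hypothetical choice.

```powershell
# Added example: audit the trusted root stores and the system-wide proxy settings
# that a "proxy + rogue root CA" interception relies on. Run it on a known-clean
# system once to record the baseline, then periodically to report drift.
param(
    # Hypothetical location for the allowlist of known-good root CA thumbprints.
    [string]$BaselinePath = "C:\ProgramData\RootCaBaseline.txt"
)

# Both the per-user and the machine-wide root stores feed certificate validation,
# so a certificate silently added to either one is relevant.
$roots = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue

if (Test-Path $BaselinePath) {
    # Keep only well-formed SHA-1 thumbprints (40 hex characters) from the baseline.
    $known = Get-Content $BaselinePath |
        Where-Object { $_ -match '^[0-9A-Fa-f]{40}$' } |
        ForEach-Object { $_.ToUpper() }

    $unknown = $roots | Where-Object { $known -notcontains $_.Thumbprint.ToUpper() }
    foreach ($cert in $unknown) {
        # PSParentPath tells us which store (CurrentUser or LocalMachine) holds the root.
        Write-Warning ("Root CA not in baseline: {0} | thumbprint {1} | store {2}" -f
            $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    }
    if (-not $unknown) { Write-Output "Root stores match the baseline." }
}
else {
    # First run: record every current root thumbprint as the allowlist.
    $roots | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique | Set-Content $BaselinePath
    Write-Output ("Baseline written to {0} ({1} root certificates)." -f $BaselinePath, $roots.Count)
}

# WinINET proxy settings are per user and are honoured by IE and Chromium-based
# browsers; a system proxy that nobody configured deserves a look.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Warning ("System proxy is enabled: {0}" -f $inet.ProxyServer)
}
if ($inet.AutoConfigURL) {
    Write-Warning ("Proxy auto-config (PAC) URL is set: {0}" -f $inet.AutoConfigURL)
}
if ($inet.ProxyEnable -ne 1 -and -not $inet.AutoConfigURL) {
    Write-Output "No system proxy configured."
}
```

Any root flagged as unknown should be compared against the vendor's published thumbprint before it is trusted again, and a proxy or PAC URL that the user or IT did not set is a strong indicator that traffic is being redirected.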