A Bitdefender spokesman said Wednesday that "Safepay is designed as an additional layer of security to protect sensitive activities such as online banking or shopping. Although it has strong self protect mechanisms, Safepay is not a replacement for an AV [antivirus] product nor is promoted as such."
The product performs a security assessment to identify active malware on the computer before the secure browsing session is initiated, but if malware previously infiltrated the system and installed a rogue root certificate there is a chance that the session could be compromised, the spokesman said. "Nevertheless, this scenario is plausible when users don't have an antivirus product installed."
"We have an ongoing project that aims to discover Safepay's vulnerabilities in different scenarios (system or third-party related) and develop solutions to minimize the risks of compromised user sessions," he said. "The assessment of installed certificates on the system is at the top of our list."
Avast did not immediately provide a statement regarding this attack method.
Some security products recommended by banks to their customers and designed to prevent malware-related financial fraud were also found to lack protection against malicious browser extensions. Balazs tested six such products from different vendors, but only one blocked browser extensions in his tests.
Since then, a few more have added protection for this type of threat, but they use different approaches, he said. Some block all extensions while others detect only malicious ones, he said.
Balazs also tested Sandboxie, a program designed to isolate applications from the operating system by running them inside a sandboxed environment and preventing them from making permanent changes to other programs or data on the computer.
The product's website says that "running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially."
However, that only stops a rogue browser extension within Sandboxie from writing to local storage outside the sandbox. It can still log keystrokes and store them within the sandbox, capture images with the computer's webcam, or steal passwords and authentication cookies stored in the browser, the researcher said.
In general, malicious Firefox extensions can modify the settings of other extensions or the browser itself, but they can also indirectly modify the source files of installed extensions by downloading and executing a piece of malware designed to do this when the browser is closed, Balazs said. (The source files are locked while the browser is running.)
During a presentation Saturday at the Hacker Halted USA 2013 security conference, Balazs demonstrated how malware can insert backdoors into legitimate extensions and the effects this can have on the user's security. For his demonstration he backdoored the LastPass extension for Firefox.
LastPass is a password management service that uses a browser extension to automate form filling and website authentication. This allows users to have strong, separate passwords for all online services they use, while remembering only one master password that unlocks their encrypted password vault.
For increased security, LastPass supports two-factor authentication using the master password and one-time codes generated by physical YubiKey USB authentication devices or mobile applications such as Google Authenticator, Toopher and Duo Security.
LastPass claims on its website that it protects users against phishing scams, online fraud, and malware -- in particular key loggers. However, according to Balazs, the extension can't protect users against malware like financial Trojan programs that hook into the browser process, against other malicious browser extensions, or against local modifications of its own code.
Balazs' demonstration at Hacker Halted showed how a piece of malware could modify the code of the LastPass extension installed in Firefox so that it sends the user's master password and a YubiKey authentication code to an attacker, who could then use the information to access the user's password vault.
He released his proof-of-concept code for backdooring the LastPass extension on GitHub and said that developing it only took two hours.
Most of Balazs' recent research focused on Firefox because it's easier to trick users into installing malicious extensions in this browser by using social engineering. Unlike Firefox, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, which makes it harder for attackers to distribute malicious extensions.