Pinterest Browser Extension Injects Unwanted Code into 5K Websites

A Pinterest browser button leaks malformed code into any browser-based text editor.

A buggy Mozilla Firefox browser extension for sharing links to Pinterest has automatically injected malformed code into at least 5,000 websites.

The code injection in this instance was not malicious, but researchers at Sucuri, which discovered and reported the problem on Tuesday, said the incident underscores how pervasive a threat vector browser extensions can be if used by bad actors.

The unnamed browser extension (installed by a user on Firefox) is designed to serve up a Pinterest sharing icon and function on any website a user visits to make sharing the site to Pinterest a snap. But, researchers said, because the extension was poorly developed, it also  unintentionally adds a buggy piece of code to any text-based content created within the impacted browser – including posts, emails and chats.

In all, Sucuri said it found malformed code tied to the Firefox browser extension on 5,000 websites where users either managed text-based content or contributed it.

“In the past there have been countless examples of malicious browser extensions that steal login credentials, include some trojan, snooped on whatever the person visited or just created a clone of a legitimate extension and added their malicious part to it,” said Cesar Anjos, security analyst at Sucuri, in an interview with Threatpost.

Extensions are popular tools for malicious actors. Last year, a popular free optical character recognition (OCR) extension for web browsers called Copyfish was hijacked by attackers who used it to spew spam and unwanted ads.

“The hardest point is to get the person to install such extension. In this specific [incident], it was a Pinterest extension, so the interest to install it was already there due to its popularity,” Anjos said.

Following the Breadcrumbs

Sucuri researchers recently came across several completely different websites containing what appeared to be a base64-encoded image – only it wasn’t rendering the image on the site. The string of code was only present from a source-code view.

Analysis showed that the same piece of code was turning up on several websites using a variety of plugins and themes, many of them hosted on different servers. Further, it was clear that the website owners had not added the code themselves, Sucuri said.

After some digging, researchers found that the sites had one thing in common: They all had the same webmaster. And the webmaster, via a buggy browser extension he had installed, unknowingly injected the code snippet onto any WordPress page he or she edited.

Injection of Useless Script

The code injection in this case is a malformed image script — and it appears to be due to development error rather than malicious activity.

“There are a variety of approaches to displaying images on websites,” explained Anjos, in the blog on the issue. “The most common method is to upload the file to the server and use an <img> tag pointing to it. This tag is pretty versatile. In addition to accepting image files hosted on the same server, it accepts remote files. And believe it or not, the entire image encoded as a base64 string.”

That means that if the string of code representing an image is placed in a browser URL bar, that image will show up in the browser. It’s a way of fetching remote images.

Using this base64-encoded image file approach is fairly common, because it helps pages load faster. “This optimization technique stores images in the page source, which the browser directly interprets,” explained Anjos. “This avoids the request and transfer of additional files from the server to the client.”

In the case of the Pinterest icon, the snippet of code in question is injected with the intent of rendering the image, but fails in its effort and as such, is not visible to site visitors.

“This is most likely due to the fact that the entire string is in lowercase, a problem when we are talking about base64, which is case-sensitive,” Anjos explained.

Ramifications

“All it takes is for the extension developers to make a mistake that allows code to leak onto the browser,” Anjos told Threatpost. “In this case, the extension was a simple Pinterest icon being added to the browser to save links on Pinterest. Due to a bug, the browser button leaked into any browser-based text editor (in this case, the post editor of WordPress).”

The extension essentially causes code to inject into whatever content is written – a perfect vehicle for malware.

“Imagine the severity of this injection if you are browsing your bank’s website, sending an important email or submitting your personal information on a purchase page? What if it opens a vulnerability on your website?” Anjos said. He added, “The key takeaway is to be mindful of what extensions we use on our browsers as they can directly interact with what is presented to us, especially when we are handling sensitive data or areas.”

“It’s hard to assess how common these kinds of bugs are within extensions, but seeing as it can leak to text input fields, you can imagine how severe it can become if there were nefarious purposes,” he told Threatpost.

Suggested articles