What are the three security issues with utilizing client-side plug-ins in a web application?

Client-side plug-ins are small code modules which fit into the browser and execute on the client machine. They come with following security risks-

  • Control over the client system

The plug-ins work by getting permissions over the browser and sessions. They can track network activity, store and access authentication cookies, monitor webpage content, access store passwords, control cache files, and more, depending on how they are coded. 1

  • Malicious code
    Most plug-ins are published on browser free markets (like the Chrome Extension store and Firefox plugin page) by independent developers working under pseudonyms. Neither Google nor Firefox has checked through the plugin code and they offer no guarantees for the authenticity of the plugin. A seemingly “helpful” plugin can quickly turn into adware or worse a virus which takes over the system.
  • Expose the client machine
    Letting the plugin install on the browser is akin to creating a direct unsecured bridge between the Internet and the client system. It is a security hole and a path of direct access for malware, rootkits, worms, and spyware.
    Also, many users fail to update their plug-ins, leaving the system vulnerable to exploits.

The following examples illustrate the risks of the client-side plug-ins-

  • ArsTechia published a study in 2014, on how “adware vendors buy Chrome Extensions to send ad- and malware-filled updates”2. The study highlighted how “safe” plugins were bought by adware vendors who then pushed out ads and tracking code when the plugin updated.
  • Java plugin “applets” were once part of every browser. But the numerous security risks they posed caused Google Chrome and Microsoft Internet Explorer (and Edge) to stop supporting Java plugins in 2015. Finally, in January 2016, the “much-abused”3 Java plugin was finally put to rest by its creator: Oracle.
  • In 2012, Hungarian security researcher released a proof-of-concept on GitHub which demonstrated how he could control, remotely, “a piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.” 4
  • Statistics from a plugin security study show that “that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out-of-date” 5 and vulnerable to exploits in the wild.