Data from real-time reporting tool is now being used in the fight against rogue browser extensions and endpoint malware

In the three and a half years since Scott Helme launched Report URI, the real-time browser security service has grown from handling 10,000 reports per month to around 16,000 reports a second.

This growth presented the British security researcher with no shortage of challenges, as he looked to develop a more efficient infrastructure amid a rapidly growing user base.

At this year’s SteelCon expo in Sheffield, Helme took to the podium to discuss how he overcame these hurdles to ensure Report URI remained a viable proposition – particularly at scale.

After enlisting the services of Cloudflare and Redis to help ease the burden on Report URI’s backend servers, Helme said he started looking into ways to put the vast amounts of data flowing through the program to good use.

“With the service growing to the size that it has, we are now in a position where we can make certain observations on the state of security,” Helme said at SteelCon.

“We started looking at the aggregate data from a bird’s-eye view and thinking, as a service provider, looking down on all that data, can we get more value from that? It turns out we could.”

Rogue extensions

According to Helme, Report URI recently received multiple CSP violation reports from various clients around the world – all of which pointed to a malicious .ru domain.

While the reports were all genuine, Helme said it seemed unlikely that an attacker would have been able to inject script on more than 300 sites simultaneously.

“I kept reading through the source and I came across a variable – and the variable was a reference to a Chrome extension ID,” he explained.

“What transpired was that it wasn’t all the websites that had been compromised – a browser extension had gone rogue and was inserting the script onto all the pages that the people who had it installed were visiting.”

After reaching out to the Chromium team, the extension was confirmed to be injecting malware into webpages on the client side.

“This extension is now gone,” said Helme.
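The pattern described above (one blocked script host showing up in reports from many unrelated sites) can be surfaced with a simple aggregation. The following is an added example, not code from Report URI or from the talk; it assumes reports arrive in the legacy `report-uri` JSON body format, and the hostnames, the helper names and the `min_sites` threshold are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _report(doc, blocked, directive="script-src"):
    """Build one constructed report body in the legacy report-uri JSON shape."""
    return json.dumps({"csp-report": {"document-uri": doc, "blocked-uri": blocked,
                                      "violated-directive": directive}})

# Constructed sample data; every hostname here is a placeholder.
SAMPLE_REPORTS = [
    _report("https://shop.example/cart", "https://cdn.injected.test/a.js"),
    _report("https://shop.example/home", "https://cdn.injected.test/a.js"),
    _report("https://news.example/story", "https://cdn.injected.test/a.js"),
    _report("https://bank.example/login", "https://cdn.injected.test/a.js"),
    _report("https://news.example/story", "https://fonts.thirdparty.test/f.js"),
    _report("https://blog.example/", "inline"),      # keyword, no host to pivot on
    _report("https://blog.example/", "https://img.thirdparty.test/x.png", "img-src"),
    "not json",                                       # malformed body is skipped
]

def _host(value):
    """Hostname of a URI, or None for keywords such as 'inline' and 'eval'."""
    try:
        return urlsplit(str(value or "")).hostname
    except ValueError:
        return None

def sites_per_blocked_host(raw_reports):
    """Map each blocked script host to the set of distinct sites reporting it."""
    seen = defaultdict(set)
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        if not isinstance(body, dict):
            continue
        if not str(body.get("violated-directive", "")).startswith("script-src"):
            continue
        blocked, site = _host(body.get("blocked-uri")), _host(body.get("document-uri"))
        if blocked and site and blocked != site:
            seen[blocked].add(site)
    return seen

def likely_client_side(raw_reports, min_sites=3):
    """Hosts blocked on min_sites or more unrelated sites: suspect the client, not the sites."""
    hits = sites_per_blocked_host(raw_reports)
    return sorted((h, len(s)) for h, s in hits.items() if len(s) >= min_sites)
```

Counting distinct reporting sites rather than raw report volume keeps one busy site with a misconfigured policy from looking like a cross-site injection.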

Endpoint malware

In addition to being used as a tool to detect malicious browser extensions, Helme explained how Report URI has also been leveraged to track endpoint malware.

“One customer of ours – a big news agency in America – had nailed most of their CSP issues, but they kept on receiving reports they could make no sense of.”

The customer had their own intranet site, which could only be accessed by staff physically inside the organization, but they kept on receiving reports saying that users had visited the site and that its script source policy had been violated by an attempt to load content from a Russian domain.

“The first time we started getting these, we thought it was a major incident where someone had hacked into the intranet. But it turned out to be a piece of malware – specifically, a piece of malvertising – that wasn’t on the application itself, but on a client’s machine.

“By looking at the intranet pages the person was going to, the customer was able to guess what department they were in, and they went and found the endpoint.”

Keeping a close watch

Report URI has proved to be a useful tool for website owners looking to improve their site’s security and user experience.

However, with around 80 million unique clients sending through reports each month, Helme said he will continue to look for new ways to extract value from this growing dataset, not only to better protect his customers, but also end users.

“All modern browsers have the ability to become a more active participant in delivering a better browsing experience to your visitors,” he stated.

“I built this product from the ground up to be helpful, and I want to do more good stuff like this with it.”