Power tools and power malware

My OWASP low-code/no-code meetup presentation on the risks of extensions in your browser - and in Visual Studio Code.

We often think that securing Microsoft Power Platform starts from the admin center. The new PPAC experience has a Security hub that collects all the platform capabilities under one starting page. It also shows a prominent security score gauge, just like many other MS cloud admin experiences today.

Power Platform admin center security score visualization and calculation formula.

Plenty of investments have been made during the past few years to build up the security and governance features of Microsoft’s low-code application platform. Today, with Copilot agents being built on top of much of the same framework as Power Apps and Power Automate rely on, their importance for gaining customer trust in new AI driven solutions is paramount.

There’s more to security than meets PPAC’s eye, though. Even if the server-side components today offer a comprehensive control panel for setting up security policies, we must remember the other side of the computing equation: the clients. What software is running on the machines of Power Platform users, makers, developers? How can that interact with the platform services and, most importantly: how could someone else take control of that software?

This is the perspective that I covered in my recent session in the OWASP low-code/no-code security meetup. The Open Worldwide Application Security Project is a nonprofit foundation that works to improve the security of software. Their inventory currently contains 356 projects across the whole spectrum of software, with one of them being the OWASP Low-Code/No-Code Top 10.

I made a separate recording of my own session, to make it easier to reference and share it. The YouTube video above has the following description:

Are Chrome extensions a security threat for low-code developers? Here's a story of how 70,000 Microsoft Power Platform developers recently got compromised when malware found its way into a popular browser extension called Power Pane. In the session, I explain how the incident happened, and how similar threats exist in both open-source and commercial extensions.

Be it Chrome Web Store or Visual Studio Marketplace, the current extension ecosystem has very few mechanisms to keep users secure from malicious code. Despite being run by the likes of Google and Microsoft, we all need to be aware of the risks associated with extensions distributed through these channels.

Readers of this newsletter may recall the original incident with the Dynamics 365 Power Pane extension. I wrote about it in November 2024:

That’s just one part of the story, though. The use of malware code is becoming increasingly popular across the ecosystem of extensions. Chrome is a big target due to its market share, yet Edge and Firefox extensions and marketplaces are similarly vulnerable to misuse. Oh, and then there’s Visual Studio Code.

There are two sides to the problem. First of all, few users are aware of what these extensions have permission to do on their behalf. It is incredibly simple to install an extension into Chrome and then have it follow you across all your devices with the same Google account login. Figuring out what exactly the extension A) could do and B) is currently doing, on the other hand, requires significant effort. There’s no helpful assistant out there to guide the users.
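To show how much of point A) can be read straight from an extension's manifest.json (the file in its install folder that declares what it is allowed to do), here is an added example that is not part of the original post: a small triage script over a constructed Manifest V3 sample. The permission names are real Chrome API permissions; the sample extension, its name and its host patterns are made up.

```python
import json

# Constructed sample manifest in Manifest V3 shape (not any real extension's file).
SAMPLE_MANIFEST = """
{
  "manifest_version": 3,
  "name": "Example Helper",
  "version": "1.2.0",
  "permissions": ["storage", "tabs", "cookies", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [
    {"matches": ["https://*.dynamics.com/*", "https://*.powerapps.com/*"],
     "js": ["content.js"]}
  ]
}
"""

# API permissions that let an extension read or alter data on pages you are logged into.
HIGH_RISK = {"cookies", "webRequest", "tabs", "scripting", "debugger",
             "clipboardRead", "history", "webNavigation"}
# Host patterns that grant access to every site rather than a named few.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(manifest_text: str) -> dict:
    """Summarise what a manifest would allow, so a user can judge it before installing."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = list(m.get("host_permissions", []))
    # Manifest V2 lists host patterns inside "permissions"; pick those up too.
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    # Content scripts run inside matching pages even without host_permissions.
    for script in m.get("content_scripts", []):
        hosts += script.get("matches", [])
    risky = sorted(perms & HIGH_RISK)
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    return {
        "name": m.get("name"),
        "version": m.get("version"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "sites_reached": sorted(set(hosts)),
        # "review" means a human should look before trusting it; "ok" means nothing broad was declared.
        "verdict": "review" if (risky or broad) else "ok",
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The manifest only answers what the extension could do; point B), what it is doing right now, needs the extension's code or its network traffic, which is exactly the effort the paragraph above describes.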

Where’s Clippy when we need him to help users understand browser extension risks?

Then there’s the false sense of security that the platform vendors create. The likes of Google and Microsoft are managing their extension stores and want to make it easy for developers to come in and publish their code, to strengthen the moat around their ecosystem. These stores provide leaderboards and social signals to generate a buzz around hot new extensions. Great! Now, I assume they also ensure the promoted code is secure for users to run? As if…

A few days after I had recorded my session, the security researcher who revealed the Karma connection in Chrome Web Store, which included the Power Pane extension, published a new article. Titled “Chrome Web Store is a mess”, it details the painful, nearly impossible process for users to report malicious extensions. Reviews are full of obviously fake comments, and the “featured” extension badge is practically meaningless. In the end, much of it boils down to how Google doesn’t want any humans to be directly involved in the process:

“Google appears to take the “least effort required” approach towards moderating Chrome Web Store. Their attempts to automate all things moderation do little to deter malicious actors, all while creating considerable issues for authors of legitimate add-ons. Even when reports reach Google’s human moderation team, the actions taken are inconsistent, and Google generally shies away from taking decisive actions against established businesses.”

When I started to investigate the state of the extension ecosystems, after learning about the Power Pane incident, I discovered a lot of concerning information. It made me think about the false sense of security we may get by simply looking at the guidance and features provided by Microsoft. These client-side security gaps tend to fall outside the platform vendor scope in the shared responsibility model of the cloud.

I’ve got a feeling that AI will only amplify this problem, not solve it. The generative capabilities are not just awesome for phishing campaigns, they also help malware authors become more productive and creative in building and spreading their software. On the legitimate business side, broad availability of AI agents like GitHub Copilot may encourage citizen developers to further explore fusion development patterns that include custom code. So, they install VS Code and explore the marketplace of extensions - all the while there is absolutely no permission management or sandboxing features for these extensions. What could go wrong?

As a low-code developer without any formal education on software development, let alone cybersecurity - it’s not that easy for me to navigate these waters. At the same time, I realize there’s an ever-growing audience of app makers with a similar background. If these security issues are new to me, surely they are not known by the vast majority of people that can potentially be affected by them.

So, I try my best to approach this as a learning experience where I don’t have to pretend to be a professional in the security field. (Even though I’m wearing my Microsoft Security hoodie in the video. Thanks, MSUG.FI!) In the same way as I’ve educated others on the possibilities and pitfalls of Power Platform solutions, I want to help the citizen developers out there to make better choices with the technology available to them.

Okay, enough writing for now. Go and watch the video:

Oh, just one more thing! To gain a better understanding of how extensions are typically handled in organizations, I’d request you to choose an option from this quick poll:

Has the security risk of extensions stopped you from using them in Power Platform projects?

For example, using community tools in Chrome or VS Code when building solutions for customers.

If you have any thoughts or feedback on the topic, then remember you can always reply privately to these newsletter emails or leave a comment on the online version for others to see. Thanks!

The Karma connection in Chrome Web Store (Almost Secure blog) https://palant.info/2024/10/30/the-karma-connection-in-chrome-web-store/

Browser Extension Security Vulnerabilities (OWASP cheat sheets) https://cheatsheetseries.owasp.org/cheatsheets/Browser_Extension_Vulnerabilities_Cheat_Sheet.html

Temptations of an open-source browser extension developer (Hover Zoom+ GitHub project) https://github.com/extesy/hoverzoom/discussions/670

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace (ExtensionTotal blog) https://medium.com/extensiontotal/2-6-exposing-malicious-extensions-shocking-statistics-from-the-vs-code-marketplace-cf88b7a7f38f

A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions (ExtensionTotal blog) https://medium.com/extensiontotal/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171

VSCode Extension Trivia: Real or Cake? (ExtensionTotal blog) https://medium.com/extensiontotal/vscode-extension-trivia-real-or-cake-f729adc9e03e
