Multiple rogue web applications can be used to attack vulnerable browser extension and exploiting private data becomes easier for adversaries post the access is granted. This is alarming mainly because a normal person browsing the internet is caught unaware of something like this even exists.
Various browsers – Chrome, Firefox, Opera extension have been tested and proved to be compromised by the adversaries with right motivation to do it. This can lead to theft of sensitive data residing on a machine or even plant arbitrary codes (mainly malicious) on the victim’s machine which can be executed remotely probably compromising a company network under worst circumstances.
What is a web-application?
A web application is a client-server computer program that a computing device runs in a web browser – such as an online form or browser-based word processor. That’s separate from a browser extension – a small software add-on for customizing a web browser with something like an ad-blocker or a web-clipping tool.
Some of the sensitive information like cookies, browsing history and other installed extensions get recorded. Some Web-apps have access to permanent storage and store all this data until they stay as the extension on the browser. They may trigger download and execution of an arbitrary file on the user system.
That access is unique to web applications, which are subject to what are called a Same Origin Policy (SOP) that bars an app from reading and writing user data between domains. There are however methods by which a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.
An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The attacker’s aim here is to establish a communication with installed extensions, in order to access user sensitive information. The extensions privileged capabilities are then exploited via an exchange of messages with scripts in the web application
Although content scripts, background pages and web applications run in separate execution contexts, they can establish contact channels to communicate with one another, mainly APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications.
Here is a quick snapshot of browser extensions and web app vulnerability.
Soure : Threatpost