As it turns out, unfortunately, even a single extension might present a risk to your – or your organization’s – confidential data. A recent security study revealed that more than half of a sample of 300,000 installed extensions should be categorized as high-risk.
Palo Alto-based SaaS security company Spin.AI released a risk report detailing its assessment of these 300K extensions in use within enterprise environments. Its particular focus was on Chromium-based browser extensions across multiple browsers, like Google Chrome and Microsoft Edge. Keep in mind that these extensions, often used alongside SaaS apps like Google Workspace and Microsoft 365, are frequently granted permissions that give them broad access to content. Now think of the risks this access presents, including those to data stored in browsers like Chrome and Edge, or SaaS data stored in platforms like Google Workspace and Microsoft 365.
An under-regulated marketplace
But where are these dangerous extensions coming from? If we get them from the Chrome Web Store or Windows Admin Center, aren’t we safe? Unfortunately, no…or at least, not yet.
Here’s one example:
Back in March, a ChatGPT Chrome browser extension became available through the Chrome Web Store and was advertised on Facebook. It was subsequently installed by over 9,000 users. Unfortunately, what had once been a legitimate open-source browser add-on had been weaponized into a Trojan horse. It proceeded to steal the Facebook login credentials of at least 6,000 corporate and 7,000 VPN accounts.
And unregulated ChatGPT extensions are popping up in the Chrome Web Store (and other places) like crazy. Spin.AI’s researchers discovered that while back in May there were only 11 ChatGPT extensions, 3 months later there are over 200!
And there are other concerns…
Official web stores, as under-regulated as they may currently be, are still quick to remove dangerous extensions once they’re discovered. But there are other things to worry about:
Some perfectly good browser extensions can pick up malicious qualities during the update process. This can happen when an attacker infiltrates an organization’s supply chain and inserts malicious code into a legitimate update. Or, when a developer sells their extension to a third party that has bad intentions.
Some organizations develop their own extensions for internal use and upload them. However, these may also present risk if they aren’t put through the same level of scrutiny and security checks as those available in official stores.
Unknown authors, unknown sources
Spin.AI’s study revealed that many of the browser extensions installed by their corporate subjects – 42,938 to be precise – had unknown authors. This underscores how anyone can easily publish an extension in the official marketplace. Even worse, workers had sourced many of them from outside an official marketplace.
Another factor to consider is how a browser extension might use its permissions to behave in unexpected ways. “For example, an extension could obtain ‘identity’ permission and then use the ‘webrequest’ permission to send this information to a third party,” explained one of the study’s researchers.
Mitigating your organization’s risks
When it comes to the use of extensions, it’s important for organizations to establish, enforce and regularly update security policies surrounding them. Extensions – like other applications – should be assessed for operational, security, privacy, and compliance risks. You should also consider putting automated controls in place to help protect data.
Steps to extension risk mitigation include:
- Discovery/Inventory – Investigate and log all extensions in use organization-wide.
- Risk Assessments – Conduct ongoing assessments of extensions to identify potential security risks. Consider the permissions the extension requests, whether the author is known and, if so, their reputation, and whether they followed security protocols during development.
- Policies – Establish and enforce policies based on third-party risk management frameworks. Include extension adoption policies that require an appropriate evaluation process before installation can take place.
- Controls – Implement automated controls to allow or block extensions and applications based on organizational policies.
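The Discovery and Risk Assessment steps above can be started with a small script that walks a Chromium profile, reads each extension's manifest and scores the permissions it requests, flagging the identity-plus-network combination the study's researcher described. This is an added illustration, not Spin.AI's tooling; the permission weights, the `Extensions/<id>/<version>/manifest.json` profile layout and the sample manifests are assumptions made here.

```python
import json
from pathlib import Path

# Assumed weights: permissions that reach identity, traffic, stored data or every site.
RISKY = {"identity": 3, "webRequest": 3, "webRequestBlocking": 3, "cookies": 3,
         "nativeMessaging": 3, "tabs": 2, "history": 2, "scripting": 2,
         "clipboardRead": 2, "downloads": 1, "storage": 0}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess(manifest: dict) -> dict:
    """Score one extension manifest and return the level plus the reasons behind it."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest v2 lists host patterns under "permissions"; v3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    reasons = [f"permission:{p}" for p in sorted(perms) if RISKY.get(p, 0) >= 2]
    score = sum(RISKY.get(p, 0) for p in perms)
    if hosts & BROAD_HOSTS:
        score += 3
        reasons.append("host:all sites")
    # The combination the study called out: read identity, then send it out over the network.
    if "identity" in perms and {"webRequest", "<all_urls>"} & (perms | hosts):
        score += 2
        reasons.append("identity+network combination")
    if not manifest.get("author"):  # unknown author, as in the 42,938 cases in the study
        score += 1
        reasons.append("author:unknown")
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"name": manifest.get("name", "?"), "score": score, "level": level, "reasons": reasons}

def inventory(profile_dir: str) -> list:
    """Discovery step: assess every manifest under a Chromium profile (assumed layout)."""
    results = [assess(json.loads(mf.read_text(encoding="utf-8")))
               for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json")]
    return sorted(results, key=lambda r: -r["score"])

# Constructed sample manifests standing in for a real inventory run.
SAMPLES = [
    {"name": "Tab Notes", "author": "example-dev", "permissions": ["storage"]},
    {"name": "Chat Helper", "permissions": ["identity", "webRequest", "cookies"],
     "host_permissions": ["<all_urls>"]},
]

if __name__ == "__main__":
    for r in sorted((assess(m) for m in SAMPLES), key=lambda r: -r["score"]):
        print(f'{r["level"]:6} {r["score"]:2} {r["name"]}: {", ".join(r["reasons"]) or "-"}')
```

Point `inventory()` at a real profile directory (for example a user's Chrome `Default` profile) to produce a ranked list that the Policies and Controls steps can act on.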
And then rinse and repeat annually. To effectively mitigate the risks that browser extensions present, you need a comprehensive, proactive and regular assessment process. You also need strict policies that are well-known, enforced, and routinely adjusted as risks evolve over time. Only then can you relax, knowing your organization has done all it can to stay safe from these threats.