The cybersecurity threat of browser extensions
Originally posted at cybernews.com
Traditionally, businesses have automatically trusted anyone and anything inside the corporate network. In a digital world, most are now adopting a zero-trust architecture that trusts no one and nothing. But some companies are still using the traditional approach, making them more vulnerable to attacks in trusted applications.
Every device in every organization in the world will have at least one internet browser installed. Unfortunately, over the last few years, the humble web browser has become the primary target for attackers and hackers looking to exploit vulnerabilities. Employees will all use various browsers from the usual suspects: Google Chrome, Firefox, Safari, or Edge. But users often get more than they bargained for when they add third-party extensions to their browser of choice.
Beware of malware disguised as browser extensions
Most users will have added at least one browser extension such as LastPass for their passwords or an adblocker. For the most part, browser add-ons are helpful tools that enable us to work quicker and more efficiently online. But they also represent a lucrative opportunity for the bad guys.
Browser extensions have always been attractive to cybercriminals looking for innovative ways to add malicious code onto unsuspecting users’ machines.
Many are even presented as useful tools while secretly harvesting information about every website people visit before selling the data on to the highest bidder. Researchers at anti-virus vendor Avast discovered that 28 third-party Google Chrome and Microsoft Edge extensions associated with some of the most popular tech platforms were infected with malware. As a result, around 3 million people using these extensions were impacted. In other research, AdGuard revealed that over 80 million users were tricked into downloading malicious browser extensions disguised as legit add-ons like adblockers.
When endlessly scrolling online and personalizing our browser, it’s easy to forget that it stores invaluable information about you. Date of birth, email addresses, passwords, geolocations, and cookies that follow you around every website you visit are just a few prominent examples. But when did you last consider whether you were happy to trust that browser extension you never use with a treasure trove of your personal information?
How the web browser became an overlooked attack vector
According to Verizon’s data breach investigations report, 80% of web application attacks result in credential stealing. Once again, rogue browser extensions combined with social engineering techniques can turn the web browser into an attack vector.
The Chrome Web Store has more than 180,000 browser extensions.
Sure, they are heavily vetted by Google, but over time they often get sold to bad actors. The new owners can easily update the extension with malicious new features and upload it to the Chrome Web Store. The auto-update feature will quickly install the latest version to all the existing users.
Sometimes the plugin’s creator can be targeted by hackers. For example, a few years ago, Chris Pederick, maker of the Web Developer for Chrome extension, discovered that hackers had phished his Google account. The successful attack enabled them to update the software to a different version and push the update to over one million users. Despite these threats, many businesses have been blissfully unaware of which browser extensions exist in the browsers of every corporate device, or of what they are doing.
Better protect yourself and your organization
As a rule, you should only ever download browser extensions from companies you trust and double-check that recent reviews do not reveal any red flags. Before committing to installing any add-ons, don’t make the mistake of hitting Next or OK. Instead, check the permissions and requests to access your information. If you do not feel the extension requires that information for its core functionality, maybe you should consider abandoning the install.
On corporate machines, the stakes are much higher. A business runs the risk of exposing its company IP and inviting security vulnerabilities on its network. At the very least, it should explore the various permissions to make a group-wide decision on what is or isn’t acceptable to be enabled on devices. But you don’t have to do it all on your own. Google provides a helpful guide on managing extensions in the enterprise to test and evaluate all Chrome Browser extensions for your organization.
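The permission check described above can be scripted against each extension's manifest.json. The following is an added example, not code from the article or from Google's guide; the list of sensitive permissions, the allow/review/block policy, and the three sample manifests are assumptions constructed for illustration.

```python
import json

# Assumption: illustrative review policy, not a list published by Google.
SENSITIVE_APIS = {"cookies", "history", "webRequest", "tabs", "clipboardRead",
                  "nativeMessaging", "debugger", "management", "proxy", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def review_manifest(manifest):
    """Classify one extension manifest.json (Manifest V2 or V3) by requested access."""
    requested = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        requested += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts reach pages through "matches" even without a host permission.
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    apis = sorted(set(requested) & SENSITIVE_APIS)
    hosts = sorted(set(requested) & BROAD_HOSTS)
    if apis and hosts:
        verdict = "block"    # sensitive API on every site: needs a strong justification
    elif apis or hosts:
        verdict = "review"   # does the core function really need this?
    else:
        verdict = "allow"
    return {"name": manifest.get("name", "?"), "sensitive_apis": apis,
            "broad_hosts": hosts, "verdict": verdict}

# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"manifest_version": 2, "name": "Free Ad Blocker",'
    ' "permissions": ["webRequest", "cookies", "tabs", "<all_urls>"]}',
    '{"manifest_version": 3, "name": "Team Notes", "permissions": ["storage"],'
    ' "host_permissions": ["https://notes.example.com/*"]}',
    '{"manifest_version": 3, "name": "Page Highlighter", "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["*://*/*"], "js": ["hl.js"]}]}',
)]

def review_all(manifests=SAMPLES):
    return [review_manifest(m) for m in manifests]

if __name__ == "__main__":
    for result in review_all():
        print(result)
```
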
The most important step for users is to ensure that you use as few extensions as possible.
Also, remember to clear out old extensions that you no longer use. Finally, trust your instincts and be vigilant before adding anything to your browser. Get the balance right, and you can add excellent new functions and features that boost your productivity and make you more efficient.
If you ever notice sluggish performance or anything suspicious from your browsing experience, always remember that the browsing extensions and add-ins that once promised you value could now be the biggest source of your problems.