More Than Half of Browser Extensions Pose Security Risks

Many browser extensions that organizations permit employees to use when working with software-as-a-service (SaaS) apps such as Google Workspace and Microsoft 365 have access to high levels of content and present risks such as data theft and compliance issues, a new study has found.

Researchers at Spin.AI recently conducted a risk assessment on some 300,000 browser extensions and third-party OAuth applications in use within enterprise environments. The focus was on Chromium-based browser extensions across multiple browsers such as Google's Chrome and Microsoft's Edge.

High-Risk Extensions

The study showed 51% of all installed extensions were high risk and had the potential to cause extensive damage to the organizations using them. The extensions all had the ability to capture sensitive data from enterprise apps, run malicious JavaScript, and surreptitiously send protected data including banking details and login credentials to external parties.

Most extensions — 53% — that Spin evaluated were productivity-related extensions. But the worst — from a security and privacy standpoint at least — were browser extensions in use within cloud software development environments: Spin assessed 56% of them as high security risks.

"The main takeaway for organizations from this report is the significant cybersecurity risks associated with browser extensions," says Davit Asatryan, one of the authors of a report, released this week. "These extensions, while offering various features to enhance user experience and productivity, can pose serious threats to data stored in browsers such as Chrome and Edge, or SaaS data stored in platforms like Google Workspace and Microsoft 365," he says.

One example is a recent incident where a threat actor uploaded a browser extension that purported to be the legitimate ChatGPT browser add-on but was in reality a Trojan horse that hijacked Facebook accounts. Thousands of users installed the extension and promptly had their Facebook account credentials stolen. The compromised accounts included several thousand business accounts.

Google quickly removed the weaponized extension from its official Chrome Store. But that has not stopped others from freely uploading other ChatGPT extensions to the same store: Spin found more than 200 ChatGPT extensions on the Chrome webstore in August, compared with just 11 in May.

Lax Controls

Spin's analysis showed that organizations with over 2,000 employees have an average of 1,454 installed extensions. The most common among these were productivity-related extensions, tools that helped developers, and extensions that enabled better accessibility. More than one-third (35%) of these extensions presented a high risk, compared with 27% in organizations with fewer than 2,000 employees.

One startling takeaway from Spin's report is the relatively high number of browser extensions — 42,938 — with anonymous authors that organizations appear to be freely using without considering any potential security pitfalls. The statistic is especially concerning given how easily anyone with malicious intent can publish an extension, says Asatryan. Making matters worse is the fact that in some cases, the browser extensions that organizations are using were sourced from outside of an official marketplace.

"Companies also sometimes build their own extensions for internal use and upload them," Asatryan says. "However, this may introduce additional risk, as extensions from these sources might not go through the same level of scrutiny and security checks" as those available in official stores.

Spin found that browsers can be bad from inception or sometimes acquire malicious qualities via automatic updates. That can happen when an attacker infiltrates an organization's supply chain and inserts malicious code into a legitimate update. Developers can also sell their extensions to other third parties that might then update it with malicious capabilities.

Another factor that organizations need to consider is how a browser extension might use its permissions to behave in unexpected ways. "For example, an extension could obtain 'identity' permission and then use the 'webrequest' permission to send this information to a third party," Asatryan says.

It's important for organizations to establish and enforce policies based on third-party risk management frameworks, he notes. They need to assess extensions and applications for operational, security, privacy, and compliance risks, and consider implementing automated controls that allow or block extensions based on organizational policies.

"We recommend that organizations evaluate browser extensions before installing them by considering factors such as the scope of permissions requested by the extension, the developer's reputation, and disclosure of security or compliance audits," Asatryan says. Regular updates and maintenance are important, as are user reviews and ratings as well as any history of data breaches or security incidents.