In a 2010 episode of South Park, Kyle failed to read a laboriously long end-user agreement before downloading a piece of software. As a result, he found himself legally obliged to take part in a hideous human centipede experiment.
We’ve got some stories about Ts & Cs, but we haven’t seen anything quite this bad. But we’re betting you are, fairly regularly, unwittingly signing up to alarming terms and conditions. Ones that are a bit like throwing an unknown party the keys to your company and telling them to fill their boots.
In this post, we’re going to look at browser extension security risks. These extremely handy software products piggy-back on browsers such as Chrome or Firefox to perform useful tasks. It turns out a whopping 51% of them are considered high risk and could damage your organisation.
Read on for our browser security risk guide, including what to do to prevent browser security issues from affecting your business.
Remind Me – What is a Browser Extension?
A browser extension is a plug-in that adds features to your browser. For instance, Grammarly for checking spelling and grammar, Adblock Plus for repelling unwanted ads, and LastPass for password security.
To work properly, the extension needs permission to read and change the content of web pages you view. It simply can’t work without this access.
What, Like a ‘Peek and Tweak’ Here and There to Make it Run?
Nope. Google Chrome, for example, requires the ability to access and alter ALL of your data on EVERY website you visit.
I’m Starting to Get the South Park User Agreement Reference…
Good. Because in the wrong hands, these kinds of wholesale permissions can capture sensitive data from organisations, run malicious JavaScript and send protected data such as sensitive employee information or banking details to third parties. They are a major browser security issue.
Why Would We Even Give These Permissions?
Because it appears to be a fundamental rule of human nature that we want time-saving apps more than we want privacy and security. The finger needs pointing at some well-known app developers too.
In a less-than-above-board move, the Google Translate extension doesn’t reveal it needs to access ALL data from ALL websites until you are actually installing the extension. By this point, most people are in ‘Whatever, just give me the goods’ mode.
It Sounds Bad, but We’re Talking About a Few ‘Bad Apple’ Apps, Right?
Unfortunately not. SaaS security company Spin.AI assessed 300,00 browser extensions and came up with some hair-raising browser security takeaways:
- Organisations with over 2,000 employees had an average of 1,454 browser extensions installed
- 51% had ‘overly permissive access’ and could carry out potentially malicious commands
- A hefty proportion of their 300,000 sample browser extensions – 42,938 – were created by anonymous authors. (Anonymous author = very bad.)
What are the Risks of Installing Browser Extensions?
Browser extension security risks are frequently connected to the wholesale permissions around reading and altering data on web pages required by developers.
These carte blanche permissions can often be exploited by criminals. In the wrong hands, they can be used to manipulate a page’s contents, access classified information, take control of searches and insert malicious prompts to encourage a user to give up sensitive data.
They can inject affiliate links into web pages, display unwanted ads and pop ups and collect data such as your IP address and browsing behaviour.
At the sneaky end of the spectrum, they could be using your browser to create income; at the nefarious end, they could be stealing your bank details.
Examples of browser security breaches ‘in the wild’, include:
- Inserting extra ads into your browser
- Creating a new search bar that leads to third-party shopping sites, to create affiliate link income
- Cookie stuffing in your browser, so that criminals can pretend they’ve referred you to shopping websites to pick up referral/ affiliate income
- Inserting code that views videos in the background of your browser, to clock up more views
- Stealing passwords and security information from the text input field in websites
How Can I Make My Browser More Secure?
- Create a risk management policy for dealing with all third-party software, including browser extensions. (Important cyber security principle: don’t trust people to ‘do the right thing’.)
- Evaluate browser extensions before installing them. Things you should consider include the scope of permissions requested, developer reputation, and any compliance risk considerations.
- Only download browser extensions from a reliable and well-known source, such as Microsoft Edge Add-ons, Chrome Web Store or Firefox Add-ons.
- Use Microsoft products such as Defender for Endpoint to enforce web filtering and to block access to malicious websites. (As an example, Endpoint can block access to newly registered domains which are often used for cybercrime campaigns.)
- Monitor the browser extensions used by your people via Microsoft Defender Vulnerability Management. Intersys report on browser extensions as part of their SOC Service using their Cyber Vulnerability Management Software.
- Use Microsoft Intune, a cloud-based endpoint management solution, to manage and block users’ access to apps.
For IT teams our Senior Security Consultant Jake Ives recommends businesses take the below browser security precautions:
- Implement configuration profiles in Intune to prevent users from installing browser extensions OR if on-premise, import the ADMX templates for different browsers into Group Policy and implement policies to block installation of browser extensions.
- In Intune and Group Policy you can define which extensions can automatically be installed on devices.
- Prevent users from signing into browsers using their personal accounts, because this will sync any extensions used at home, which may not be suitable in the workplace.
- Google Chrome has a built-in mechanism to scan for/remove malicious extensions, unwanted ads, pop-ups and malware. Just look for Google Chrome Help.
- Roll out policies to disable ‘Continue running background apps when Google Chrome is closed’. This will stop those pesky advertisement/clickbait notifications if a dodgy extension is installed.
- Roll out the policy to disable ‘Allow running plugins that are outdated’.
Oh, and do read the end-user agreement. You don’t want to end up like Kyle…
Intersys is a specialist cyber-security services provider that helps businesses, NGOs, schools and universities with all aspects of cyber security services as well as a fully managed SOC-as-a-service. To find out more about how we can help you, contact us now.