Browser Extensions Are a Security Blindspot: 4 Steps to Take Control

Alon Levin, the Vice President of Product Management at Seraphic Security, explains why browser extensions are a security risk and provides four ways companies can manage them better. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Browser extensions—third-party, installable software that adds custom functions to a core browser, like ad-blocking, calendar management, and AI-based summarizers—are widely popular. The Chrome Web Store alone offers 145,650 extensions, with tens of thousands more available for other browsers. However, these extensions can pose unique and significant security risks because of their close relationship with browsers. Many browser extensions access sensitive data, but enterprises historically have had little visibility into their risk, forcing them to take privacy disclaimers at face value. Extensions generally take a broad, all-or-nothing approach to the user data they require access to in order to function.
Entering criminal territory, some extensions are built with malicious intent, and legitimate extensions can be compromised by hackers, exposing a vast attack surface that criminals exploit to exfiltrate data, harvest credentials, and inject malicious code. One prime example is last year’s Cyberhaven attack, which began as a targeted phishing attack on one of its developers. This ultimately enabled the threat actor to replace Cyberhaven’s extension with a new version loaded with malicious code. Through automatic updates, the malicious extension was delivered to nearly 400,000 users.
As risks stemming from malicious extensions continue to grow in the wild, enterprise security leaders must put protections and policies into place that monitor extension usage across the organization and educate employees about the risks. Here are four best practices I recommend to IT leaders to mitigate browser extension-based threats:
Enforcing Extension Management Policies
Extension management policies, such as adhering to an easily accessible list of vetted and approved extensions, give employees clear, jargon-free guidelines to navigate the extensions landscape and keep employee and company data safe. While low-tech, such methods are effective if policy management and enforcement are consistent.
Performing Regular Audits
Although extension activity can be difficult to observe, regular audits can still monitor the extensions installed across an organization’s devices. This goes for unmanaged devices, too, because employees often access work resources from personal devices. While not a silver bullet, company knowledge of extensions used across all devices on its network can alert leadership to unfamiliar (and possibly dangerous) extensions that may require further investigation.
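An added example of what such an audit can look like on a Chrome or Edge profile (this is not code from the article or from Seraphic Security): it reads each extension's manifest and flags permissions that grant broad access to browsing data. The manifests, extension IDs and approved list below are constructed, and the set of permissions treated as high risk is my assumption.

```python
"""Audit Chrome/Edge extensions from their manifest.json files and flag
broad permissions. The manifests below are constructed sample data; for a
real audit, load them from each profile's Extensions/ folder."""
import json
from pathlib import Path

# Permissions treated here as high risk because they expose browsing data
# or code execution broadly (assumption: an auditor's working list).
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "history", "tabs", "clipboardRead", "nativeMessaging", "debugger"}
# MV2 manifests express "all sites" as host patterns inside 'permissions'.
ALL_SITES_PATTERNS = {"*://*/*", "http://*/*", "https://*/*"}

def risk_findings(manifest: dict) -> list[str]:
    """Return the sorted high-risk permissions an extension requests."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # MV3 hosts
    if requested & ALL_SITES_PATTERNS:
        requested.add("<all_urls>")  # normalise so one check covers both
    return sorted(requested & HIGH_RISK)

def audit(manifests: dict[str, dict], approved: set[str]) -> dict[str, dict]:
    """Mark each extension approved/unapproved and list its risky permissions."""
    return {ext_id: {"name": m.get("name", "?"),
                     "approved": ext_id in approved,
                     "high_risk": risk_findings(m)}
            for ext_id, m in manifests.items()}

def load_profile_manifests(profile_dir: Path) -> dict[str, dict]:
    """Read <profile>/Extensions/<id>/<version>/manifest.json from a real profile."""
    return {mf.parents[1].name: json.loads(mf.read_text(encoding="utf-8"))
            for mf in profile_dir.glob("Extensions/*/*/manifest.json")}

# Constructed sample data; the IDs are placeholders, not real extensions.
SAMPLE_MANIFESTS = {
    "aaaa_placeholder_id": {"name": "Calendar Helper",
        "permissions": ["storage", "alarms"],
        "host_permissions": ["https://calendar.example.com/*"]},
    "bbbb_placeholder_id": {"name": "Page Summarizer",
        "permissions": ["tabs", "scripting", "cookies"],
        "host_permissions": ["<all_urls>"]},
    "cccc_placeholder_id": {"name": "Old Ad Blocker",
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*"]},
}
APPROVED = {"aaaa_placeholder_id"}

if __name__ == "__main__":
    for ext_id, r in audit(SAMPLE_MANIFESTS, APPROVED).items():
        status = "OK    " if r["approved"] and not r["high_risk"] else "REVIEW"
        print(f"{status} {r['name']:<16} {ext_id}  high_risk={r['high_risk']}")
```

Anything marked REVIEW is either outside the approved list or requests permissions broad enough to read data from every site, which is exactly the unfamiliar or over-privileged extension an audit should surface.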
Educating Your Team
Employee education is a key aspect of an effective defense against malicious browser extensions. Regular training will help staff recognize risky extensions, understand permissions prompts, and follow approved usage guidelines. Building awareness won’t just empower employees to make informed decisions about the browser add-ons they choose. It will also extend IT’s vigilance by enabling them to flag potentially dangerous software used by colleagues and third parties.
Augmenting Native Browser Security
Take advantage of native browser controls and policies that can be enforced across managed devices. Adding a dedicated layer of extension security can alleviate the pressure of manual extension monitoring and auditing, and fill in critical security blind spots.
Browser extensions can be extraordinarily useful, and it’s no surprise that the install rate is only accelerating. This means every enterprise needs to figure browser extensions into its security strategy. Proper management, monitoring, and education will enable employees to continue accessing these productive tools without compromising sensitive enterprise data.