CyberSecurity SEE

More Than Half of Browser Extensions Present Security Risks

A recent study conducted by Spin.AI has revealed that many browser extensions used by organizations for SaaS apps like Google Workspace and Microsoft 365 pose significant risks to data theft and compliance. The study analyzed 300,000 browser extensions and third-party OAuth applications across enterprise environments, focusing on Chromium-based extensions in browsers such as Chrome and Edge.

According to the study, 51% of all installed extensions were identified as high risk and had the potential to cause extensive damage to organizations. These extensions were capable of capturing sensitive data from enterprise apps, running malicious JavaScript, and sending protected data, including banking details and login credentials, to external parties without detection.

The study found that while 53% of the evaluated extensions were productivity-related, the highest security risks were observed in browser extensions used within cloud software development environments, with 56% of them considered high security risks. This highlights the significant cybersecurity risks associated with browser extensions and the potential threats they pose to data stored in browsers and SaaS platforms.

A recent incident involving a malicious browser extension further emphasizes the dangers posed by these extensions. A threat actor uploaded a browser extension disguised as a legitimate ChatGPT add-on, which led to the hijacking of Facebook accounts and the theft of credentials, including those of several thousand business accounts.

Although the weaponized extension was promptly removed by Google, numerous similar ChatGPT extensions were discovered on the Chrome Web Store in August, indicating a continuing risk. This highlights the need for better controls and scrutiny over the extensions available on official marketplaces.

Spin’s analysis also revealed that organizations with over 2,000 employees had an average of 1,454 installed extensions. Among these, productivity-related extensions were the most common, followed by tools for developers and extensions for better accessibility. However, 35% of these extensions presented high risks, compared to 27% in organizations with fewer than 2,000 employees.

One concerning finding from the study was the prevalence of browser extensions with anonymous authors, with a total of 42,938 extensions falling into this category. These extensions are freely used by organizations without considering potential security risks. This is particularly worrisome as anyone with malicious intent can publish an extension, posing a significant threat to organizations.

Additionally, organizations often source extensions from unofficial marketplaces or build their own extensions for internal use. However, this introduces additional risks as they may not undergo the same level of scrutiny and security checks as those available in official stores.

The study also highlighted that browser extensions can become malicious either from the start or through automatic updates. Attackers can infiltrate an organization’s supply chain and insert malicious code into a legitimate update. Developers can also sell their extensions to third parties who may then update them with malicious capabilities.

Furthermore, organizations need to consider how browser extensions use their permissions, as they may behave unexpectedly. For example, an extension could obtain the `identity` permission and then use the `webRequest` permission to send this information to a third party, raising privacy concerns.

To mitigate these risks, organizations should establish and enforce policies based on third-party risk management frameworks. It is essential to assess extensions and applications for operational, security, privacy, and compliance risks and implement automated controls that allow or block extensions based on organizational policies.

Furthermore, organizations should evaluate browser extensions before installation, considering factors such as the permissions requested, the developer’s reputation, and any indications of security or compliance audits. Regular updates, maintenance, user reviews, ratings, and a history of data breaches or security incidents should also be taken into account to ensure a secure browsing experience.
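The permission review described above, together with the automated allow/block controls the article recommends, can be put into code as a manifest audit. The following is an added example written for this article and is not Spin.AI's tooling. The manifest keys and permission names (`permissions`, `host_permissions`, `identity`, `webRequest`, `cookies`, `<all_urls>`) are the real Chromium ones; the risk weights, thresholds, permission combinations, sample manifests and publisher names are assumptions constructed for the demonstration.

```python
"""Score Chromium extension manifests against an organizational allow/block policy.

Added example for this article; it is not Spin.AI's tooling. The permission
names and manifest keys are the real Chromium ones; the weights, thresholds,
combinations and sample manifests below are assumptions constructed for the demo.
"""
import json
from pathlib import Path

# Risk weight per API permission (assumed values; unknown permissions score 1).
PERMISSION_WEIGHTS = {
    "storage": 0, "activeTab": 0, "alarms": 0,
    "tabs": 1, "downloads": 1, "bookmarks": 1,
    "identity": 2, "history": 2, "scripting": 2, "clipboardRead": 2,
    "webRequest": 3, "webRequestBlocking": 3, "cookies": 3,
    "nativeMessaging": 3, "debugger": 3,
}

# Host match patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = frozenset({"<all_urls>", "*://*/*", "http://*/*", "https://*/*"})

# Permission pairs whose combination matters more than either alone
# (the identity + webRequest case is the one the article describes).
RISKY_COMBINATIONS = [
    (frozenset({"identity", "webRequest"}),
     "identity combined with webRequest: account data can be sent to a third party"),
    (frozenset({"cookies", "webRequest"}),
     "cookies combined with webRequest: session tokens can be read and relayed"),
    (frozenset({"scripting", "tabs"}),
     "scripting combined with tabs: JavaScript can be injected into open pages"),
]

# Organizational policy (assumed values for the example).
DEFAULT_POLICY = {
    "blocked_permissions": frozenset({"nativeMessaging", "debugger"}),
    "review_threshold": 4,   # score at which a human reviews the extension
    "block_threshold": 7,    # score at which installation is blocked outright
    "require_known_publisher": True,
}


def split_permissions(manifest):
    """Separate API permissions from host patterns (MV2 mixes both in "permissions")."""
    api, hosts = set(), set(manifest.get("host_permissions", []))
    for perm in manifest.get("permissions", []):
        if perm in BROAD_HOST_PATTERNS or "://" in perm:
            hosts.add(perm)
        else:
            api.add(perm)
    return api, hosts


def assess_manifest(manifest, publisher=None, policy=DEFAULT_POLICY):
    """Return a score, a verdict (allow/review/block) and the findings behind it."""
    api, hosts = split_permissions(manifest)
    findings, score, hard_block = [], 0, False
    for perm in sorted(api):
        weight = PERMISSION_WEIGHTS.get(perm, 1)
        score += weight
        if perm in policy["blocked_permissions"]:
            hard_block = True
            findings.append(f"policy-blocked permission requested: {perm}")
        elif weight >= 2:
            findings.append(f"sensitive permission: {perm}")
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        score += 3
        findings.append("broad host access: " + ", ".join(broad))
    for combo, reason in RISKY_COMBINATIONS:
        if combo <= api:
            score += 2
            findings.append(reason)
    if policy["require_known_publisher"] and not publisher:
        score += 2
        findings.append("anonymous or unknown publisher")
    if hard_block or score >= policy["block_threshold"]:
        verdict = "block"
    elif score >= policy["review_threshold"]:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": manifest.get("name", "<unnamed>"), "score": score,
            "verdict": verdict, "findings": findings}


def assess_manifest_file(path, publisher=None, policy=DEFAULT_POLICY):
    """Assess the manifest.json of an unpacked extension directory."""
    manifest = json.loads(Path(path).read_text(encoding="utf-8"))
    return assess_manifest(manifest, publisher, policy)


# Constructed sample manifests (not real extensions), paired with a store publisher.
SAMPLE_EXTENSIONS = [
    ({"name": "Tab Notes", "manifest_version": 3,
      "permissions": ["storage", "activeTab"]}, "Example Vendor Ltd"),
    ({"name": "Dev Snapshot", "manifest_version": 2,
      "permissions": ["tabs", "history", "downloads", "https://*.example.internal/*"]},
     "Internal Dev Team"),
    ({"name": "Chat Assistant Helper", "manifest_version": 3,
      "permissions": ["identity", "webRequest", "cookies", "tabs"],
      "host_permissions": ["<all_urls>"]}, None),
]


def audit(extensions=SAMPLE_EXTENSIONS, policy=DEFAULT_POLICY):
    """Assess every (manifest, publisher) pair and return the reports."""
    return [assess_manifest(m, publisher, policy) for m, publisher in extensions]


if __name__ == "__main__":
    for report in audit():
        print(f"{report['verdict']:6} score={report['score']:2} {report['name']}")
        for finding in report["findings"]:
            print(f"         - {finding}")
```

Running the module scores the three constructed manifests as allow, review and block respectively; the anonymous "Chat Assistant Helper" manifest trips both the broad-host rule and the identity + webRequest combination. In practice the verdicts would feed the browser's enterprise extension policy rather than a printout, and the weights would be tuned to the organization's own risk appetite.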

In conclusion, the study conducted by Spin.AI emphasizes the significant risks associated with browser extensions used in enterprise environments. Organizations must prioritize the security and privacy of their data by implementing appropriate controls, policies, and scrutiny before using or allowing the installation of browser extensions. By doing so, they can protect against data theft and compliance issues effectively.
