Your business is at high risk from Chrome extensions, researchers say

A newly published analysis of more than 300,000 extensions and OAuth applications installed in Chromium-based browsers, including Chrome and Edge, determined that more than half pose a high security risk to organisations.

The analysis, by Software-as-a-Service (SaaS) security specialist Spin.AI, leveraged AI algorithms for discovery. This revealed that 42,938 of installed extensions came from unknown authors.

“Combining the number of extensions used by unknown or untrusted developers with the sheer number of extensions and apps in use across most organisations today paints a worrisome picture of the potential security vulnerabilities lurking in these extensions,” said David Asatryan, Director of Product at Spin.AI.

Big businesses at big risk from Chrome extensions

Larger organisations, defined in the report as having more than 2,000 employees, are at particular risk. Here, the average number of installed extensions is a whopping 1,454.

Why is this of such concern? Because, the researchers say, browser extensions can “pose the same and even higher risks than third-party SaaS applications to business-critical data”.

Those risks include access to page content that could enable data capture, as well as the ability to run malicious JavaScript. And that’s before considering compliance issues, which business-to-consumer (B2C) developers often overlook.

At the heart of mitigating potentially harmful extensions is correctly understanding the permissions they request. The Spin.AI report shows how an extension holding the identity permission could use a secondary webRequest permission to send data to a third party.

Such permissions may appear low risk individually, but combined can lead to higher compliance and security risk.

Reducing Chrome extension risk

In related news, Oliver Dunk, a Developer Relations Engineer for Chrome extensions at Google, has announced measures to improve the extension ecosystem for users.

Starting with Chrome 117, Dunk says, installed extensions that have been removed from the Chrome Web Store will be proactively highlighted.

The change is related to three specific use cases:

  • where an extension is “unpublished” by the developer
  • where it has been removed for violating store policy
  • where it has been marked as malware

“When a user clicks ‘Review’ they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed,” Dunk said.

Extensions marked as malware will be automatically disabled, as happens already.

How to secure your business

While it’s tempting to think that only big businesses are under attack, that’s far from true. As TechFinitive reported earlier this year, small businesses need to protect themselves from cyberattack.

We have also published guides on the simple steps you can take to protect your business and how to secure your business online.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.