A newly published analysis of more than 300,000 extensions and OAuth applications installed in Chromium-based browsers, including Chrome and Edge, determined that more than half pose a high-security risk to organisations.
The analysis, by Software-as-a-Service (SaaS) security specialist Spin.AI, leveraged AI algorithms for discovery. This revealed that 42,938 of installed extensions came from unknown authors.
“Combining the number of extensions used by unknown or untrusted developers with the sheer number of extensions and apps in use across most organisations today paints a worrisome picture of the potential security vulnerabilities lurking in these extensions,” said David Asatryan, Director of Product at Spin.AI.
Big businesses at big risk from Chrome extensions
Larger organisations, defined in the report as having more than 2,000 employees, are at particular risk. Here, the average number of installed extensions is a whopping 1,454.
Why is this of such concern? Because, the researchers say, browser extensions can “pose the same and even higher risks than third-party SaaS applications to business-critical data”.
At the heart of mitigating against potentially harmful extensions is correctly understanding user permissions. The Spin.AI report shows how an identity permission could use a secondary webrequest permission to send data to a third party.
Such permissions may appear low risk individually, but combined can lead to higher compliance and security risk.
Improving the Chrome extension risk
In related news, Oliver Dunk, a Developer Relations Engineer for Chrome extensions at Google, has announced measures to improve the extension ecosystem for users.
Starting with Chrome 117, Dunk says, installed extensions that have been removed from the Chrome Web Store will be proactively highlighted.
The change is related to three specific use cases:
- where an extension is “unpublished” by the developer
- where it has been removed for violating store policy
- where it has been marked as malware
“When a user clicks ‘Review’ they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed,” Dunk said.
Extensions marked as malware will be automatically disabled, as happens already.
How to secure your business
While it’s tempting to think that only big businesses are under attack, that’s far from true. As TechFinitive reported earlier this year, small businesses need to protect themselves from cyberattack.
We have also published guides on the simple step you can take to protect your business and how to secure your business online.
Nathalie Parent, Chief People Officer at Shift Technology: “HR is the conscience of an organisation”
For more than 30 years, Nathalie Parent has led global HR teams, working primarily with software companies. Today she’s Chief People Officer at Shift Technology
Amazon introduces new storage class that makes it cheaper to store rarely used files
Robot carers are real, but caregiving has bigger problems, writes Richard Trenholm in this FlashForward edition