Your business is at high risk from Chrome extensions, researchers say
A newly published analysis of more than 300,000 extensions and OAuth applications installed in Chromium-based browsers, including Chrome and Edge, determined that more than half pose a high security risk to organisations.
The analysis, by Software-as-a-Service (SaaS) security specialist Spin.AI, used AI algorithms for discovery and found that 42,938 of the installed extensions came from unknown authors.
“Combining the number of extensions used by unknown or untrusted developers with the sheer number of extensions and apps in use across most organisations today paints a worrisome picture of the potential security vulnerabilities lurking in these extensions,” said David Asatryan, Director of Product at Spin.AI.
Big businesses at big risk from Chrome extensions
Larger organisations, defined in the report as having more than 2,000 employees, are at particular risk. Here, the average number of installed extensions is a whopping 1,454.
Why is this of such concern? Because, the researchers say, browser extensions can “pose the same and even higher risks than third-party SaaS applications to business-critical data”.
These risks include access to page content that could enable data capture, as well as the ability to run malicious JavaScript. And that’s before considering compliance issues, which business-to-consumer (B2C) developers often overlook.
At the heart of mitigating potentially harmful extensions is correctly understanding extension permissions. The Spin.AI report shows how an extension holding the identity permission could use a secondary webRequest permission to send data to a third party.
Such permissions may appear low risk individually, but combined they can lead to higher compliance and security risk.
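To make the “individually harmless, jointly risky” point concrete, here is an added example (not from the Spin.AI report or from Google) that scores a Chrome extension manifest.json for permission combinations such as identity plus webRequest, or webRequest plus broad host access. The sample manifest and the list of risky combinations are constructed for illustration.

```python
"""Flag risky permission combinations in a Chrome extension manifest.json."""
import json

# Constructed sample manifest of a hypothetical extension (not a real one).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Tab Helper",
    "version": "1.0",
    "permissions": ["identity", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
})
# Constructed low-risk manifest used for comparison.
LOW_RISK_MANIFEST = json.dumps({"manifest_version": 3, "permissions": ["storage"]})

# Pairs that look mundane on their own but together enable data exfiltration.
# The list is illustrative; a real review policy would extend it.
RISKY_COMBOS = {
    frozenset({"identity", "webRequest"}): "identity data can be observed and forwarded via webRequest",
    frozenset({"cookies", "webRequest"}): "session cookies plus network interception",
    frozenset({"tabs", "scripting"}): "can inject scripts into arbitrary tabs",
}

def load_permissions(manifest_text):
    """Return (api_permissions, host_patterns) for MV2 or MV3 manifests."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))
    # MV2 listed host match patterns inside "permissions"; split them off.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return perms - hosts, hosts

def assess(manifest_text):
    """Return a dict with an overall level and the combinations that triggered it."""
    perms, hosts = load_permissions(manifest_text)
    findings = [(sorted(c), why) for c, why in RISKY_COMBOS.items() if c <= perms]
    broad = "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts)
    if broad and "webRequest" in perms:
        findings.append((["webRequest", "<all_urls>"], "can inspect traffic to every site"))
    level = "high" if findings else "low"
    return {"level": level, "findings": findings,
            "permissions": sorted(perms), "hosts": sorted(hosts)}

def risk_level(manifest_text):
    return assess(manifest_text)["level"]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest.json of an installed extension (found under the browser profile's Extensions directory) to see which combinations an audit should question.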
Reducing Chrome extension risk
In related news, Oliver Dunk, a Developer Relations Engineer for Chrome extensions at Google, has announced measures to improve the extension ecosystem for users.
Starting with Chrome 117, Dunk says, installed extensions that have been removed from the Chrome Web Store will be proactively highlighted.
The change is related to three specific use cases:
- where an extension is “unpublished” by the developer
- where it has been removed for violating store policy
- where it has been marked as malware
“When a user clicks ‘Review’ they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed,” Dunk said.
Extensions marked as malware will be automatically disabled, as happens already.
How to secure your business
While it’s tempting to think that only big businesses are under attack, that’s far from true. As TechFinitive reported earlier this year, small businesses need to protect themselves from cyberattack.
We have also published guides on the simple steps you can take to protect your business and how to secure your business online.