Last weekend, news broke of a broad attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. So far, more than 25 extensions with a combined installed base of more than two million users have been found to be compromised, and affected organizations are currently working to determine their exposure (LayerX, one of the companies involved in protection against malicious extensions, offers a free service to audit and remediate organizations’ exposure – click to register here).
While this is not the first attack targeting browser extensions, the scope and sophistication of this campaign mark a significant escalation in the threat that browser extensions pose to organizations.
Now that the details of the attack have been made public, users and organizations should assess their exposure to this attack and to browser extensions in general. This article aims to help organizations understand the risk posed by browser extensions, the implications of this attack, and the effective steps they can take to protect themselves (for a detailed overview, see the guide to protecting against malicious browser extensions).
Browser extensions are the soft underbelly of web security
Browser extensions have become a ubiquitous part of browsing: many users rely on them to correct spelling, find discount coupons, take notes, and for other productivity purposes. What most users don’t realize, however, is that browser extensions are typically granted broad access rights that can lead to serious data exposure if those permissions fall into the wrong hands.
Common permissions requested by extensions include access to sensitive user data such as cookies, credentials, browsing data, text input, and more, which can lead to data disclosure on the local endpoint and identity theft of users.
This is a particular risk for organizations, many of which do not control which browser extensions users install on their endpoints; the theft of corporate account credentials can lead to an organization-wide data exposure and breach.
A new, more dangerous threat:
While the effects of this attack are still unfolding and compromised extensions are still being discovered, there are a number of conclusions that can already be drawn:
- Browser extensions are becoming a primary attack vector. This campaign targeting several extensions at once shows that attackers have taken note of the broad access granted by extension permissions and the false sense of security many users have, and are deliberately targeting browser extensions as a means of stealing data.
- GenAI, productivity and VPN extensions were specifically targeted: The list of affected extensions shows that the campaign mainly hit VPN extensions, data-processing extensions (such as note-taking or data-security tools) and AI-powered extensions. It is too early to say whether this is because these extensions are more popular (and therefore more attractive to attackers in terms of reach) or because of the permissions granted to them, which attackers want to exploit.
- Public extensions in the Chrome Web Store are exposed. It appears that the extensions were compromised through a phishing campaign targeting extension publishers on the Chrome Web Store. The targeting information appears to have come from the store itself, whose listings include details about an extension’s author, including their email address. While the Chrome Web Store is the best-known source of extensions, it is not the only one, and some enterprise-grade extensions are deployed directly.
How to protect your organization:
Although many users and organizations are unaware of the potential risks associated with browser extensions, there are a number of key actions they can take to protect themselves:
- Audit all extensions: Many organizations do not have a complete picture of the extensions installed in their environment; they let users choose whichever browser (or browsers) they want and install whatever extensions they want. Without a complete inventory of all extensions across all browsers of all users, it is impossible to understand your organization’s threat surface, which is why a full audit of all browser extensions is the basic requirement for protection against malicious extensions.
- Classify extensions: As this attack, which primarily targeted productivity, VPN, and AI extensions, demonstrates, some categories of extensions are more exposed to attack than others. This is partly due to the popularity of certain types of extensions, whose large user base makes them attractive targets (such as various productivity extensions), and partly due to the permissions granted to them that attackers may wish to exploit (such as the access to network and browsing data that VPN extensions handle). Classifying extensions is therefore a useful step in evaluating their security.
- List extension permissions: Knowing which extensions are installed in the enterprise environment is one side of the coin; the other is understanding what those extensions can do. This means listing their exact access permissions and all the information they can potentially access.
- Assess extension risk: Once they know which extensions are installed on corporate endpoints and what information those extensions can touch (via their permissions), organizations need to assess the risk each individual extension carries. A comprehensive risk assessment should cover both the scope of an extension’s permissions (i.e. what it can do) and external parameters such as its reputation, popularity, publisher, and method of installation (i.e. how much we trust it). These parameters should be combined into a single risk score for each extension.
- Apply risk-based adaptive enforcement: Finally, taking all the information at hand into account, organizations must apply adaptive, risk-based enforcement policies tailored to their usage, needs and risk profile. They can define a policy to block extensions that have certain permissions (such as access to cookies) or define more complex rules tailored to their specific use case (such as blocking AI and VPN extensions with a “High” risk rating).
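The five steps above can be chained into a single inventory-and-scoring script. What follows is an added example written for this article, not LayerX’s product or code from the article itself: it reads Chrome-style extension manifests (the permissions and host_permissions keys of manifest.json; the Extensions/<id>/<version>/manifest.json layout used by scan_profile is an assumption about a typical Chrome profile), lists every permission, combines permission scope with trust signals (store-listed, verified publisher) into a single score using illustrative weights that are this example’s own assumptions, and applies the two policy rules quoted above. The extension names, ids and manifests are constructed sample data.

```python
import json
from dataclasses import dataclass
from pathlib import Path

# Illustrative weights (an assumption for this example, not a published scheme):
# permissions that expose cookies, traffic or page content carry the most weight.
PERMISSION_WEIGHTS = {
    "cookies": 30, "webRequest": 20, "webRequestBlocking": 10, "proxy": 20,
    "nativeMessaging": 20, "history": 15, "clipboardRead": 15, "scripting": 15,
    "identity": 15, "tabs": 10, "<all_urls>": 25, "*://*/*": 25,
}
SIDELOAD_PENALTY = 15              # not installed from the public store
UNVERIFIED_PUBLISHER_PENALTY = 10  # publisher identity not established


@dataclass
class Extension:
    ext_id: str
    name: str
    category: str            # step 2: e.g. "productivity", "ai", "vpn"
    permissions: list        # API permissions
    host_permissions: list   # URL patterns the extension may read or modify
    store_listed: bool
    publisher_verified: bool

    def permission_inventory(self):
        """Step 3: everything the extension can reach, API and host permissions merged."""
        return sorted(set(self.permissions) | set(self.host_permissions))

    def risk_score(self):
        """Step 4: permission scope plus trust signals, capped at 100."""
        score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in self.permission_inventory())
        if not self.store_listed:
            score += SIDELOAD_PENALTY
        if not self.publisher_verified:
            score += UNVERIFIED_PUBLISHER_PENALTY
        return min(score, 100)

    def risk_rating(self):
        s = self.risk_score()
        return "High" if s >= 60 else "Medium" if s >= 30 else "Low"


def from_manifest(ext_id, manifest, category="other", store_listed=True, publisher_verified=False):
    """Build an Extension from a Chrome manifest dict (Manifest V2 or V3)."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    perms = [p for p in perms if p not in hosts]
    return Extension(ext_id, manifest.get("name", ext_id), category, perms, hosts,
                     store_listed, publisher_verified)


def scan_profile(extensions_dir):
    """Step 1: walk a Chrome profile's Extensions/<id>/<version>/manifest.json tree (assumed layout)."""
    found = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            found.append((manifest_path.parts[-3], json.load(fh)))
    return found


def enforce(ext):
    """Step 5: the two example rules from the article, evaluated in order."""
    if "cookies" in ext.permissions:
        return "block", "requests the cookies permission"
    if ext.category in {"ai", "vpn"} and ext.risk_rating() == "High":
        return "block", f"{ext.category} extension rated High"
    return "allow", "within policy"


# Constructed sample data: placeholder ids, made-up names, manifests written for this example.
SAMPLE_MANIFESTS = {
    "placeholder-id-coupon": ({"name": "Coupon Finder", "manifest_version": 3,
                               "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]},
                              {"category": "productivity", "store_listed": True, "publisher_verified": False}),
    "placeholder-id-ai": ({"name": "AI Writing Assistant", "manifest_version": 3,
                           "permissions": ["storage", "scripting", "clipboardRead", "webRequest"],
                           "host_permissions": ["<all_urls>"]},
                          {"category": "ai", "store_listed": True, "publisher_verified": True}),
    "placeholder-id-notes": ({"name": "Note Taker", "manifest_version": 3,
                              "permissions": ["storage", "cookies"], "host_permissions": []},
                             {"category": "productivity", "store_listed": True, "publisher_verified": True}),
    "placeholder-id-vpn": ({"name": "Sideloaded VPN", "manifest_version": 2,
                            "permissions": ["proxy", "webRequest", "<all_urls>"]},
                           {"category": "vpn", "store_listed": False, "publisher_verified": False}),
}


def audit(manifests=SAMPLE_MANIFESTS):
    """Run steps 2-5 over an inventory and return one report row per extension."""
    report = []
    for ext_id, (manifest, trust) in manifests.items():
        ext = from_manifest(ext_id, manifest, **trust)
        decision, reason = enforce(ext)
        report.append({"id": ext_id, "name": ext.name, "category": ext.category,
                       "permissions": ext.permission_inventory(), "score": ext.risk_score(),
                       "rating": ext.risk_rating(), "decision": decision, "reason": reason})
    return report


if __name__ == "__main__":
    for row in audit():
        print(f"{row['name']:<22} {row['rating']:<7} {row['score']:>3}  {row['decision']:<5} {row['reason']}")
```

To audit a real endpoint, feed `scan_profile(path_to_profile / "Extensions")` into `from_manifest` with the category and trust signals your inventory source provides; the weights and thresholds are the part to tune to your own risk appetite, since the score only means something relative to the policy that consumes it.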
While browser extensions provide many productivity benefits, they also expand organizations’ threat surface and exposure. The recent attack campaign targeting browser extensions should be a wake-up call for organizations to define their approach to protecting against malicious and compromised extensions.
Click here to download the complete guide to protecting against malicious browser extensions to help organizations fully understand the threat, why existing solutions don’t provide adequate coverage, and how they can protect themselves.