Virtualization Technology News and Information
Navigating the Hidden Risks of Browser Extensions in a SaaS-Dependent World

By Davit Asatryan, Director of Product for Spin.AI

Digital transformation and demand from an increasingly remote workforce have turned Software-as-a-Service (SaaS) applications into a cornerstone of modern business operations. However, recent reports, such as the SaaS Application Risk Report from Spin.AI, show that 75% of SaaS applications pose a medium to high risk to data stored in platforms like Google Workspace and Microsoft 365. Yet while it is important to draw attention to SaaS applications and their potential risks, many organizations overlook an equally concerning risk vector: browser extensions.

Browser extensions have rapidly become ubiquitous, promising to enhance productivity and user experience, but many companies don't realize how risky many of these extensions actually are. Spin.AI recently evaluated over 300,000 browser extensions and third-party OAuth applications to determine their level of risk and found, among other things, that more than 40,000 of them have unknown authors. Combine that many extensions from unknown or untrustworthy developers with the access they are granted and you have a powder keg of security vulnerabilities.

The Evolving Landscape of Browser Extensions

The extension ecosystem is growing so rapidly that keeping track of potential risks is a challenge. Google's Chrome Web Store alone hosts approximately 250,000 extensions, not counting extensions distributed outside the official marketplace, which add to the risk.

As noted earlier, that problem intensifies when you consider that many of these extensions have unknown authors and that most large enterprises will have thousands of these extensions in use across their operations either intentionally or unintentionally.

But not all extensions are created equal in the risks they pose. Many request broad permissions in order to function: the ability to read and change data on every site the user visits, for example, which lets the extension capture sensitive data such as page content, form input and session cookies, or inject its own JavaScript into pages. The risk an extension carries is a function of what its permissions allow it to read and write.

Understanding the permissions granted to extensions is therefore pivotal. An extension may start benignly but turn malicious through an update, potentially without the user's knowledge: extensions update automatically, and developers may sell them to other companies that then add malicious functionality. Some extensions also gather extensive user data, adding a layer of compliance risk. Monitoring permissions, and understanding what particular combinations of permissions make possible, is critical for risk mitigation.

Real-world Consequences

The dangers aren't just theoretical. In a recent incident, a fraudulent extension that mimicked a well-known ChatGPT browser extension was installed by over 9,000 users. It hijacked Facebook accounts and stole login credentials for thousands of corporate and VPN accounts before it was taken down.

The rapid growth and evolving nature of browser extensions mean that the associated risks are dynamic. As extensions continuously update and change hands, risk assessments need to be ongoing for modern businesses to keep pace.

To manage these risks effectively, organizations should consider the following:

  • Maintain an Inventory: Keep a real-time list of all extensions and SaaS applications that have access to the organizational environment and update the list regularly.
  • Conduct Risk Assessments: Continuously evaluate extensions for operational, security, privacy, and compliance risks. Ask: what does this extension have access to, and what can it do with that access?
  • Establish Policies: Develop and enforce guidelines based on third-party risk management frameworks, tailored to the specific needs of the organization. If you are a healthcare organization, for example, you face an entirely different set of regulations and security frameworks than a manufacturing company.
  • Implement Automated Controls: Many modern cybersecurity tools allow you to automatically block or remove extensions based on updated risk assessments and organizational policies.
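The permission discussion above and the four steps just listed can be turned into a small, mechanical check. The following is an added example (it is not Spin.AI's code or the SpinOne product): it takes Chrome extension manifests, scores each one on the API permissions and host patterns it requests (with extra weight for the combination of all-site access plus cookies or webRequest, which is what account hijacking needs), flags manifests with no author or homepage, sorts the inventory riskiest first, and emits a Chrome ExtensionSettings policy that uninstalls and blocks the high-risk ones. The weights and thresholds are illustrative assumptions, not a published standard, and the three sample manifests are constructed for the example.

```python
"""Inventory Chrome extension manifests, score their permissions, and emit a Chrome
ExtensionSettings policy that removes the high-risk ones. Added example: weights and
thresholds are illustrative assumptions; the sample manifests are constructed."""
import json
from dataclasses import dataclass

# Per-permission weights (assumption): the more an extension could do if it turned
# malicious through an update or a change of owner, the higher the weight.
PERMISSION_WEIGHTS = {
    "debugger": 10, "nativeMessaging": 8, "proxy": 8,
    "cookies": 6, "webRequest": 6, "webRequestBlocking": 6,
    "scripting": 5, "management": 5, "history": 4, "clipboardRead": 4,
    "tabs": 3, "downloads": 3, "storage": 1, "activeTab": 1,
}
DEFAULT_WEIGHT = 2  # permission not in the table: treat as moderate
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

@dataclass
class ExtensionRisk:
    ext_id: str
    name: str
    version: str
    author_known: bool
    score: int
    level: str
    findings: list[str]

def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p

def _host_patterns(manifest: dict) -> list[str]:
    """Every host pattern the extension can reach: MV2 lists them under "permissions",
    MV3 under "host_permissions", and content scripts add their "matches"."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if _is_host_pattern(p)]
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    return hosts

def assess_manifest(ext_id: str, manifest: dict) -> ExtensionRisk:
    findings, score = [], 0
    api_perms = [p for p in manifest.get("permissions", []) if not _is_host_pattern(p)]
    for p in api_perms:
        w = PERMISSION_WEIGHTS.get(p, DEFAULT_WEIGHT)
        score += w
        if w >= 3:
            findings.append(f"permission {p} (+{w})")
    hosts = _host_patterns(manifest)
    broad = any(h in BROAD_HOSTS for h in hosts)
    if broad:
        score += 8
        findings.append("can read and change data on every site (+8)")
    elif hosts:
        score += 2
        findings.append(f"site access: {', '.join(sorted(set(hosts)))} (+2)")
    # Combinations matter more than single permissions: all-site access plus cookies
    # or webRequest is exactly what a session-hijacking extension needs.
    if broad and {"cookies", "webRequest"} & set(api_perms):
        score += 5
        findings.append("combination: all-site access + cookies/webRequest (+5)")
    author_known = bool(manifest.get("author") or manifest.get("homepage_url"))
    if not author_known:
        score += 3
        findings.append("no author or homepage_url in manifest (+3)")
    level = "high" if score >= 15 else "medium" if score >= 6 else "low"
    return ExtensionRisk(ext_id, manifest.get("name", "?"), manifest.get("version", "?"),
                         author_known, score, level, findings)

def inventory(manifests: dict[str, dict]) -> list[ExtensionRisk]:
    """Assess every id -> manifest pair, riskiest first."""
    return sorted((assess_manifest(i, m) for i, m in manifests.items()),
                  key=lambda r: r.score, reverse=True)

def build_extension_settings_policy(rows: list[ExtensionRisk], remove_levels=("high",)) -> dict:
    """Chrome ExtensionSettings policy: "removed" uninstalls the extension where present
    and blocks new installs; every other extension keeps the default "allowed" mode."""
    policy = {"*": {"installation_mode": "allowed"}}
    for r in rows:
        if r.level in remove_levels:
            policy[r.ext_id] = {"installation_mode": "removed",
                                "blocked_install_message": "Removed by extension risk policy: "
                                + "; ".join(r.findings)}
    return policy

# Constructed sample manifests (not real extensions); IDs are placeholders in Chrome's
# 32-letter a-p format.
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "manifest_version": 3, "name": "Tab Notes", "version": "1.4.0",
        "author": "Example Dev", "homepage_url": "https://example.com/tab-notes",
        "permissions": ["activeTab", "storage"]},
    "iiiijjjjkkkkllllmmmmnnnnooooaaaa": {
        "manifest_version": 3, "name": "Site Helper", "version": "0.9.2",
        "permissions": ["scripting", "storage"], "host_permissions": ["*://*.example.com/*"]},
    "ppppaaaabbbbccccddddeeeeffffgggg": {
        "manifest_version": 2, "name": "Free VPN Booster", "version": "2.0.1",
        "permissions": ["<all_urls>", "cookies", "webRequest", "webRequestBlocking", "tabs"]},
}

if __name__ == "__main__":
    rows = inventory(SAMPLE_MANIFESTS)
    for r in rows:
        print(f"{r.level:6} {r.score:3}  {r.name} v{r.version}  | " + "; ".join(r.findings))
    print(json.dumps(build_extension_settings_policy(rows), indent=2))
```

On a real endpoint the manifests come from each Chrome profile's Extensions/<id>/<version>_0/manifest.json directory, and the returned policy dict is in the shape the ExtensionSettings enterprise policy accepts (registry or GPO on Windows, managed policy JSON on macOS and Linux), so the same run that builds the inventory can also enforce the removal decision.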

As the digital workspace continues to evolve, so too will the cybersecurity risks that come with it. While SaaS applications have justifiably received a lot of attention in cybersecurity discussions, browser extensions represent an equally important area that needs additional scrutiny. By adopting a robust, proactive approach to managing these risks, organizations can better protect their assets and maintain the integrity of their digital operations.

Davit Asatryan is the Director of Product for Spin.AI, focusing on the All-in-One SaaS Security platform, SpinOne. Davit specializes in SaaS data protection, helping organizations battle Shadow IT, ransomware and data leak issues.

Published Monday, September 25, 2023 7:33 AM by David Marshall