By Davit Asatryan, Director of Product
for Spin.AI
Digital transformation and the demands of an
increasingly remote workforce have turned Software-as-a-Service (SaaS)
applications into a cornerstone of modern business operations. However, recent
reports, like the SaaS Application Risk Report from Spin.AI,
show that a staggering 75% of SaaS applications pose a medium to high risk to
data stored in platforms like Google Workspace and Microsoft 365. Yet, while it
is important to bring attention to SaaS applications and their potential risks,
many organizations often overlook an equally concerning risk vector: browser
extensions.
Browser extensions have rapidly become
ubiquitous, promising to enhance productivity and user experience, but few
companies realize just how risky these extensions can be. Spin.AI recently evaluated over 300,000 browser
extensions and third-party OAuth applications to determine their
level of risk and found, among other things, that more than 40K of them have
unknown authors. An extension from an unknown or untrustworthy developer that
also holds broad access to the browser is a serious security exposure, and
there are tens of thousands of them.
## The Evolving Landscape of Browser Extensions
Although browser extensions have become almost
ubiquitous, this digital landscape is growing so rapidly that keeping track of
potential risks is a challenge. Google's Chrome Web Store alone hosts
approximately 250,000 extensions, not accounting for extensions available
outside of the official marketplace, which also add to the risk.
As noted earlier, that problem intensifies
when you consider that many of these extensions have unknown authors and that
most large enterprises will have thousands of these extensions in use across
their operations either intentionally or unintentionally.
But not all extensions are created equal when
it comes to the risks they pose. Many extensions request broad permissions in
order to function: access to every site the user visits, to cookies or browsing
history, or the ability to inject and run JavaScript in pages. Those same grants
are exactly what an attacker needs to capture credentials and session data or
to execute malicious code in the user's browser.
Understanding the permissions granted to
extensions is pivotal. An extension may start benignly but can turn malicious
through updates, potentially without the user's knowledge. Developers may sell
their extensions to other companies that could incorporate malicious
functionalities. Also, some extensions gather extensive user data, adding a
layer of compliance risks. Therefore, monitoring permissions and understanding
the possible combinations of these permissions are critical for risk
mitigation.
## Real-world Consequences
The dangers aren't just theoretical. In a recent incident, a fraudulent extension
mimicked a well-known ChatGPT browser extension and was installed by over
9,000 users. This extension hijacked Facebook accounts and managed to steal
login credentials from thousands of corporate and VPN accounts before being taken
down.
The rapid growth and evolving nature of
browser extensions mean that the associated risks are dynamic. As extensions
continuously update and change hands, risk assessments need to be ongoing for
modern businesses to keep pace.
To manage these risks effectively,
organizations should consider the following:
- Maintain an Inventory: Keep a
real-time list of all extensions and SaaS applications that have access to the
organizational environment and update the list regularly.
- Conduct Risk Assessments:
Continuously evaluate extensions for operational, security, privacy, and
compliance risks. For each extension, ask what it has access to and what it
can do with that access.
- Establish Policies: Develop and
enforce guidelines based on third-party risk management frameworks, tailored to
the specific needs of the organization. If you are a healthcare organization,
for example, you face an entirely different set of regulations and security
frameworks than a manufacturing company.
- Implement Automated Controls: Many
modern cybersecurity tools allow you to automatically block or remove
extensions based on updated risk assessments and organizational policies.
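As an added example (not code from the article or from Spin.AI), the following Node.js script shows how the permission review described above and the inventory, risk assessment and automated-control steps in the list can be implemented against Chrome extension manifests. It scores each extension by the API permissions and host patterns it requests, adds extra weight for dangerous combinations (site-wide access together with cookies, request observation or script injection), and emits a Chrome `ExtensionSettings` enterprise policy that removes anything rated high. The policy keys (`installation_mode`, `blocked_permissions`, `blocked_install_message`) are Chrome's real enterprise policy names; the weights, thresholds, extension IDs and manifests are constructed for illustration, and pushing the policy out via GPO or MDM is outside the snippet.

```javascript
// Added example, not code from the article or from Spin.AI: score Chrome extension
// manifests by requested permissions, flag risky combinations, and emit a Chrome
// "ExtensionSettings" policy that removes the worst offenders. Runs offline under
// Node.js. Weights, thresholds, extension IDs and manifests below are constructed.

// Weight per API permission: roughly, how much a hostile update could do with it.
const PERMISSION_WEIGHTS = {
  debugger: 5,           // DevTools protocol on any tab: read and drive the whole page
  proxy: 4,              // route all browser traffic through a proxy the extension picks
  nativeMessaging: 4,    // talk to a native process, i.e. leave the browser sandbox
  cookies: 4,            // session cookies for granted hosts: direct account takeover
  webRequest: 4,         // observe every request, including Authorization headers
  webRequestBlocking: 4, // and rewrite or drop them (Manifest V2)
  scripting: 3,          // inject and run JavaScript in pages (Manifest V3)
  management: 3,         // list and disable other extensions, security tooling included
  history: 2,
  tabs: 2,               // URLs and titles of every open tab
  storage: 0,
  activeTab: 0,          // scoped to the tab the user clicked the extension on
};

// A host pattern that covers every site on a scheme, or every URL outright.
const WILDCARD_HOST = /^(\*|https?):\/\/\*\//;
const isBroadHost = (p) => p === '<all_urls>' || WILDCARD_HOST.test(p);
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// Gather API permissions and host patterns from both manifest versions: MV2 mixes
// hosts into "permissions", MV3 moves them to "host_permissions", and
// content_scripts.matches grant page access either way. optional_permissions are
// left out because they require a runtime prompt before use.
function collectPermissions(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const p of [...(manifest.permissions || []), ...(manifest.host_permissions || [])]) {
    (isHostPattern(p) ? hosts : api).add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { api: [...api], hosts: [...hosts] };
}

function assessExtension({ id, manifest }) {
  const { api, hosts } = collectPermissions(manifest);
  const reasons = [];
  let score = 0;
  for (const p of api) {
    const w = PERMISSION_WEIGHTS[p];
    if (w === undefined) { score += 1; reasons.push(`unrecognised permission ${p} (+1)`); }
    else if (w > 0) { score += w; reasons.push(`${p} (+${w})`); }
  }
  const broad = hosts.filter(isBroadHost);
  if (broad.length) { score += 5; reasons.push(`broad host access ${broad.join(', ')} (+5)`); }
  // Combinations matter more than single grants: site-wide access plus cookies,
  // request observation or script injection is the credential-stealer's toolkit.
  if (broad.length && api.some((p) => ['cookies', 'webRequest', 'scripting'].includes(p))) {
    score += 3; reasons.push('broad host access combined with cookies/webRequest/scripting (+3)');
  }
  // Weak signal only; the store listing is the better source for authorship.
  if (!manifest.author) { score += 2; reasons.push('no author declared in manifest (+2)'); }
  const rating = score >= 10 ? 'high' : score >= 5 ? 'medium' : 'low'; // constructed thresholds
  return { id, name: manifest.name, version: manifest.version, score, rating, reasons };
}

// Build a Chrome ExtensionSettings policy object. "*" sets defaults for every
// extension; per-ID entries override them. installation_mode "removed" both
// blocks new installs and uninstalls copies that are already present.
function buildExtensionSettingsPolicy(assessments, { blockRating = 'high', alwaysBlocked = ['debugger', 'proxy', 'nativeMessaging'] } = {}) {
  const order = { low: 0, medium: 1, high: 2 };
  const policy = { '*': { installation_mode: 'allowed', blocked_permissions: alwaysBlocked } };
  for (const a of assessments) {
    if (order[a.rating] >= order[blockRating]) {
      policy[a.id] = {
        installation_mode: 'removed',
        blocked_install_message: `Blocked by policy: ${a.rating} risk (${a.reasons.join('; ')})`,
      };
    }
  }
  return policy;
}

// Constructed inventory. In practice the IDs and manifests come from each profile's
// Extensions/<id>/<version>/manifest.json directories or from browser management reporting.
const SAMPLE_INVENTORY = [
  { id: 'aaaabbbbccccddddeeeeffffgggghhhh', manifest: { manifest_version: 3, name: 'Tab Tidy', version: '1.2.0',
      author: 'Example Devs', permissions: ['storage', 'activeTab'] } },
  { id: 'iiiijjjjkkkkllllmmmmnnnnoooopppp', manifest: { manifest_version: 3, name: 'Coupon Finder', version: '4.0.1',
      permissions: ['tabs', 'cookies', 'scripting'], host_permissions: ['<all_urls>'] } },
  { id: 'ppppoooonnnnmmmmllllkkkkjjjjiiii', manifest: { manifest_version: 2, name: 'Page Theme', version: '0.9',
      author: 'Theme Co', permissions: ['storage', 'https://*/*'],
      content_scripts: [{ matches: ['https://*/*'], js: ['theme.js'] }] } },
];

console.log(JSON.stringify(buildExtensionSettingsPolicy(SAMPLE_INVENTORY.map(assessExtension)), null, 2));
```

Run with `node` to print the generated policy: only the constructed "Coupon Finder" entry (site-wide access, cookies, script injection, no declared author) is rated high and removed, while the MV2 theme with a wildcard host lands at medium and the scoped tab utility at low. Because the score is recomputed from the manifest, re-running the script after every extension update catches the case the article warns about: a benign extension whose new owner quietly widens its permissions.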
As the digital workspace continues to evolve,
so too will the cybersecurity risks that come with it. While SaaS applications
have justifiably received a lot of attention in cybersecurity discussions,
browser extensions represent an equally important area that needs additional
scrutiny. By adopting a robust, proactive approach to managing these risks,
organizations can better protect their assets and maintain the integrity of
their digital operations.
## ABOUT THE AUTHOR
Davit Asatryan is the Director of Product
for Spin.AI,
focusing on the All-in-One SaaS Security platform, SpinOne. Davit specializes
in SaaS data protection, helping organizations battle Shadow IT, ransomware and
data leak issues.