Newsletter #14: Chrome Extension Security
One area that’s often overlooked in an organization is the management of the use of Chrome Extensions. This is a larger portion of corporate security programs, including endpoint security, email security, user authentication into corporate apps, and onwards.
If you think about it, we do EVERYTHING through our browsers. When we install a chrome extension, we are permitting a 3rd party access to a variety of our browsing data, from banking to our AWS Infrastructure.
When a user installs a chrome extension, they allow a piece of code to run in their browser and access their site data. However, are we really aware of what data is accessed from this code and where it’s being sent?
Recently a popular chrome extension, The Great Suspender, an extension with 2M users, became a delivery mechanism for malware. Details here. Basically, this was a legitimate extension that solved a problem but required a tremendous amount of access. The company then sold the code to a 3rd party, which turned out to have criminal motives, unbeknownst to the author.
This is a form of supply chain attack, similar but different from the Solarwinds attack I mentioned some time ago. However, in this case, they just bought the whole supply chain! LOL.
Things a Chrome Extension Can Access
Here are some things a chrome extension can access:
- Websites you visit and browsing history
- Read data on the website you visit
- Change data on websites you visit
By default, most extensions are active on all websites you visit. For example, a coupon code extension like Honey that will automatically give you a coupon code requires access to read all sites you go on.
You can change that, of course, to only activate with the click of a button or on specific websites, which I recommend.
Consideration has to be made regarding where and to whom the data is being sent.
Here are some things to consider:
- Is it a reputable company/developer or an unknown/obscure entity located somewhere shady?
- Note: Even if it were by a reputable company, as in the case of The Great Suspender, it would not prevent the app/company from selling it to an organization with little known but malicious intentions.
- Does the extension require access to data I’m comfortable with?
Security Overhead vs Usability
One axiom in security is that security is inversely proportional to convenience. There are a few exceptions, of course, such as SSO, but it’s pretty spot on.
What is one to do about chrome extension security when you don’t have a huge IT/Security Team?
There is no good answer, except that the earlier you begin to tackle it or consider it, the better. The larger an organization you are and/or the more sensitive the data you have, the decision is clear.
Here is my quick guide:
- Get an inventory of extensions in your environment. Knowing is half the battle.
- Utilize a tool like https://crxcavator.io/ to cross-check with security permissions.
- Is it possible that this functionality could be done natively with Chrome? It’s sometimes solved in updates, just like tab groups now.
- Educate all your users on chrome extension security. They are often unaware of the risks and may not want such intrusive applications running on their browsers, especially if they use it for personal use as well, which is often the case.
- When considering enforcement:
- Make sure to understand the impact on users. Have data to back up your decision, and have executive buy-in and understand the impact.
- You can do an allow list or dis-allow list. Both have their pros and cons, so consider how you would maintain either.
- Consider automation to allow chrome extensions to be added and easily approved.
In the future, I hope to do a deep dive on this topic. But for now, I just want to raise awareness of this issue. That’s the main point of this newsletter.
Application management on end-user devices is a difficult but important topic. Conduct a threat modeling exercise to help inform your decision on this topic.
Chrome extensions allow external applications access to your user’s browning data, and you may want to consider/review how you inventory & manage chrome extension security. As usual, see below for my advice and tips.
- List of warnings the prompt a user
- Consider the access that does NOT prompt a user
- List of Chrome Permissions
- Amazon suspiciously says browser extension Honey is a security risk, now that PayPal owns it
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.