A recent study has revealed that numerous browser extensions approved for use by employees with software-as-a-service (SaaS) applications like Google Workspace and Microsoft 365 possess extensive content access, raising concerns about potential data theft and compliance breaches within organizations.

Extensions with Elevated Risk

The study uncovered that 51% of installed extensions were categorized as high-risk, with the potential to inflict significant harm on the organizations employing them. These extensions possessed the capability to collect sensitive data from enterprise applications, execute malicious JavaScript, and covertly transmit protected information, such as banking details and login credentials, to external entities.

Of the extensions evaluated by Spin, the majority (53%) were productivity-focused. However, the most alarming findings, from a security and privacy perspective, pertained to browser extensions used in cloud software development environments, with 56% of them deemed high security risks.

The key message for organizations in this report is the substantial cybersecurity risks associated with browser extensions,” emphasizes Davit Asatryan, one of the report’s authors, released this week. He adds, “While these extensions offer various features to enhance user experience and productivity, they can also present serious threats to data stored in browsers like Chrome and Edge, as well as SaaS data within platforms such as Google Workspace and Microsoft 365.”

As a case in point, there was a recent incident where a malicious actor uploaded a browser extension that masqueraded as the legitimate ChatGPT browser add-on but, in reality, was a Trojan horse designed to hijack Facebook accounts. Thousands of users installed this extension, leading to the theft of their Facebook account credentials. This breach affected several thousand business accounts.

Google acted swiftly to remove the weaponized extension from its official Chrome Store. However, this hasn’t deterred others from uploading various ChatGPT extensions to the same store. In August, Spin identified over 200 ChatGPT extensions on the Chrome webstore, a significant increase from the 11 identified in May.

Insufficient Controls

Spin’s analysis reveals that organizations with over 2,000 employees typically have an average of 1,454 installed extensions. The most common types include productivity-related extensions, developer tools, and accessibility enhancers. Surprisingly, 35% of these extensions pose a high risk, compared to 27% in organizations with fewer than 2,000 employees.

One alarming finding from Spin’s report is the prevalence of browser extensions with anonymous authors—42,938 in total. These extensions are utilized by organizations without due consideration for potential security risks. This is especially concerning because it’s relatively easy for malicious actors to publish extensions, notes Asatryan. Adding to the concern, some of the extensions used by organizations originate from sources outside official marketplaces.

Asatryan also highlights that organizations sometimes create their own extensions for internal use and upload them. However, this practice can introduce additional risks as such extensions may not undergo the same level of scrutiny and security checks as those available in official stores.

Spin’s research also uncovered instances where browsers initially pose no threat but acquire malicious characteristics through automatic updates. This can occur when attackers infiltrate an organization’s supply chain and inject malicious code into a legitimate update. Developers may also sell their extensions to third parties who then introduce malicious functionalities through updates.

Another consideration is how a browser extension can potentially misuse its permissions to behave unexpectedly. For instance, an extension granted ‘identity’ permission could use ‘webrequest’ permission to transmit this information to a third party, Asatryan explains.

To mitigate these risks, organizations are advised to establish and enforce policies based on third-party risk management frameworks. They should evaluate extensions and applications for operational, security, privacy, and compliance risks and consider implementing automated controls aligned with organizational policies. Asatryan recommends assessing extensions before installation by examining permission scopes, developer reputations, security and compliance audits, as well as reviewing user feedback, ratings, and any history of data breaches or security incidents. Regular updates and maintenance are also crucial.