Chrome Extension Security
Chrome extensions allow external applications access to your user’s browsing data and you may want to consider/review how you inventory and manage chrome extensions. As usual see below for my advice and tips.
One area that’s often overlooked in an organization is management of Chrome Extensions. It is one piece of a larger corporate security program, which also includes endpoint security, email security, user authentication into corporate apps, and onwards.
If you think about it, we do EVERYTHING through our browsers, from banking to logging into our AWS infrastructure. When we install a Chrome extension, we are giving a 3rd party access to a variety of our browsing data.
When a user installs a chrome extension, they are allowing a piece of code to run in their browser and access their site data. However, are we really aware of what data is accessed from this code and where it’s being sent to?
Recently a popular Chrome extension, The Great Suspender, which had 2M users, became a delivery mechanism for malware. Details here. Basically, this was a legitimate extension that solved a problem but required a tremendous amount of access. The company then sold the code to a 3rd party, which, unbeknownst to the author, turned out to have criminal motives.
This is a form of supply chain attack, similar to but different from the SolarWinds attack I mentioned some time ago. However, in this case, they just bought the whole supply chain! LOL
Here are some things a chrome extension can access:
Websites you visit and browsing history
Read data on websites you visit
Change data on websites you visit
By default, most extensions are active on all websites you visit. For example, a coupon code extension like Honey, which automatically applies a coupon code for you, requires access to read all sites you go to:
You can change that of course to only activate on the click of a button or on specific websites, which I recommend.
Consideration has to be given to where, and to whom, the data is being sent.
Is it a reputable company/developer or an unknown/obscure entity located somewhere shady?
Note: Even if it is a reputable company, as in the case of The Great Suspender, that would not prevent the app/company from selling it to a little-known organization with malicious intentions.
Does the extension require access to data I’m comfortable with?
Security Overhead vs Usability
One axiom in security is that security is inversely proportional to convenience. There are a few exceptions of course such as SSO, but it’s pretty spot on.
What is one to do about chrome extension security when you don’t have a huge IT/Security Team?
There is no good answer, except that the earlier you begin to tackle or consider it, the better. The larger your organization and/or the more sensitive your data, the clearer the decision becomes.
Here is my quick guide:
Get an inventory of extensions in your environment. Knowing is half the battle.
Utilize a tool like https://crxcavator.io/ to cross check with security permissions
Is it possible that this functionality could be done natively with Chrome? Sometimes it is solved in an update, just as tab groups are now.
Educate all your users on chrome extension security. They are often simply unaware of the risks, and may also not want such intrusive applications running on their browsers. Especially if they use it for personal use as well, which is often the case.
When considering enforcement:
Make sure to understand the impact to users. Have data to back up your decision, and have executive buy-in and understanding of the impact.
You can use an allow list or a deny list. Both have their pros and cons. Consider how you would maintain either.
Consider some sort of automation to allow chrome extensions to be added and easily approved.
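To make the inventory, permission cross-check and allow-list steps above concrete, here is an added example script (not from the original post or any tool it mentions). It walks a Chrome profile's Extensions directory, reads each extension's manifest.json, and flags extensions that can read every site or use sensitive APIs unless their ID is on an allow list you pass in; the permission set it flags, the sample manifest and the file name ext_inventory.py are assumptions of the example. On a workstation the directory is under the user's profile, e.g. ~/.config/google-chrome/Default/Extensions on Linux or "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions" on Windows.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity or site data (assumed list, not exhaustive).
SENSITIVE_PERMS = {"tabs", "history", "webRequest", "webRequestBlocking", "cookies",
                   "scripting", "webNavigation", "clipboardRead", "nativeMessaging"}

def review_manifest(manifest: dict) -> dict:
    """Summarise what a manifest.json asks for: all-site access and sensitive APIs."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))              # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2 style
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))                    # injected per site
    return {"name": manifest.get("name", "?"),   # may be a "__MSG_...__" locale key
            "version": manifest.get("version", "?"),
            "all_sites": bool(hosts & BROAD_HOSTS),
            "sensitive": sorted(perms & SENSITIVE_PERMS)}

def inventory(extensions_dir, allowlist: set) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and review each one."""
    rows = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-installed extension
        row = review_manifest(manifest)
        row["id"] = path.parent.parent.name
        row["allowed"] = row["id"] in allowlist
        rows.append(row)
    return rows

# Constructed sample manifest (not a real extension) with typical coupon/tab-manager access.
SAMPLE_MANIFEST = {"name": "Example Coupon Helper", "version": "1.2.0",
                   "manifest_version": 3, "permissions": ["tabs", "storage", "webRequest"],
                   "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    # Usage: python ext_inventory.py <Extensions dir> [allowed extension id ...]
    # With no arguments, reviews the constructed sample manifest instead.
    allowed = set(sys.argv[2:])
    rows = inventory(sys.argv[1], allowed) if len(sys.argv) > 1 else [review_manifest(SAMPLE_MANIFEST)]
    for r in rows:
        flag = "REVIEW" if (r["all_sites"] or r["sensitive"]) and not r.get("allowed") else "ok"
        print(f"{flag:6} {r.get('id', '-')} {r['name']} {r['version']} "
              f"all_sites={r['all_sites']} sensitive={r['sensitive']}")
```

Feed the REVIEW rows' IDs into a tool like crxcavator for the deeper check, and the IDs you accept into whatever allow list you maintain.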
In the future I hope to do a deep dive on this topic, but for now I just want to raise awareness of this issue, the main point of this newsletter.
Application management on end-user devices is a difficult, but important topic. Conduct a threat modeling exercise to help inform your decision on this topic.
Consider the access that does NOT prompt a user