Browser Extensions: A Hidden Gateway for Cybercriminals

The way we work continues to evolve – shifting critical business applications from the hardened data center to the web browser. Users can log in from anywhere with an Internet connection and access web apps, Software as a Service (SaaS) platforms and other web-based tools wherever business takes them.

As browsers continue to grow in importance, browser functionality has had to keep up. Enter browser extensions – software modules that you can layer on top of default browser capabilities to do specialized tasks while interacting on the Internet. Extensions allow users to block ads, synch bookmarks between devices, take notes, save passwords, capture screenshots and do just about anything that saves them time or makes them more productive.

However, as beneficial as extensions can be to a user, they also pose a great risk to the organization. Threat actors are increasingly targeting browser extensions as a way to breach enterprise networks, and IT teams lack the visibility and control they need to stop these attacks.

Extensions pose a major risk

Browser extensions are inherently hard to secure. First, they can be updated by just about any developer with a good reputation – not just the original publisher – which allows anyone to insert malware into the latest update. At the same time, users typically do not have to go through IT to install an extension on their machine. Nor do they even have to ask permission. Security teams really have no visibility into these browser-based tools that have shockingly open access to critical enterprise data and applications.

Threat actors are using the lack of visibility into browser activity to breach distributed end points. From there, they can lay in wait for days or months and search for ways to infiltrate the enterprise network. For example, a myriad of fake ChatGPT extensions are offered through official app stores. Essentially malware, these extensions give developers access to users’ systems, record keystrokes, capture screenshots, deliver a payload or exfiltrate data.

Organizations can’t simply block all extension downloads. They’d have a user revolt on their hands from users who use the extensions to be more productive. They also can’t require permission as it would take time and resources to approve requests or maintain white and black lists. And leaving security to users’ good judgment is certainly not a winning strategy. Not only are users not trained to detect suspicious downloads, they have every incentive to find a workaround so they can remain productive.

The need for better visibility and control

Organizations need to find a way to identify malicious extensions and prevent them from gaining an initial foothold on the enterprise network. This can be accomplished through better browser visibility and control.

1. Focus on prevention

Isolation allows organizations to block malicious extensions without limiting access to safe extensions. It works by opening the installer page in a remote browser in the cloud, tricking any potential malware into thinking it’s on the end point and executing its payload. Malicious payloads can then be quarantined in a sandbox – well away from the end device.

2. Identify evasive threats

If a malicious extension is able to install itself on an endpoint, it can gain privileged status and start spreading through the network. IT teams need visibility into the extension’s behavior and identify evasive actions. Prevention tools powered by artificial intelligence (AI) and machine learning (ML) should be able to identify fake logos, suspicious fonts and other indicators that an extension is not what it purports to be. They can then generate automated alerts and enriched threat intelligence for better and faster incident response.

Empower your users safely

Browser extensions are a boon for today’s distributed users – allowing them to add specialized capabilities directly on their browsers so they can improve productivity on the internet. But IT has virtually no visibility into the behavior of these extensions – posing a significant risk to the organization. Better visibility and control (through isolation and AI/ML powered analytics tools) can help mitigate these risks, giving IT teams the ability to detect, stop and remediate malicious extensions without impacting user productivity.