Browser extension-based threats continue to make the news, but extensions can improve user experience in the enterprise. IT should mitigate those threats without sacrificing browser UX.
Browser extensions have been around for over 20 years, debuting on Internet Explorer 5. They allow browsers to offer a more customized experience for users, from adding a digital clock to more intrusive extensions for content blocking.
Unfortunately, Google Chrome browser extensions have too much access to user data, and bad actors know how to take advantage. While all major browsers feature extensions, the majority of extension security issues center around Chrome extension security.
Dangers of Chrome extensions
When Chrome extensions were first released, users could download them from any website that wanted to offer them. This created an untenable situation where developers could release malicious extensions masquerading as something benign and useful.
To counteract these Chrome extension security issues, Google discontinued this practice in 2015 and required that all Chrome extensions be installed through the Chrome Web Store. This way, Google could institute a review process for all Chrome extensions, similar to the process that mobile apps go through before being published in a mobile OS' app store.
Unfortunately, this hasn't prevented dangerous extensions from reaching users, because the review process is automated. Bad actors can trick this process fairly easily, and users are the ones who pay the price for malicious extensions. For example, in 2018 a botnet called Droidclub resulted in over 400,000 infected computers that artificially raised ad impressions.
The biggest worry regarding Chrome extension security involves permissions. Depending on the permissions an extension requests, it can access browser history, passwords and other critical and sensitive information. Google has moved slowly in addressing these issues, often letting known malicious extensions remain on the Chrome Web Store until publications write about them, but it has made progress.
In 2019, Google announced that developers must use the permissions that provide the least amount of access to user data. Essentially, if two different permissions would each give a Chrome extension the data access it needs to function, the developer must request the one that grants the least access.
Chrome extension security versus usability
While extensions can be dangerous, that doesn't mean organizations can't use them and keep sensitive data safe at the same time.
Google offers a few options for organizations worried about Chrome extension security. Two common methods involve setting policies against user profiles or permissions. The former requires every user to have and log into a G Suite account, which admins can set policies against via the Google Admin console. For organizations that deploy Windows desktops, admins can use Group Policy or Windows Registry to block Chrome extensions based upon specific permissions.
Google's newest Chrome extension security improvement, Chrome Browser Cloud Management (CBCM), was specifically designed to improve extension management. The goal of CBCM is to provide users access to extensions, but still give admins some oversight and control.
Within the dashboard, admins can select permissions they don't want any Chrome extension to have, prevent download and installation on managed devices and disable extensions completely on specific websites. For example, certain websites may need to block all extensions for security purposes, but, overall, the organization can allow some user independence. CBCM also doesn't require users to log into a G Suite account. Instead, it uses an enrollment token that provisions Chrome on each endpoint.
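The following PowerShell script is an added example, not code from the article or from Google, showing the Windows Registry approach from the earlier paragraph: it writes Chrome's ExtensionSettings policy to block extensions that request a chosen set of permissions and to stop every extension from running on specific websites, then checks a constructed extension manifest against the same deny-list. The deny-list, the blocked hosts and the sample manifest are assumptions for illustration; run it in an elevated session.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session.
# Chrome reads dictionary policies on Windows as a JSON string under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Assumed deny-list: manifest permissions that expose history, traffic or the host.
$BlockedPermissions = @('history', 'webRequest', 'webRequestBlocking',
                        'debugger', 'nativeMessaging', 'clipboardRead')

# Assumed list of sites where no extension may run at all (the article's
# "block all extensions on certain websites" case).
$NoExtensionHosts = @('*://intranet.example.com/*', '*://*.hr.example.com/*')

# The "*" entry applies to every extension, including ones already installed.
$Settings = @{
    '*' = @{
        blocked_permissions     = $BlockedPermissions
        runtime_blocked_hosts   = $NoExtensionHosts
        blocked_install_message = 'Blocked by IT: extension requests a denied permission.'
    }
}

function Set-ChromeExtensionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $json = $Settings | ConvertTo-Json -Depth 5 -Compress
    New-ItemProperty -Path $PolicyKey -Name 'ExtensionSettings' -Value $json `
        -PropertyType String -Force | Out-Null
    # Read it back and parse so a typo in the JSON is caught before rollout.
    (Get-ItemProperty -Path $PolicyKey -Name 'ExtensionSettings').ExtensionSettings |
        ConvertFrom-Json
}

# Returns the permissions from an extension manifest that the policy would block.
# Useful when vetting a request to allow-list a specific extension.
function Get-DeniedManifestPermissions([string]$ManifestJson) {
    $manifest = $ManifestJson | ConvertFrom-Json
    $requested = @($manifest.permissions) + @($manifest.optional_permissions)
    $requested | Where-Object { $BlockedPermissions -contains $_ }
}

# Constructed sample manifest (hypothetical extension) for a dry run.
$SampleManifest = '{"name":"Example Helper","manifest_version":3,' +
                  '"permissions":["storage","history"],' +
                  '"optional_permissions":["clipboardRead"]}'

$applied = Set-ChromeExtensionPolicy
"Blocked permissions now in policy: $($applied.'*'.blocked_permissions -join ', ')"
"Sample manifest would be denied for: $((Get-DeniedManifestPermissions $SampleManifest) -join ', ')"
```

Chrome applies the new value at its next policy refresh; chrome://policy on the endpoint shows whether ExtensionSettings was parsed correctly.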
Duo Security released a free tool, CRXcavator, that IT professionals should consider. CRXcavator allows IT admins to review any Chrome extension's security stance. The tool reviews extensions against several criteria, including metadata, user ratings and content security, and then provides a numerical risk score.