Browser backdoors: Securing the new frontline of shadow IT

Browser extensions are a prime target for cybercriminals. And this isn’t just a consumer problem – it’s a new frontier in enterprises’ battle against shadow IT.

Ultimately, more extension permissions result in potentially bigger attack surfaces. Research shows that the average enterprise counts almost 1500 browser extensions across its ecosystem – even one bad add-on can cause reputational, financial, and privacy problems.

Going forward, admins need to step up and recognize the threat, take back control, and equip employees to serve as the first line of defense against these digital incursions.

Recognize the threat

Browser backdoors are a real and growing threat to enterprises. Researchers from Stanford University and the CISPA Helmholtz Center for Information Security set out to find just how much of a risk and returned with some concerning findings.

In the past three years, 280 million Chrome extension installs globally contained malware, and many of these dangerous extensions were available on the Chrome store for an extended period. For example, extensions with malware stayed up for more than a year (380 days) while extensions with vulnerable code were available for more than 1,248 days, on average. This matters because, once inside, malware-plagued extensions can cause havoc, from stealing plain-text passwords to draining bank accounts.

Google hit back in a blog post, claiming that less than 1% of the 250,000 extensions available on the Chrome store were found to include malware. In any case, this is still a potential backdoor that should be defended against accordingly, and it isn’t just a Chrome problem. Mozilla – the brains behind Firefox – also needed to step in a few years ago after more than half a million users downloaded malicious add-ons that blocked software updates and caused security headaches.

In my view, these dodgy extensions can be just as dangerous as malicious apps. Therefore, in much the same way admins mustn’t be afraid to blacklist apps that peek behind their firewall, the same ethos applies to weeding out browser extensions – when in doubt, block it out.

Take back browser control

Here, extension governance is key, and admins can and should set some ground rules to stop bad actors. Platforms like unified endpoint management (UEM) make this easy by enabling whitelisting, blacklisting and automatically installing or uninstalling extensions from a centralized console. Additionally, such platforms usually offer managed browsers, adding another layer to what employees can and can’t do on corporate devices.

Likewise, UEM platforms can ensure that users are running the latest version of the web browser and updating as necessary. Coupling this with endpoint detection and response can also help to identify if a breach takes place, swiftly identifying and responding to active and potential security threats that aren’t captured by typical antivirus programs, anti-malware software, and other traditional security tools.

Keep in mind that even if ecosystem orchestrators like Google and Mozilla remove a questionable extension from their respective store, it isn’t automatically removed from the browser itself. Rather, the extension will remain active until the next browser update cycle, leaving companies potentially exposed in the interim. Again, this makes the job of admins that much more important – requiring them to stay active and alert in the fight against browser backdoors.

Nonetheless, it’s heartening to see tech companies realize this threat and help admins. In June, Apple – with its browser, Safari – announced new mobile device management changes at its Worldwide Developers Conference. Now, Mac admins will enjoy greater control over defining allowed extensions, controlling managed extensions, and configuring extension website access.

Stop threats at the gate

To me, browsers are yet another example of the pervasive danger of shadow IT. As employees work hybrid or from home, often from their own endpoint or device, they can pick and choose the extensions they want. Studies tell us that companies give employees a certain amount of freedom with extensions, but often require approval at certain points or for specific categories of extensions.

Therefore, it’s up to admins to help users understand what is and isn’t safe. This can take the form of a one-off or recurring training session that instructs employees to consider if an extension requires more permissions than usual or whether the app author is difficult to identify – usually red flags. Ask your team to rethink their relationship with extensions: Is it necessary? Does it look safe? Do we already have approved software that achieves the same end?

Having employees ask and answer these questions can prevent unwanted or unneeded extensions from even having the chance to cause issues. Co-opting employees as a cybersecurity solution rather than a problem goes a long way to stopping malicious extensions at the gate.

At the end of the day, browser criminals will continue to be a thing. Chrome, for example, is the world’s biggest browser with a two-thirds market share and malware can sneak in. The best bet for admins and enterprises alike is to stop bad extensions from the get-go with training, guardrails, and vigilance.