Are browser extensions leaving your small business vulnerable?
As you read this, how many browser extensions do you have? They’re a useful way to customise your browsing experience, but they could pose a threat to your privacy and security. If your staff use them (on their own devices for work, or on work systems), browser extensions could put your business at risk.
Here’s what to look for – and how to prevent browser extensions being an open door into your business.
What are browser extensions – and are they all risky?
Browser extensions are designed to make life easier when browsing the web, modifying the interface or adding extra functionality. Popular ones block ads, translate text between languages, or add pages to third-party bookmarking apps like Pocket and Evernote. There are thousands available across different browsers, often aiming to boost productivity.
It’s not unheard of for people to run a double-digit number of browser extensions, particularly in Chrome. But there’s often a price to pay for convenience – including giving away your data. At worst, it could be the gateway to a serious data breach or cyber-attack that could cripple a business. And it’s hard to know what a malicious extension looks like, as T&Cs are often complicated and the majority are created by unknown third-party developers.
What does a malicious extension look like?
When we talk about deliberately malicious extensions, we’re mainly talking about those downloaded from third-party websites. However, some have made it on to the Google Play market recently; a presence there doesn’t mean they’re legitimate.
Researchers recently discovered four ‘sticky note’ app extensions in the Google Chrome Store that were actually generating profit by secretly clicking on pay-per-click ads. How did that work? When you download a browser extension, you are asked to accept permissions. It’s usually a yes / no choice, rather than allowing users to limit what the extensions are able to access.
In theory, browsers including Google Chrome allow users to customise their app permissions, but in practice most users don’t venture deep into the settings. Even basic extensions usually require permission to read and change all data on websites you visit – effectively giving them the power to do anything with your data. If you choose not to grant them that permission, the extension won’t be installed.
It’s not just browsers that present an open door to cybercriminals. Malicious extensions were recently discovered for Facebook Messenger, harvesting users’ data without their knowledge.
What about hacking innocuous extensions?
Browser extensions look attractive to hackers because of their huge user numbers. If hackers gain access to a popular extension they can add malicious content to an update, with users none the wiser. There’s been a rise in this type of hacking. Recently, hackers used phishing to access the plugin Copyfish to serve additional ads to users.
Extensions are notoriously hard to monetise, so often plugins are simply bought out by companies that then turn them into something users aren’t prepared for. That’s what happened to popular YouTube customizer Particle. Once bought, it was immediately turned into adware.
Is it safe to use any extensions?
Browser plugins can be useful, but it’s worth balancing that with the risk of allowing something third-party to ‘read and change’ your data. If you or your staff do need to use extensions, here are a few tips to help protect your business:
- Don’t use more extensions than you absolutely need – and review browser extensions whenever a device is handed between staff or upgraded. As well as upping the risk, having too many can also slow your device down.
- Only install from official app stores, which are subject to some level of scrutiny.
- Read the permissions carefully. If an extension you’ve already got requires a new permission, take that as a red flag that it might have been sold or hijacked. Before installing new plugins, take a good look at the permissions and make sure they fit what you’re expecting the app to do. If they don’t seem logical, don’t install it.
- Bolster your security software. At Ratcliff, we use next generation endpoint security systems to keep watch over your network, flagging malicious code wherever it’s found.
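The permission review in the tips above can be scripted. The following is an added example, not code from the original article: it flags manifests that request access to every site and lists permissions added since the last review. The function names and sample manifests are constructed for illustration, and the loader assumes the `<id>/<version>/manifest.json` layout of a Chrome profile's Extensions folder.

```python
import json
from pathlib import Path

# Match patterns that let an extension read and change data on every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Every permission and host pattern a manifest asks for (Manifest V2 and V3)."""
    items = list(manifest.get("permissions", []))
    items += manifest.get("host_permissions", [])      # Manifest V3 host access
    for script in manifest.get("content_scripts", []):
        items += script.get("matches", [])             # pages the extension injects into
    return {p for p in items if isinstance(p, str)}    # skip non-string legacy entries

def audit(manifest, baseline=None):
    """Return (all-site host patterns, permissions added since the baseline)."""
    perms = requested(manifest)
    added = perms - set(baseline) if baseline is not None else set()
    return sorted(perms & BROAD), sorted(added)

def load_manifests(extensions_dir):
    """Read manifests from an Extensions folder (assumed layout: id/version/manifest.json)."""
    found = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        found[path.parts[-3]] = json.loads(path.read_text(encoding="utf-8"))
    return found

# Constructed sample data: the same note-taking extension before and after an update.
OLD_NOTES = {"name": "Sticky Notes (sample)", "manifest_version": 3,
             "permissions": ["storage"]}
NEW_NOTES = {"name": "Sticky Notes (sample)", "manifest_version": 3,
             "permissions": ["storage", "tabs"],
             "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    baseline = requested(OLD_NOTES)          # saved at the previous review
    broad, added = audit(NEW_NOTES, baseline)
    print("all-site access:", broad)
    print("new since last review:", added)
```

Saving the output of `requested()` for each extension at every review gives the baseline that makes a newly requested permission stand out after an update.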
Need further advice? We’re happy to help. We provide industry-leading cybersecurity and managed services to London’s small businesses. Contact us to find out how we can help keep your business protected.