Software-as-a-service (SaaS) applications have become foundational to enterprises that use them to drive productivity, improve the customer experience, and connect an increasingly distributed workforce. That said, the software also increases security risks to companies, broadening the attack surface for bad actors and exposing data to more threats.
Spin.AI, a six-year-old company that offers its SpinOne SaaS security platform, has been analyzing the risks that come with SaaS adoption. In March, the firm released a report indicating that more than 75% of SaaS applications were either medium- or high-risk, meaning they represented significant risks to data stored on the Microsoft 365 and Google Workspace platforms.
This week Spin.AI released another report, this one turning the focus on browser extensions, widely used software modules for customizing a web browser, with plug-ins including cookie managers, ad blockers, content filters, and custom scripting.
Spin.AI used its AI algorithms on the SpinOne platform to analyze more than 300,000 extensions and third-party OAuth applications being used in businesses and based the assessments on the risks they pose to security, compliance, privacy, and operations.
The company focused on Chromium-based browsers and found that almost 51% of installed extensions used in Microsoft 365 and Google Workspace were high-risk, with another 44.5% being medium-risk.
This is something to be concerned about, according to Davit Asatryan, director of product at Spin.AI.
This is a concern for IT professionals and a way for attackers to access company resources through supply-chain attacks, according to Liel Ran, co-founder and CTO of SaaS security platform provider DoControl.
“The lack of visibility on the extension’s activity in combination with extended permission to Google Workspace APIs and company data, such as Google Drive, Gmail, and Google Calendar, make browser extensions an easy way for attackers to deploy and gain access,” Ran told Security Boulevard. “Most companies want to let employees be productive, but find it hard to maintain and review each Chrome extension.”
Extension Management is Key
Browser extensions can be as dangerous as – or more dangerous than – third-party SaaS applications to business-critical data, and they increase the responsibility on administrators to manage and mitigate the risks in their organizations, he wrote.
Spin.AI isn’t the only cybersecurity firm to find problems with extensions. Researchers with Avast in June wrote in a blog post that they found 32 malicious extensions in the Google Chrome Store that had been downloaded 75 million times.
“The extensions’ functionalities ranged from adblocks, downloaders, and browser themes to recorders and tab managers,” they wrote.
Spin.AI has been banging the drum for better security around extensions. In May, the company announced it had partnered with Google to create a new Chrome Extension Risk Assessment capability in the Chrome Browser Cloud Management console.
The report this week “reveal[s] that businesses must continuously evaluate extensions and SaaS applications, and the risks they pose in the environment, as risk scores can change over time,” Asatryan wrote.
He wrote that there are possible reasons for the number of high-risk extensions in Spin.AI’s evaluation, from the difficulty of assessing risk and the economics of cybercrime to confusion about what Google, Microsoft, and other vendors protect.
Developers Face the Highest Risks
Still, the risks are real. Spin.AI found that the extensions most enterprises used were to enhance productivity, such as Grammarly for writing assistance. However, the category with the highest percentage of high-risk extensions – at more than 56% – was cloud developer, such as Microsoft’s AI-based Copilot.
Among the risks that come with extensions are actions by malicious applications. In addition, some extensions collect sensitive information like banking details, login credentials, and authentication tokens, making them an attractive target for bad actors. The data could be compromised through permissions granted by users, according to Asatryan.
“More importantly, permissions can also be used together in a way that leads to greater security or compliance risks,” he wrote. “An extension could obtain ‘identity’ permission and then use the ‘webrequest’ permission to send this information to a third party.”
Monitoring app permissions and understanding their combinations are key to reducing the risks from extensions.
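As an added illustration of that point (example code written here, not Spin.AI's or the article's own tooling), the following Python script reads extension manifest.json files and flags the kind of permission pairing Asatryan describes. The sample manifests are constructed, and the risky pairs beyond identity + webRequest are assumptions chosen for illustration.

```python
import json

# Pairs that are individually common but together let an extension leak identity
# or session data off-host. identity + webRequest is the case the article cites;
# the other two pairs are assumptions added here for illustration.
RISKY_COMBINATIONS = {
    frozenset({"identity", "webRequest"}): "can read the user's identity and send it off-host",
    frozenset({"cookies", "<all_urls>"}): "can read session cookies for every site",
    frozenset({"scripting", "<all_urls>"}): "can inject scripts into any page",
}
SENSITIVE = {"identity", "cookies", "webRequest", "scripting", "<all_urls>"}

def normalize(perm: str) -> str:
    """Treat catch-all host match patterns the same as the <all_urls> permission."""
    return "<all_urls>" if perm in ("*://*/*", "http://*/*", "https://*/*") else perm

def effective_permissions(manifest: dict) -> set:
    """Union of permissions, optional permissions and host patterns (MV2 and MV3)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(normalize(p) for p in manifest.get(key, []))
    return perms

def assess(manifest: dict) -> dict:
    """Rate one manifest: 'block' on a risky pair, 'review' on any sensitive permission."""
    perms = effective_permissions(manifest)
    findings = [why for combo, why in RISKY_COMBINATIONS.items() if combo <= perms]
    if findings:
        verdict = "block"
    elif perms & SENSITIVE:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": manifest.get("name", "?"), "findings": findings, "verdict": verdict}

# Constructed manifests for demonstration, not real extensions from the Chrome Web Store.
SAMPLE_MANIFESTS = [
    '{"name":"Writing Helper","manifest_version":3,"permissions":["storage","activeTab"]}',
    '{"name":"Sync Tool","manifest_version":3,"permissions":["identity","webRequest"],'
    ' "host_permissions":["https://api.example.invalid/*"]}',
    '{"name":"Cookie Viewer","manifest_version":3,"permissions":["cookies"],'
    ' "host_permissions":["*://*/*"]}',
    '{"name":"Login Badge","manifest_version":2,"permissions":["identity"]}',
]

def assess_all(manifest_texts):
    """Parse and assess a list of manifest.json strings."""
    return [assess(json.loads(text)) for text in manifest_texts]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_MANIFESTS):
        print(f"{r['verdict']:6} {r['name']}: {'; '.join(r['findings']) or 'no risky pair'}")
```

A single sensitive permission only earns a "review" verdict; it is the combination that triggers a block, which is the distinction the article draws.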
Asatryan pointed to a situation in which a fake extension masquerading as a legitimate ChatGPT Chrome browser extension and installed by more than 9,000 users was advertised on Facebook as a way to help users improve their search engine using the generative AI tool. Instead, it was used to hijack Facebook accounts.
Google removed the extension from its Chrome Web Store, but by then the extension had been used to steal login credentials of at least 6,000 corporate accounts and 7,000 VPN accounts.
He noted that unregulated ChatGPT extensions are rapidly multiplying. In May, there were 11 extensions for ChatGPT in the Google store. This month, there are more than 200.
Asatryan wrote that enterprises need to take a comprehensive approach to addressing SaaS security, including creating a real-time inventory of SaaS applications and extensions, conducting ongoing risk assessments, creating and enforcing policies using third-party management frameworks, and implementing policy-based automated controls for allowing or blocking extensions and applications.