Browser extensions leave enterprises open to attack
Despite being present on virtually every employee's browser, extensions and plug-ins are rarely monitored by security teams or controlled by IT, and a new report shows that this could be leaving enterprises at risk.
The study from LayerX Security combines real-life usage data from enterprise users with data from public extension stores to reveal how organizations and employees interact with extensions, along with the associated risks and security blind spots.
The report finds that 99 percent of enterprise users have at least one browser extension installed. More than half (53 percent) have over 10 extensions installed in their browsers. This widespread usage means almost every employee represents a potential attack vector.
More worrying is that 53 percent of enterprise users have installed extensions with 'high' or 'critical' permission scopes. These extensions can access cookies, passwords, browsing data and more, meaning that enterprise users are at a higher risk of exposure.
Over 20 percent of enterprise users have a GenAI-enabled browser extension installed. These can bypass corporate GenAI access controls and gain privileged access to sensitive data at twice the rate of other extensions. 58 percent of these GenAI extensions have 'high' or 'critical' permissions (such as access to cookies, identities or scripting), twice the average rate of all other extensions, making them a particularly large risk.
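The 'high' and 'critical' permission scopes above are what a security team can actually check for: an extension declares its API permissions and host patterns in its manifest.json. The following script is an added example written for this article (not LayerX's code or the report's scoring method); it tiers a manifest by an assumed permission policy, treats broad host access combined with scripting or cookie access as critical, and can walk a browser profile's Extensions directory. The sample manifests are constructed, and the Windows Chrome profile path in the docstring is given as an assumption rather than taken from the report.

```python
"""Inventory and tier browser extensions by the permissions in their manifest.

Added illustrative example, not code from LayerX or from the report. The
tiering rules below are an assumption of this example, not the report's
methodology; adjust them to your own policy.
"""
import json
from pathlib import Path

# Assumed tiering of Manifest V2/V3 permission names (example policy).
CRITICAL_PERMS = {"cookies", "debugger", "webRequestBlocking", "nativeMessaging", "proxy"}
HIGH_PERMS = {"scripting", "webRequest", "tabs", "history", "identity",
              "clipboardRead", "downloads", "management", "webNavigation"}
MEDIUM_PERMS = {"storage", "activeTab", "notifications", "bookmarks", "contextMenus"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _split_hosts(manifest):
    """Return (api_permissions, host_patterns). MV2 manifests mix host match
    patterns into "permissions"; MV3 keeps them in "host_permissions"."""
    api = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for p in list(api):
        if p == "<all_urls>" or "://" in p:
            api.discard(p)
            hosts.add(p)
    return api, hosts


def classify_manifest(manifest):
    """Assign a risk tier (low/medium/high/critical) and list the reasons."""
    api, hosts = _split_hosts(manifest)
    broad_hosts = sorted(hosts & BROAD_HOSTS)
    crit = sorted(api & CRITICAL_PERMS)
    high = sorted(api & HIGH_PERMS)
    reasons = [f"permission '{p}' (critical)" for p in crit]
    reasons += [f"permission '{p}' (high)" for p in high]
    if broad_hosts:
        reasons.append("broad host access: " + ", ".join(broad_hosts))
    # Cookie/debugger-class access, or any-site access plus scripting/tabs, is critical.
    if crit or (broad_hosts and high):
        tier = "critical"
    elif high or broad_hosts:
        tier = "high"
    elif api & MEDIUM_PERMS:
        tier = "medium"
    else:
        tier = "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "tier": tier,
        "reasons": reasons,
    }


def scan_extension_root(root):
    """Classify every manifest.json under a browser profile's Extensions dir.
    For Chrome on Windows that directory is typically
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (assumed
    path for illustration; not taken from the report)."""
    results = []
    for path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash the inventory
        entry = classify_manifest(manifest)
        entry["path"] = str(path)
        results.append(entry)
    return results


def needs_review(results, min_tier="high"):
    """Filter inventory entries at or above a tier for security-team review."""
    order = ["low", "medium", "high", "critical"]
    return [r for r in results if order.index(r["tier"]) >= order.index(min_tier)]


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    {"name": "Chat Assistant (constructed)", "version": "1.4", "manifest_version": 3,
     "permissions": ["scripting", "storage", "cookies"], "host_permissions": ["<all_urls>"]},
    {"name": "Tab Notes (constructed)", "version": "0.9", "manifest_version": 2,
     "permissions": ["tabs", "storage", "https://notes.example/*"]},
    {"name": "Quiet Theme (constructed)", "version": "2.0", "manifest_version": 3,
     "permissions": ["storage"]},
]

if __name__ == "__main__":
    inventory = [classify_manifest(m) for m in SAMPLE_MANIFESTS]
    for r in needs_review(inventory):
        print(f"{r['tier'].upper():8} {r['name']} {r['version']}: " + "; ".join(r["reasons"]))
```

Run against a real profile with `scan_extension_root(path)` and feed the result to `needs_review`; the reasons list gives the reviewer the specific permission that raised the tier, which is what an allow-list decision (for example via the browser's enterprise extension policy) needs to be based on.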
"Browser extensions have quietly become one of the most overlooked threat surfaces in enterprise environments," says Or Eshed, CEO and co-founder of LayerX Security. "Our latest report shows that extensions are not only everywhere in the enterprise, they're also highly privileged, largely unvetted and often tied to anonymous publishers, posing a risk to security leaders that they can no longer afford to ignore."
Part of the problem is that many extensions don't get updated. 51 percent of all extensions haven't received updates in over a year. Of those, 25 percent are published by developers identified only by a free webmail account, raising the possibility that these are 'hobbyist' extensions that have been abandoned.
How well an organization can trust an extension often depends on the reputation of the extension publisher. However, 54 percent of extension publishers use a free webmail account, and 79 percent have only published a single extension. Also, 22 percent of extensions are less than six months old. With little to no information to go on, establishing the trustworthiness of such extensions is virtually impossible.
You can get the full report, which includes recommendations for keeping the organization secure, from the LayerX site.
Image credit: jpkirakun/depositphotos.com