Browser Extensions in the Enterprise
Browser extensions and their potential for malicious abuse highlight how enterprises need more capabilities than the standard consumer browsers provide.
The web browser is the most important enterprise application, as it’s the common access point for other enterprise applications. Today, most organizations use a consumer browser, the same browsers that are freely downloaded by billions of users at home. The design constraints required to serve the consumer market mean an extreme range of flexibility and open access. Recent events showed how the open nature of the browser extension framework can be exploited by bad actors and leveraged to hijack sensitive data.
The Cyberhaven Incident
On Christmas Eve 2024, Cyberhaven fell victim to a targeted phishing attack that targeted an employee with admin access to the Chrome Web Store. The phishing email linked to a genuine Google domain, showing an OAuth consent page for a malicious application that was controlled by the attacker and used the Chrome Web Store API to upload and publish a new malicious extension (version 24.10.4). This update was capable of exfiltrating sensitive user data, including authenticated sessions and cookies, to an external domain controlled by the attackers. The malicious code was active for approximately 25 hours before being detected and removed by Cyberhaven's security team on December 25, 2024.
Wider Impact on Chrome Extensions
This incident was not isolated to Cyberhaven; it was part of a broader campaign targeting various Chrome extension developers. Security researchers found over two dozen Chrome extensions were similarly compromised, potentially affecting over 2.5 million users. Extensions like Internxt VPN, VPNCity, Uvoice, and others carried malicious scripts that could steal sensitive data. The attacks primarily attempted to harvest data from users interacting with platforms like social media for advertising purposes. Read Island’s technical analysis of the situation here.
The Challenge with Browser Extensions
Browser extensions add functionality and capabilities, often aimed at productivity and workflow automation. The Chrome Web Store currently hosts over 200,000 extensions, and most are for a consumer audience. The extension framework on consumer browsers is designed for a quick and easy process to add extensions, with only a few clicks.
To protect users, extension publishers must declare which permissions are to be granted and give the user an opportunity to review. However, it’s unreasonable to expect that the average user has the context to carefully evaluate these declarations and the associated risks that each of those permissions carries. The same capabilities that make extensions a powerful productivity and automation tool can be exploited to push spam, harvest personal details, or even exfiltrate session tokens and passwords.
Areas where browser extensions introduce risk:
- Excessive Permissions: Many extensions request broader access to user data than strictly necessary, allowing them to collect sensitive information and perform actions beyond their intended functionality. For example, an extension with the `webRequest` permission on all URLs can observe and modify every network request leaving the browser.
- JavaScript Vulnerabilities: As extensions are built using JavaScript, they are susceptible to common web vulnerabilities like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and unintended script execution.
- Lack of User Awareness: Users often grant permissions without fully understanding what they are allowing an extension to access.
- Outdated Extensions: Extensions that are not regularly updated can have unpatched vulnerabilities that attackers can exploit. In June 2024, Chromium released manifest V3 to improve the security and performance of the extension ecosystem. Six months later, more than 81,000 extensions still haven’t been updated. Extensions still on the deprecated manifest V2 are particularly susceptible to malicious activity by rogue background services and remotely hosted code.
- Malicious Developers: Some developers intentionally create extensions with malicious code to steal data or track user activity.
- Difficult Detection: Because extensions are embedded within the browser, their malicious activity can be harder to detect than that of standalone applications.
- Extension Ownership and Origination: An extension may begin its life as a harmless resource designed to provide a specific function and build a trustworthy reputation. But if control of the developer account changes, the extension could evolve into something more risky or even malicious.
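The two risk areas a defender can check mechanically, excessive permissions and a deprecated manifest version, can be read straight out of an extension's `manifest.json`. The following is an added example, not Island's risk scoring or any code from the page: a simplified triage script over two constructed manifests (`notes-helper` and `legacy-vpn`, both invented), whose weights and threshold are assumptions chosen for illustration.

```python
import json

# Constructed sample manifests (invented extensions, not real ones): a minimal
# MV3 extension and a broad-permission MV2 one matching the risk areas above.
SAMPLE_MANIFESTS = {
    "notes-helper": json.dumps({
        "manifest_version": 3, "name": "Notes Helper", "version": "1.2.0",
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"],
    }),
    "legacy-vpn": json.dumps({
        "manifest_version": 2, "name": "Legacy VPN", "version": "2.0.1",
        "permissions": ["webRequest", "webRequestBlocking", "cookies", "<all_urls>"],
        "background": {"scripts": ["bg.js"], "persistent": True},
    }),
}

# Chrome permissions that expose other sites' traffic or identity; weights are assumptions.
SENSITIVE_PERMISSIONS = {
    "webRequest": 3, "webRequestBlocking": 2, "cookies": 3, "tabs": 1,
    "history": 2, "clipboardRead": 2, "debugger": 4, "nativeMessaging": 3,
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def assess_manifest(manifest_text):
    """Return (score, findings) for one manifest.json; a higher score means more risk."""
    m = json.loads(manifest_text)
    findings, score = [], 0
    perms = set(m.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "/" in p or p == "<all_urls>"}
    if m.get("manifest_version", 0) < 3:
        score += 3
        findings.append("manifest V2: persistent background scripts and remote code allowed")
    broad = hosts.intersection(BROAD_HOST_PATTERNS)
    if broad:
        score += 4
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    for p in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        score += SENSITIVE_PERMISSIONS[p]
        findings.append("sensitive permission: " + p)
    if "webRequest" in perms and broad:  # the all-URL webRequest pattern called out above
        score += 3
        findings.append("can observe and modify all browser traffic")
    return score, findings

def triage(manifests, threshold=6):
    """Map each extension name to 'review' or 'ok' by comparing its score to the threshold."""
    return {name: ("review" if assess_manifest(text)[0] >= threshold else "ok")
            for name, text in manifests.items()}
```

Feeding the script the manifests from an endpoint's extension directory gives a first-pass review queue; it says nothing about developer reputation or behavioral history, which need data beyond the manifest.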
Enter the Enterprise Browser
The enterprise differs from the consumer market and deserves a browser designed for the workplace. This is why Island created the Enterprise Browser and the Island Extension. By focusing on the needs of practitioners and the enterprises they serve, the Enterprise Browser and Island Extension are built with a fundamentally different design from consumer browsers:
- Every user is authenticated with enterprise credentials
- A management control plane gives administrators control over policies and settings
- Last-mile controls protect sensitive applications and data movements
- Critical browser activities are audited, while respecting personal privacy
- Browser extensions are evaluated for risk and managed by the organization
- The Enterprise Browser’s secure-by-design architecture protects against browser attacks, including local attacks
- The Enterprise Browser protects cookies and session data with unique encryption
Extension Ecosystem Risk Assessment for the Enterprise
The needs of an enterprise environment differ wildly from those of a consumer audience. Thus, when consumer browsers are used in an enterprise context, their capabilities simply do not meet the need. The lack of extension management in the consumer browser space clearly leaves a wide opening for malicious attackers targeting the enterprise. As we saw recently, even a trusted extension from a reputable vendor can be hijacked and replaced with a malicious version.
The solution is not to reject browser extensions wholesale, but rather to allow the enterprise to embrace their usage while applying scrutiny and controls over the extension framework. Island brings the entire browser platform — including extensions — out of the consumer context and into enterprise control.
Extension Risk Scoring
Island evaluates every extension published on the Chrome Web Store and analyzes its risk impact. This is based on criteria such as the permissions an extension requires, the source/developer of the extension, its time in market, its behavioral history, extension reviews, and more. This analysis covers each extension version, so it can detect and alert if an extension changes its risk profile.
Administrators can view the risk profile for every extension present in their environment, and evaluate new extensions in the extension library that mirrors the Chrome Web Store. Island automates this process to ensure near real-time response as extensions evolve or new ones arise. Island researchers are actively participating in the ongoing discovery of compromised extensions, contributing to the real-time threat research being done by the cybersecurity community.
Extension Management
Organizations use Island to define their enterprise policy for browser extensions and enforce controls to limit risk. This can include allow or block lists, automatic extension installation, and managed settings to configure extensions. In addition, Island Extension Guard can selectively disable extensions when accessing sensitive applications, offering maximum flexibility while minimizing enterprise risk.
Browser Protections
Island protects every browser session against the type of malicious attacks that are often employed by abusing the extension framework. Sensitive browser data like session tokens and cookies are protected with unique encryption to prevent exfiltration. Browser mechanisms often used in exploits, like developer tools, debug mode, and headless mode, are all disabled by default and managed by policy. This limits the potential for attackers to shift laterally, or extract sensitive data from the browser, even in a situation where a malicious extension is present.
Workflow Protections
To protect the developer side of the extension equation, Island can protect critical workflows like accessing the Chrome Web Store and publishing new extensions. An organization can apply browser enforcement to require Island for any interaction with the Chrome Web Store, then add additional protections like an independent MFA challenge or an approval workflow. These practical steps minimize the risk of a rogue employee or a phishing attack that targets the extension ecosystem supply chain.
Flexible Deployment
The Island Enterprise Browser is the ideal workspace for enterprise use. But organizations need to protect their full browser deployment, which may include consumer browsers such as Chrome and Edge. By deploying the Island Extension to those browsers, IT and security teams gain full visibility of their entire browser estate and all browser extensions. Island licensing is user-based, so customers can deploy either the Enterprise Browser or the Island Extension as their situation dictates.
Enterprise Requirements need Enterprise Capabilities
The browser is at the center of most enterprise application workflows. Consumer browsers, while freely available and widely deployed, are designed for a fundamentally different usage pattern. Browser extensions and their potential for malicious abuse highlight how enterprises need more capabilities than the standard consumer browsers provide.
Island, the Enterprise Browser, offers a complete solution that brings browser extensions under enterprise control and protects the full browser experience. With dynamic extension risk scoring, managed policies, and enhanced browser protections, Island empowers IT and security teams to safeguard sensitive data and maintain operational integrity. These protections extend across the full browser estate with the Island Extension, ensuring consistent visibility, controls, and protections.
Sometimes, changing one thing changes everything.
Michael is Field CTO at Island, bringing over 30 years of data networking, operations, and cybersecurity domain expertise. He formerly served as Head of Technical Marketing and Chief Cybersecurity Evangelist at SentinelOne, where he was responsible for messaging and strategic development of their XDR product roadmap as well as the identity security portfolio. Prior to SentinelOne he held the title of Chief Technical Strategist for McAfee. Michael was the co-founder and CTO of NitroSecurity (later acquired by McAfee), where he was responsible for developing and implementing their overall SIEM technology vision and roadmap, and has held senior technical management positions at Cabletron and Avaya. Michael studied Computer and Electrical Engineering at the Georgia Institute of Technology and received an honorary MBA from Bentley University, where he helped create the Information Age MBA curriculum. He is also an adjunct professor teaching cybersecurity courses at Rochester Institute of Technology in New York and Norwich University in Vermont.