The threat of data exfiltration is a significant one for any organization. Every business has sensitive data that needs to be protected, whether it’s research and development data, employee records, or the personal data of customers.
In recent years, data security has received a great deal of attention around the world. The steady stream of reported data breaches has drawn customers’ attention to the types of data that companies collect and caused discontent with those organizations’ inability to protect it.
As a result, legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has been enacted to push organizations to take proper measures to secure their customers’ sensitive data. By expanding the scope of protected data, the actions (or failures to act) that can be penalized, and the size of the penalties for a breach, these laws give any organization ample incentive to secure its sensitive data.
In order to properly protect their data, organizations need to be aware of the potential sources of data leaks and the risks associated with them. One source of leaks that continues to appear is browser extensions.
Browser Extension Security
Browser extensions, as their name suggests, are designed to extend the functionality of a browser. They work much like apps on a smartphone: you have a platform with basic functionality (a smartphone or a web browser) and you install applications that perform specific tasks. Browser extensions can be extremely useful; however, they can also pose a significant security risk. Like smartphone apps, browser extensions are granted permissions within the browser, such as reading the URL and title of every open tab, injecting scripts into every page, or intercepting web requests. Also like smartphone apps, extensions can abuse those permissions to read sensitive information out of the browser and send it to criminals.
When dealing with browser extensions, it’s important to check the permissions each one requests. Chrome groups permissions by their level of access and shows an install-time warning for the dangerous ones; an extension that requests many permissions, or broad ones such as access to your data on all websites, is a correspondingly greater risk. Even setting aside deliberately malicious extensions, legitimate extensions have been compromised (typically by taking over the developer’s publishing account) and then updated with code that steals sensitive data.
Browser extensions can be extremely useful to an organization: password managers and in-browser PDF readers, for example, are commonly delivered as extensions. However, organizations should also develop and enforce a policy that limits which extensions may be installed, for instance an allowlist enforced through the browser’s enterprise policy settings, to protect against malicious ones stealing and exfiltrating sensitive information.
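The permission check described above can be made systematic. The following is an added example written for this article (it is not code from the original page, from any of the extensions named here, or from the DataSpii report): a Node.js script that reads an extension’s manifest.json, scores the permissions and host patterns it declares, and produces an allow/review/block verdict that an allowlist policy can be built on. The risk weights, the verdict thresholds, and the three sample manifests are this example’s own assumptions; Chrome’s install-time warnings group permissions somewhat differently.

```javascript
// Added example for this article; it is not code from the original page or
// from the DataSpii report. It scores an extension's manifest.json by the
// permissions it declares so an allowlist decision can be made consistently.
// The risk weights and verdict thresholds are assumptions of this example;
// Chrome's own install-time warnings group permissions differently.

const PERMISSION_RISK = {
  // See every page the user visits (URL, title): this is browsing history
  tabs: 3,
  history: 3,
  webNavigation: 3,
  // Observe or rewrite traffic, read cookies, redirect through a proxy
  webRequest: 3,
  webRequestBlocking: 3,
  cookies: 3,
  proxy: 3,
  // Reach beyond the page: attach a debugger, talk to native binaries
  debugger: 4,
  nativeMessaging: 4,
  management: 2,
  clipboardRead: 2,
  downloads: 1,
  // Low risk on their own
  storage: 0,
  alarms: 0,
  contextMenus: 0,
  activeTab: 0,
};

// Match patterns that grant access to every site
const ALL_URLS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host permissions are match patterns rather than API names
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

function hostRisk(pattern) {
  if (ALL_URLS.has(pattern)) return 4;           // all data on all websites
  if (pattern.includes("://*.")) return 2;       // every subdomain of a domain
  return 1;                                      // one named origin
}

function auditManifest(manifest) {
  // MV2 lists host patterns in `permissions`; MV3 moves them to `host_permissions`
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  const findings = [];
  let score = 0;
  for (const p of declared) {
    if (isHostPattern(p)) {
      const r = hostRisk(p);
      score += r;
      if (r >= 2) findings.push(`host access ${p} (risk ${r})`);
    } else if (p in PERMISSION_RISK) {
      const r = PERMISSION_RISK[p];
      score += r;
      if (r >= 2) findings.push(`${p} (risk ${r})`);
    } else {
      score += 1;                                // unknown: assume mild risk, review by hand
      findings.push(`unrecognized permission ${p} (review manually)`);
    }
  }
  // A content script injected into every site reads page content everywhere,
  // even without webRequest, so treat it like broad host access
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (ALL_URLS.has(m)) {
        score += 2;
        findings.push(`content script on ${m}`);
      }
    }
  }
  const verdict = score >= 6 ? "block" : score >= 3 ? "review" : "allow";
  return { name: manifest.name, score, findings, verdict };
}

// Constructed sample manifests (not real extensions)
const SAMPLE_MANIFESTS = [
  {
    name: "Sample A: page zoom helper",
    manifest_version: 3,
    permissions: ["tabs", "webRequest", "storage"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
  {
    name: "Sample B: internal docs viewer",
    manifest_version: 2,
    permissions: ["storage", "alarms", "https://docs.example.com/*"],
  },
  {
    name: "Sample C: download organizer",
    manifest_version: 3,
    permissions: ["downloads", "contextMenus"],
    host_permissions: ["*://*.example.com/*"],
  },
];

for (const m of SAMPLE_MANIFESTS) {
  const r = auditManifest(m);
  console.log(`${r.verdict.padEnd(6)} score=${r.score}  ${r.name}`);
  for (const f of r.findings) console.log(`         - ${f}`);
}
```

Sample A, which combines `tabs`, `webRequest`, and `<all_urls>` with a content script on every site, is exactly the profile that lets an extension report every URL a user visits, and it scores "block"; Sample B, scoped to a single internal origin, scores "allow". To run this against a real extension, load its unpacked manifest.json with `JSON.parse(fs.readFileSync(...))` and pass the object to `auditManifest`.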
The DataSpii Scandal
A scandal related to browser extensions was recently reported by Sam Jadali of Security with Sam. The issue, named DataSpii, concerns malicious behavior by several Chrome and Firefox browser extensions, including HoverZoom, SpeakIt!, FairShare Unlock, PanelMeasurement, and others. All of these extensions have at least half a million users, including employees of Fortune 500 companies.
These extensions are developed by an unnamed company (called Company X in the report) and designed to provide insight into the activity of the extensions’ users. Customers of Company X sign up to receive (supposedly) anonymized information on those users’ browsing habits, including the URLs they visit, details of the operating system and software on their computers, and internet connection information (ISP, city, state, etc.).
One implication of sharing these URLs is that any sensitive data embedded in them leaks too. Web applications routinely place data in the path and query string of a URL. While Company X tries to anonymize this data, some of it gets through, including passenger names on flight reservations and location data for ridesharing services like Lyft or Uber.
While sharing the links visited by extension users is bad enough for privacy, the exposure isn’t limited to browsing habits. With the growing use of cloud-based document storage and communications, URLs themselves have become credentials. For example, a Google Doc can be shared with anyone who has the URL, and many conference calling applications (like Zoom) let participants join a meeting simply by browsing to a meeting-specific URL. Subscribers to Company X’s service (which is available via a limited free trial) can see these unique URLs as the extensions’ users visit them, which lets a subscriber open potentially sensitive internal documents or even join video calls internal to the company or with its strategic partners.
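To make the two preceding points concrete (data carried in query strings, and URLs that are themselves credentials), here is an added example written for this article; it is not code from the original page or from the DataSpii report. It is the kind of filter a proxy log scrubber or DLP tool would apply to a visited URL: it flags capability URLs and personal data in query parameters, and returns a redacted form that can be stored without handing the reader the same access the original URL grants. The hostname patterns, the parameter-name heuristics, and the sample URLs are this example’s own assumptions, not rules from the report.

```javascript
// Added example for this article; it is not code from the original page or
// from the DataSpii report. It classifies URLs the way a DLP filter or proxy
// log scrubber might: it flags "capability URLs" (where knowing the URL is the
// credential) and personal data carried in query parameters, and returns a
// redacted form that is safe to keep in logs. The hostname and parameter
// heuristics below are this example's own assumptions.

const CAPABILITY_PATTERNS = [
  {
    // Google Docs/Sheets/Slides ids; with "anyone with the link" sharing,
    // the id in the path is the access token
    label: "shared document",
    test: (u) =>
      u.hostname === "docs.google.com" &&
      /^\/(document|spreadsheets|presentation)\/d\/[\w-]{20,}/.test(u.pathname),
  },
  {
    // Zoom join links: /j/<meeting id>, often with the passcode in ?pwd=
    label: "meeting join link",
    test: (u) => /(^|\.)zoom\.us$/.test(u.hostname) && /^\/j\/\d{9,11}/.test(u.pathname),
  },
];

// Query parameter names that commonly carry personal or secret data
const SENSITIVE_PARAMS = {
  "personal name": /^(first|last|full)?_?name$/i,
  location: /^(lat|lng|lon|latitude|longitude|pickup|dropoff|address)$/i,
  credential: /^(token|access_token|api_?key|pwd|password|session|sig)$/i,
  reservation: /^(pnr|confirmation|booking|reservation)(_?(code|id|number))?$/i,
};

// Path segments that look like opaque ids (document ids, meeting numbers)
const OPAQUE_SEGMENT = /^([\w-]{20,}|\d{9,})$/;

function classifyUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { sensitive: false, labels: [], redacted: "[unparseable]" };
  }
  const labels = new Set();
  for (const cap of CAPABILITY_PATTERNS) {
    if (cap.test(u)) labels.add(cap.label);
  }
  const redacted = new URL(raw);
  for (const [key] of u.searchParams) {
    for (const [label, re] of Object.entries(SENSITIVE_PARAMS)) {
      if (re.test(key)) {
        labels.add(label);
        redacted.searchParams.set(key, "REDACTED");
      }
    }
  }
  // Replace opaque path ids and drop the fragment (OAuth implicit flows put
  // access tokens there) so the logged form cannot be replayed
  redacted.pathname = u.pathname
    .split("/")
    .map((seg) => (OPAQUE_SEGMENT.test(seg) ? "REDACTED" : seg))
    .join("/");
  redacted.hash = "";
  return { sensitive: labels.size > 0, labels: [...labels], redacted: redacted.toString() };
}

// Constructed sample URLs of the kinds the DataSpii report describes
const SAMPLE_URLS = [
  "https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789/edit",
  "https://us02web.zoom.us/j/1234567890?pwd=s3cretPasscode",
  "https://flights.example.com/checkin?last_name=Doe&pnr=ABC123",
  "https://rides.example.com/trip?pickup=40.71,-74.00&dropoff=40.75,-73.99",
  "https://www.example.com/pricing",
];

for (const url of SAMPLE_URLS) {
  const r = classifyUrl(url);
  console.log(`${r.sensitive ? "SENSITIVE" : "ok       "} [${r.labels.join(", ")}] ${r.redacted}`);
}
```

The important design point is that the redacted form keeps the hostname and the shape of the path, which is what analytics or monitoring legitimately needs, while removing the part that grants access: a subscriber who receives `https://us02web.zoom.us/j/REDACTED?pwd=REDACTED` cannot join the call, whereas the unredacted link is a ticket in. A "block" from a pattern like this is also a reasonable trigger for an alert when it appears in traffic an extension is sending to a third party.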
Implications for Data Security
Browser extensions occupy an extremely trusted yet often overlooked position in an organization’s data security strategy. A large amount of sensitive data passes through an employee’s browser, but the potential for that data to be stolen there is often neglected in favor of securing major databases and other obvious stores of sensitive information. As a result, extensions like those described in the DataSpii report can quietly give outsiders access to an organization’s internal documents and communication channels. To develop an effective data security strategy, a company needs to identify and close every potential source of data leaks, which requires a data security solution capable of comprehensive data discovery and monitoring. Otherwise, something as simple as installing a malicious browser extension can be the cause of the organization’s next major data breach, and of significant penalties under the new data protection regulations.