Following the news that researcher Sam Jidali has uncovered “DataSpii”, a massive data leak revealing private information for 45 major companies and millions of individuals, Boris Cipot, Senior Security Engineer at Synopsys offers the following commentary.
Boris Cipot, Senior Security Engineer at Synopsys:
The best way to prevent the risk coming from browser extensions is to never allow installation of extensions as default, rather to have a list of allowed extensions that users can install or have IT install them if needed. Doing so can limit the scope of the applications they have to keep track of and in the event a vulnerability is announced, they can take measures to stop the problem in time.
In order to mitigate this threat, organisations should make sure they check all employees’ machines to find out which ones have the malicious extensions installed, and then remove them.
It is also advisable to look for the actions and URLs listed in the researcher’s article, to make sure that there aren’t still parts of the extension active and still (after the removal attempt) sending data to their target data collection servers. Try to monitor all communications, identify the ones going to the malicious servers, and stop them. Be on the watch for other weird data connections, as there might be other extensions with the same bug.
It is important to treat extensions just like any other piece of software. Make a list of allowed software and their extensions, and monitor the developments and vulnerability notifications of all of them. If any threat materialises, you need to be able to block or uninstall this piece of software from the users’ computers, either by policy invocation or through another software that takes care of your installed software packages on user machines.
The guiding thought would be that every piece of software you install (be it apps or their extensions) will need to be continuously monitored. By keeping a close look an all potential entry points, organisations can have the peace of mind of knowing when the application may need patching, updating or removing. You need to be in control.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.