Researchers at Awake Security have discovered a new spyware campaign that attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, according to Reuters. This highlights the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date. Alphabet Inc’s Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
For any enterprise, keeping a website secure involves a number of moving parts. There can be many third parties involved, from the content platform to the eCommerce engine, and it only takes one of those to be less than rigorous in cybersecurity for vulnerabilities to emerge. When users start downloading extensions and add-ons, as in this recent Chrome incident, this vulnerability only increases.
So enterprises need to be very selective with the third parties they work with, choosing only those with true enterprise-grade cybersecurity, and also give strong guidance to users as to which extensions they should use and where they should get them from. Extensions are the lifeblood of innovative platforms, although some are certainly safer than others.
Browser extensions can be extremely useful and come with thousands of benefits – but you should remain cautious when you download anything to your machine. Being vigilant about extensions usually means reading the reviews but, in many cases, this still won’t be enough, as some may not be legitimate, especially as most browser extensions are free.
There are, however, ways to be more careful when downloading third-party extensions. Usually, they will ask for permissions to be granted for access to data or other information on your machine, which I recommend you don’t give. Google can’t ever guarantee 100% security on all of their third-party add-ons, so you must be careful.
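One way to review the permissions an extension requests before approving it, shown as an added example that is not part of the original article: a short Python audit of an extension's `manifest.json`. The two manifests are constructed samples, and the risk notes are this example's own wording for real Chrome permission names.

```python
import json

# Chrome permission names that expose browsing or session data.
# The short risk notes are this example's wording, not Google's.
SENSITIVE_API = {
    "history": "reads the full browsing history",
    "tabs": "reads the URL and title of every open tab",
    "cookies": "reads cookies for the hosts it can access",
    "webRequest": "observes network requests",
    "clipboardRead": "reads clipboard contents",
}
# Host patterns that match every site rather than a named one.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return sorted (permission, reason) pairs a reviewer should question."""
    manifest = json.loads(manifest_text)
    entries = []
    # Manifest V2 mixes host patterns into "permissions";
    # Manifest V3 lists them separately under "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        entries += manifest.get(key, [])
    # Content scripts run inside every page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        entries += script.get("matches", [])
    findings = set()
    for entry in entries:
        if not isinstance(entry, str):
            continue
        if entry in SENSITIVE_API:
            findings.add((entry, SENSITIVE_API[entry]))
        elif entry in BROAD_HOSTS:
            findings.add((entry, "applies to every site the user visits"))
    return sorted(findings)

# Constructed sample: a "file converter" that asks for far more than it needs.
CONVERTER = json.dumps({
    "manifest_version": 2, "name": "Sample File Converter",
    "permissions": ["history", "tabs", "storage", "<all_urls>"],
})
# Constructed sample: a note-taking extension with narrow permissions.
NOTES = json.dumps({
    "manifest_version": 3, "name": "Sample Notes",
    "permissions": ["storage", "activeTab"],
})

if __name__ == "__main__":
    for label, text in (("converter", CONVERTER), ("notes", NOTES)):
        for permission, reason in audit_manifest(text) or [("none", "nothing flagged")]:
            print(f"{label}: {permission}: {reason}")
```

A flagged permission is a prompt to ask why the extension's stated purpose needs it, not proof that the extension is malicious.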