Review the permissions that browser extensions ask for?

If you're like most people, no matter how careful you are when you surf the web, you seldom think to review the permissions browser extensions ask for when you install them.  It's just one of those things that's easy to lose sight of, and unfortunately, hackers are aware of this.

That's why vulnerable extensions have become a newly emergent threat in the ever-evolving threat matrix.

Browser extensions can do things that simple websites can't. Enterprising researcher, Doliere Francis Some took a deep dive into the murky world of extensions and find out if it was possible that they could bypass SOP (Same Origin Policy), which keeps websites from different domains from sharing data.

Over the course of her research, she analyzed more than 75,000 Opera, Firefox, and Chrome extensions.  Although her research revealed that it was uncommon, she was able to confirm that in 197 cases, the answer was yes.

Mostly Chrome extensions

171 of the 197 instances she discovered were Chrome extensions.  That fact should not be seen as an indication that Chrome is inherently less secure than the other browsers, but is reflective of the fact that Chrome has vastly more extensions than the other two browsers included in her survey.

Based on Some's research, while this is a troubling discovery to be sure, it's not something you're likely to encounter or need to devote significant resources to guard against.  In fact, the simplest way to protect yourself is to prevent extensions from communicating with web pages at-will. Although be aware of the fact that this may cause some legitimate extension functions to stop working.

Our perspective

Of course, in a perfect world, browser vendors would do a far better job at analyzing extension behavior before making them available to the general public, but this is extremely unlikely to occur.  Again, it just isn't a common enough problem to throw a lot of resources at.

In any case, though, it's something to be aware of, and it's certainly worth checking the permissions of the extensions you're using. Or have your IT guy do it. Better safe than sorry.

The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects: specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, law firms, and construction companies in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include: the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. As well as providing small business technology education programs through business and professional associations.

Contact me if you would like me to speak at your meeting.

Meanwhile, check out this report

Executive Report: 10 Hidden IT Risks That Might Threaten Your Business