Malicious Browser Extensions

Browser extensions are widely used across enterprises to improve productivity due to their ease of installation and usage, making them a popular choice among employees. However, depending on the permissions granted, extensions can have significant control over a user’s data and browsing experience. This makes them a gold mine of information and a primary target for threat actors looking to compromise an organisation.

SquareX’s policy engine supports applying granular policies on browser extensions running on an employee's device. Enterprises can control which extensions are allowed or blocked based on various factors such as permissions requested, user ratings, download trends, installation type, and more. This level of control helps enterprises ensure that only trusted extensions are used, thereby enhancing security and protecting sensitive data.

Create a Whitelist of browser extensions

Browser extensions can supercharge the web applications that employees browse daily. At the same time, they run with high privileges that can put employees' data at risk if an extension is malicious or gets exploited. As a best practice, admins can create a whitelist of permitted extensions: use the prompt 'Allow only the following extension IDs (...)' and include a list of IDs using the policy generator. The expected outcome would be:

Create a Blacklist of browser extensions

For convenience, admins can consider creating a blacklist of extensions that are strictly prohibited from the enterprise. Although this might not be as effective in keeping risky extensions at bay as a whitelist approach, the policy can be supplemented with other criteria-based restrictions, such as blocking newly created extensions or those with low user counts or rating/review counts. This combined strategy can help mitigate some risks while offering a more manageable approach to controlling extension usage within the organization. To create a blacklist, use the prompt 'Block the following extension IDs (...)' and include a list of IDs using the policy generator. The expected outcome would be:

Block extensions based on permissions

Extensions that require highly invasive permissions can be hazardous if they are exploited. Google categorizes extension permissions based on risk levels: highest, high, medium, and low. With SquareX, admins can prompt 'Block extension using high and highest risk permissions' using the policy generator to prevent employees from using extensions that are highly invasive. The expected outcome would be:

Block extensions with many negative reviews

Admins should consider blocking extensions with many negative reviews because such feedback often indicates issues with the extension, including potential security vulnerabilities, privacy concerns, or poor functionality. Negative reviews can signal that an extension may not be trustworthy or reliable, posing a risk to enterprise security. To do so, use the prompt 'Block the extensions with more than 30% negative reviews' using the policy generator. The expected outcome would be:

Block sideloaded extensions

Admins should block sideloaded extensions because these extensions bypass the official browser stores' security checks and vetting processes. Sideloaded extensions can introduce significant security risks, such as malware, data breaches, and unauthorized access to sensitive information. Without the scrutiny that comes with official store listings, sideloaded extensions may contain harmful code or vulnerabilities that could be exploited by attackers. By blocking sideloaded extensions, admins can ensure that only verified and trusted extensions are used, thereby enhancing the overall security posture of the enterprise. To do so, use the prompt 'Block sideloaded extensions' using the policy generator. The expected outcome would be:

Block extensions containing 'ChatGPT' in their name or description

With the advent of GenAI sites, extensions that make AI more convenient for numerous workflows have been introduced. However, extensions claiming to use ChatGPT might not be affiliated with the official OpenAI tool, leading to security and privacy risks. Such extensions could contain malware, engage in data harvesting, or provide inaccurate or harmful information. Admins can consider blocking extensions whose name or description contains 'ChatGPT' due to the potential for impersonation and misuse. To do so, use the prompt 'Block extensions with 'ChatGPT' in name or description' using the policy generator. The expected outcome would be:

Block less popular extensions

Browser extensions with no ratings or a low user base can pose a security risk for enterprises. These extensions have not undergone any public scrutiny or been vetted by any scanner, making it difficult to ascertain their safety or reliability. Blocking such extensions is a preemptive measure that protects users' privacy and the security of the enterprise. Admins can prompt 'Block extensions with no users or no ratings' using the policy generator. The expected outcome would be:

Block specific extensions by their IDs

Depending upon internal policies, enterprises might decide to block access to certain products, including browser extensions. For example, it's common for enterprises to have an anti-AI policy and to discourage usage of any AI-specific product. An enterprise can easily enforce a policy to block specific extensions. Admins can prompt 'Block extension with specific id' using the policy generator. The expected outcome would be:
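The sections above describe the criteria as separate prompts; the following added example (not SquareX's policy engine, and not code from this page) shows how those criteria compose when evaluated together against extension metadata, in particular that an allowlist short-circuits every other rule while a blocklist is supplemented by the criteria-based checks. The permission risk tiers, extension IDs and review figures are constructed placeholders.

```python
from dataclasses import dataclass, field

# Assumed risk tiers for a few permissions; the page names Google's
# highest/high/medium/low categories but gives no mapping, so this is illustrative.
PERMISSION_RISK = {"<all_urls>": "highest", "webRequestBlocking": "highest",
                   "cookies": "high", "history": "high", "tabs": "high",
                   "storage": "low", "alarms": "low"}

@dataclass
class Policy:
    allow_ids: set = field(default_factory=set)      # non-empty => allowlist mode
    block_ids: set = field(default_factory=set)
    block_risk: set = field(default_factory=lambda: {"high", "highest"})
    max_negative_ratio: float = 0.30                 # "more than 30% negative reviews"
    block_sideloaded: bool = True
    keywords: tuple = ("chatgpt",)                   # matched in name or description

def evaluate(ext: dict, pol: Policy) -> list:
    """Return the reasons an extension is blocked; an empty list means allowed."""
    # Allowlist mode: anything not listed is blocked and no other rule is consulted.
    if pol.allow_ids:
        return [] if ext["id"] in pol.allow_ids else ["not on allowlist"]
    reasons = []
    if ext["id"] in pol.block_ids:
        reasons.append("on blocklist")
    risky = sorted(p for p in ext["permissions"] if PERMISSION_RISK.get(p) in pol.block_risk)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    if ext["negative_ratio"] > pol.max_negative_ratio:
        reasons.append(f"{ext['negative_ratio']:.0%} negative reviews")
    if pol.block_sideloaded and ext["sideloaded"]:
        reasons.append("sideloaded")
    text = (ext["name"] + " " + ext["description"]).lower()
    if any(k in text for k in pol.keywords):
        reasons.append("name/description keyword match")
    if ext["users"] == 0 or ext["ratings"] == 0:
        reasons.append("no users or no ratings")
    return reasons

# Constructed sample inventory (IDs are placeholders, not real extensions).
SAMPLES = [
    {"id": "ext-A", "name": "Note Taker", "description": "Simple notes", "permissions": ["storage"],
     "users": 50000, "ratings": 1200, "negative_ratio": 0.05, "sideloaded": False},
    {"id": "ext-B", "name": "ChatGPT Helper", "description": "AI sidebar", "permissions": ["<all_urls>", "tabs"],
     "users": 300, "ratings": 0, "negative_ratio": 0.45, "sideloaded": True},
]

def decisions(samples=SAMPLES, pol=Policy()) -> dict:
    # Map extension id -> "allow" or "block: <reasons>" for an admin report.
    return {e["id"]: ("allow" if not (r := evaluate(e, pol)) else "block: " + "; ".join(r))
            for e in samples}
```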