Why extensions are a security nightmare, deep dive!
Security weekly

Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.
Did you know? Children ask about 300 questions per day. That's about half as much as the average IT end user.
In this week's edition:
🎢 Why extensions are a security nightmare - Deep dive
🔥 The quick and dirty
Reading time: 03:31

Why extensions are a security nightmare - Deep dive
Last year I saw a lot of articles about extensions causing trouble. Browsers, app marketplaces, ... you name it. I think people often underestimate the dangers that lurk there, so I decided to write a Deep dive about it. Not Mariana Trench deep, but like the-last-Pringles-in-the-can deep.

Ok, who here can tell me why extensions are a security nightmare?
I hear "hard to control from an IT point of view" - good point.
Yes, also "extension marketplaces are often managed poorly", solid point.
Anyone else?
"Users randomly click everything some person online advises them without thinking about the possibilities"
Wow, buddy, chill out. Are you implying even the brightest people lose all sense of intellect when they're behind a computer? That's a strong opinion.

Let's start off with the obvious, what classifies as an 'extension'?
In IT we know two things as extensions:
The OG is probably the 'file extension' - for example: .doc, .xls, .html, .txt, ...
The one we're going to talk about is Browser and Marketplace extensions - probably the most famous one being AdBlock or AdBlock plus
A browser extension is a small piece of software you can 'add' to your browser, extending its functionality. Often they're handy tools that can make your life a lot easier. The downside is that they're granted special permissions, which makes them an attractive target for attackers. Not like super power special, more like Ralph Wiggum special.

So what's the problem? Users without admin rights can't install them.
That's where the "hard to control from IT point of view" comes in. Because the browser was installed under admin control.. wait. What? You don't need admin rights to install a browser?
That's right kids.

So, first problem. Users can install browsers (yes, I'm looking at you Chrome) without admin rights. Because the browser installs to a User application data folder, no admin rights are needed. From there, they can install extensions. But let's say we have trained our users well, and they don't install software randomly (I know, sounds very unlikely). Even then, they are able to install extensions without admin rights.
So what do you mean by stores being "poorly managed"?
Well, I'm not really pointing fingers here. But there isn't much done about the malicious extensions by the "Store owners". Both Microsoft and Google run Stores for their extensions, with little to no publisher verification.

Often antivirus companies like McAfee and Norton find out about malicious extensions, and then report them. The extensions are deleted, but there are no controls in place to stop the attackers from making a new account and re-uploading something similar.
The difficulty lies within finding balance. On one hand they want to make it easy for creators to publish useful tools, but that shouldn't be at the expense of security.
There are some who do it better though. For example the Apple App store has very strict publication rules, making it very difficult for threat actors to install malicious apps.
Big boss tell me, what can I do?
For the admins out there:
If you control a Windows environment, there are Group Policies to block installation to the User application data folder.
Roll out browser management options - with the rise of endpoint management software (Ninjaone, N-able, Intune, ...) there are also a lot of options to limit or forbid the installations of Browser extensions.
Train your user awareness - and keep doing it. This isn't a one-night stand.
That last one comes with a warning though. Rolling out restrictions in a user environment will make you about as popular as that one guy at the party that ate garlic sauce for dinner.
For the users out there:
Don't install everything some random dude on Twitter says - yes, some things might be handy. But be careful.
Only install from trusted publishers - If you really really reaaaallly want the extension, do some research. Check the publisher's site, check the number of downloads and the rating.
Check the permissions - That one extension that tells you what RGB # that color is, doesn't need permission to your browser history. Right?
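
Here's the "check the permissions" tip as an added example (not from the original post): a small Python script that reads an extension's manifest.json and lists the permissions worth a second look. The permission names are Chrome's own; the risk list, the reasons and the sample manifest are constructed for illustration.

```python
import json

# Permissions that expose browsing data or page content (Chrome permission names;
# which ones to flag, and the wording of the reasons, is this example's assumption).
HIGH_RISK = {
    "history": "read and modify browsing history",
    "tabs": "see URL and title of every open tab",
    "cookies": "read and set cookies for permitted sites",
    "webRequest": "observe network requests",
    "debugger": "attach the debugger protocol to tabs",
    "clipboardRead": "read clipboard contents",
    "nativeMessaging": "talk to programs outside the browser",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def audit_manifest(manifest_text):
    """Return a sorted list of (permission, reason) findings for one manifest.json."""
    manifest = json.loads(manifest_text)
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    declared = set()
    for key in PERMISSION_KEYS:
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts get page access through "matches" without a listed permission.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    findings = []
    for perm in declared:
        if perm in HIGH_RISK:
            findings.append((perm, HIGH_RISK[perm]))
        elif perm in BROAD_HOSTS:
            findings.append((perm, "access to page content on every site"))
    return sorted(findings)


# Constructed sample: a colour-picker extension asking for far more than it needs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Colour Picker (constructed sample)",
    "version": "1.0",
    "permissions": ["activeTab", "storage", "history"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["pick.js"]}],
})

if __name__ == "__main__":
    for perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"REVIEW  {perm:12} {reason}")
```

An empty result only means nothing on this short list was requested; it doesn't say anything about what the extension's code does with the access it has.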


The quick and dirty
Microsoft script recreates shortcuts deleted by bad Defender ASR rule - Sounds good, doesn't work.
Russian hackers are trying to get the worst out of ChatGPT - After animal abuse, soon you'll be charged with AI abuse.
Norton LifeLock says thousands of customer accounts breached - and another one bites the dust