Discussing the Dangers of Web Extensions – Techstrong TV
Charlene and Ohad discuss the untold dangers of web extensions and where they’re headed in 2022. The video and a transcript of the conversation are below.
Recording: This is Digital Anarchist.
Charlene O’Hanlon: Hey everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon and I’m here with Ohad Bobrov who is the CTO and cofounder at Talon Cyber Security. Ohad so great to see you. Thank you so much for being here on Techstrong TV with me.
Ohad Bobrov: Ok. Thank you for having me.
Charlene O’Hanlon: You bet. You bet. So I’m interested in having a conversation with you about web extensions and cybersecurity issues thereof. But first I wonder if you could introduce us to Talon Cybersecurity.
Ohad Bobrov: Perfect. So in Talon we are creating an enterprise browser. So basically we took Chromium, which is the open source version of Chrome, and a few other browser _____ and created an enterprise version of the browser embedded with many enterprise security features like network inspection, isolation, etcetera, and we are providing it to enterprises around the globe. We are in –
Charlene O’Hanlon: Ok.
Ohad Bobrov: Around Asia and Africa.
Charlene O’Hanlon: That’s great. I love the fact that you guys are really putting an emphasis on cybersecurity as it pertains to web browsers. And web extensions have been – they’ve been growing in popularity, I’ve noticed. I mean everything these days seems to be a web extension to kind of make our lives easier. But to your point you guys are saying that they actually do kind of introduce a level of vulnerabilities that – well, vulnerabilities are never a good thing. But I think with the number of web extensions that are out there these days we’re even more vulnerable than before. So why don’t you kind of walk me through what you guys are seeing in the space right now and kind of set the stage, if you will, to the level of vulnerabilities that web extensions do introduce?
Ohad Bobrov: Right. So like you said, web extensions by nature are very good, so we use them. So they prove value. We use them in many, many different applications and in general they improve our ability to do our job or to browse the web better. But as with many other technologies it also poses different threats. So as they become more and more popular, and in general browsers become very, very major applications, specifically in the enterprise space, they do pose different threats. So for example, because they’re asking for excessive permissions it can leave the user exposed to different active threats. And we see them in more and more places. For example, in the US three years ago you couldn’t install a web bay browser extension. But now it’s in Apple. You can also do it in Android. So we see them everywhere now.
So it is a growing threat. Specifically a few types of threats. One of them is because extensions ask for excessive permissions. That will be because the developer saw that in the future he would try to ask for, he would try to have additional features. If someone was able to exploit this extension, the back end of the actual extension on the device is able to collect very, very sensitive information because the extension would be able to collect everything that you are doing in the browser. They can collect the passwords. They can collect different credentials from the actual site, a crypto wallet, user data. Everything that you are using in the browser is accessible to the extensions.
Charlene O’Hanlon: Well that’s pretty terrifying. Thanks very much. So what do we do then? I mean because they have become so popular. And frankly there are certain things that I like to do. I have a couple of extensions on my web browser that I know and I trust. But without them I don’t think I’d be able to do my job as well, or at least as quickly and as efficiently as I do, or at least I think I do. But how can we protect ourselves? I mean are there certain things that people need to look out for when they’re looking at whether to add a web extension onto their browser? Are there certain maybe red flags, if you will, that folks should be aware of?
Ohad Bobrov: Yes. So I think that as a personal user, when you download a new extension you should have a look at the actual webpage, on the Chrome web store for example. You should look at how many downloads they’re generating. There might be a specific comment that indicates if something is not right. And later on, if after you installed the extension you see that something is behaving a bit differently, you should be aware of it. In general, like for any application that you download for your PC or to your mobile device, you should download it from an official source.
You should only – and you should only download the application if you trust the developer and you know what they’re doing. Specifically it’s more important for an extension like a password manager, ok, that does have access to all the passwords that you use on your web browser, or grammar corrections, because they basically read all the text that you’re using on the browser. And you should also review the permissions, because the permissions basically tell you what access the extension has.
Charlene O’Hanlon: So are there ways that we can kind of limit what web extensions are able to do on the web and what they’re able to actually see? Because you did mention they are overly permissive, a lot of them are. So is there a way to kind of dial back that level of permissions?
Ohad Bobrov: So unfortunately not really. Usually you can basically either approve or not approve the extension. You can of course disable it at any moment. As I published a few weeks ago, there are extensions that were flagged as malicious but you can still find them in the Chrome web store and you can still download them. So you should be aware of what the extensions are doing and try to limit your exposure.
Charlene O’Hanlon: Well I feel like a lot of these web extensions are – a lot of them are very useful, obviously, to help us do what we do on a daily basis. But a lot of them are, shall we say, extraneous. They’re not really that useful for folks on a day to day basis. So would you suggest that organizations or individuals only use the web extensions that they know they’re going to get daily use out of, and obviously from companies they trust? Or has it gotten to the point where even those web extensions that are offered by what we call kind of mainstream companies, even those are kind of suspect these days? I mean, are we looking at web extensions as kind of like an evil thing altogether?
Ohad Bobrov: No. I wouldn’t go that far.
Charlene O’Hanlon: Ok.
Ohad Bobrov: So I think most of the developers and most of the extensions out there are there to make our lives better. But I do think that specifically for enterprises it does make sense to understand which extensions you have installed in your environment. And you can use external feeds, an external tool like ours, to manage the extensions that the organization is using on their devices. The organizations that are doing it are only allowing certain extensions from a preapproved list of extensions that someone vetted and someone made sure that it’s ok. And like I would say, it’s like everything in security. There is a line between visibility and security, and each person in each organization needs to choose where exactly they want to be on this vertical.
Charlene O’Hanlon: So do you think that web extensions should be allowed in an enterprise? Because for a consumer it’s one thing. If you download an extension that is malicious or contains malicious code, you’re infecting your machine. But if you’re hooked up to the company network you potentially could infect the entire network and the infrastructure. So what would you suggest enterprises do regarding web extensions? Do you think that they should be allowed, or do you think they should be allowed but with tight controls? What’s your advice?
Ohad Bobrov: So I think that it should be allowed. I don’t think that they can imagine a work environment without any extensions. I think an organization should have control. I think that one of the threats that you can be exposed to with extensions is that, because extensions only exist in the browser, many of the traditional endpoint security tools like antivirus, etcetera, are not even able to identify which extensions are installed in the browser. And in many cases they will choose to use a _____ extension because all the interesting information is in the browser, so credentials, data and everything. But because they are not on the actual device, in many cases it is much harder to identify.
And to your question, so I do think that organizations should allow extensions but with a certain amount of control. They should have someone to inventory which extensions are installed and to set the policy. So for example, for password managers I would advise an organization to choose one password manager that they trust and try to push it through the entire organization.
Charlene O’Hanlon: All right. Well I think, especially these days with so many folks who are working in either a fully remote or a hybrid remote environment, it’s going to be more critical than ever that organizations understand exactly what their employees are doing with their computers and what they’re downloading. So I think having that level of control is a very good thing for organizations to consider. Are there any other kind of tips or tricks, if you will, or best practices that organizations should consider when it comes to web extensions?
Ohad Bobrov: So I think that first of all it’s important to say that Google and the rest of the browser vendors are aware of the problem and they did try to implement a few security compliance notes to reduce their attack surface. So for example, now it’s harder to install an extension not from the official web store. Ok? And they do try to introduce a few limitations to what extensions can do. And I think it’s a step in the right direction. It’s still not enough, and we still, and you can still create pretty easily a malicious extension. But it’s a very small, it’s a step in the right direction.
Another thing that you should be aware of is that in many cases what the hackers are doing, they’re actually buying a proper extension, and there are a couple of examples of that. And after they bought the extension, the owner of the extension, they’re introducing a malicious version of the extension. And therefore attacking all the users that installed the extension to use it for legitimate usage. So we should be up to date in making sure that our browsers are not compromised.
Charlene O’Hanlon: Interesting. Interesting. So you’re buying something that was legit and then all of a sudden it becomes not so legit. That’s not playing fair I will say. Yeah. But –
Ohad Bobrov: I think they’re looking for the path of least resistance.
Charlene O’Hanlon: Yeah.
Ohad Bobrov: And if there’s a way to infect multiple devices very, very quickly, it’s very easy. One of the advantages from the hacker point of view is that extensions are being updated behind the scenes. So you wouldn’t even know that you now downloaded a new version which might contain a malicious piece of code.
Charlene O’Hanlon: Well I have to tell you. I don’t obviously – I think I’m going to think twice now before I start downloading additional web extensions. And as I said before, just stick with the ones that I know are on the level and are safe for me to use. But I think we’re going to see this problem actually get worse before it gets better. And I think raising awareness of the vulnerabilities that can be introduced through web extensions and the level of malicious activity that is happening with web extensions is going to help, kind of, hopefully help us secure our web browsers a lot better and maybe think twice before we download those web extensions. So thank you so much for having the conversation with me, Ohad. It was great and I do appreciate you taking the time and being on Techstrong TV with me today.
Ohad Bobrov: Ok. Thank you very much.
Charlene O’Hanlon: Great. Thank you. All right everybody. Please stick around. We’ve got lots more Techstrong TV coming up so stay tuned.
[End of Audio]