Q&A with Davit Asatryan, Director of Product, Spin.AI: Navigating the web safely during the festive season

During the holiday season, online activities increase significantly as people shop, plan travel, and socialize. This uptick in digital engagement also brings a heightened risk of security breaches, particularly through browser extensions. Whether at home or at work, understanding and mitigating these risks are essential for a secure online experience.

To understand the risks, it’s important to first understand that the landscape of browser extensions is vast and varied, with marketplaces like Google Marketplace and Microsoft Edge add-ons offering hundreds of thousands of options. Obviously, not all extensions adhere to stringent security practices, and there are many extensions that are available from sources outside official channels.

For corporations, the variety and volume of extensions poses a significant security threat, and it's not uncommon for a large company to have hundreds or even thousands of extensions installed across employee workstations, many of which may not meet ideal security standards.

During the holidays, certain categories such as Shopping, News & Travel, and Social & Communication are more frequently used, and unfortunately, they often contain a higher percentage of risky extensions. A comprehensive and ongoing evaluation of these extensions is necessary to identify potential risks across various dimensions like operational integrity, security vulnerabilities, privacy concerns, and compliance issues.

Potential vulnerabilities may include excessive permission requests, code vulnerabilities, lack of updates, and unknown or questionable origins. Any of these vulnerabilities could provide a bad actor access to extensive user data, including browsing history and personal information.

To ensure a safer digital environment, individuals and companies should be extra cautious when using extensions around the holidays. Choose reputable extensions, avoid using work devices for personal activities, keep security settings updated, and be aware of the extensions' potential risks.

What are the main security concerns with browser extensions during the holiday season?

Asatryan: The main concerns with browser extensions include potential security breaches, privacy issues, and operational and compliance risks. Extensions in popular categories like Shopping and Social & Communication may request unnecessary permissions, have unresolved code vulnerabilities, and lack recent updates, making them a potential security risk.

How significant is the issue of risky browser extensions in corporate settings?

Asatryan: Risky browser extensions are a notable concern in corporate settings. Large organizations often find a wide array of extensions installed across employee workstations, many lacking in proper security standards, thereby posing a risk to corporate data security.

For example, we recently found a company with ~2,000 employees had 1,642 different extensions installed in their environment, which shows you just how ingrained browsers are to the corporate ecosystem.

What factors contribute to a browser extension’s risk level?

Asatryan: Factors contributing to the risk include the level of permissions the extension requests, the presence of code vulnerabilities, the frequency of updates, and the transparency about the extension's origin and development practices.

What steps can be taken to protect against risks posed by browser extensions?

Asatryan: To effectively mitigate extension and SaaS app risks, businesses must adopt a comprehensive approach to manage the entire risk lifecycle. It involves effectively discovering all extensions and SaaS applications connected to the environment and which can access which data.

It also involves proactive, continuous risk assessments of all connected extensions and SaaS apps. Finally, as risk may change over time, organizations must leverage automated risk assessments and modern cybersecurity tools to eliminate the threat.