TL;DR: It may not be in your threat model, but browser extensions can present a significant threat depending on the business. Currently, the security responsibilities and capabilities sit mostly with the browser's extension store. To manage this risk, IT and security professionals have to use scanners with a parser for each browser's extension model. However, a standard extension management API could improve the ecosystem.
- Historical Context of the Browser Ecosystem
- Security Implications of Browser Extensions
- What can we do?
Historical Context of the Browser Ecosystem
-webkit- for Chrome and Safari, and
The reason I started with the historical context is to point out the lack of standardization and its causes. The history of the browser ecosystem teaches us about the delicate balance between innovation and standardization, and the unintended consequences that can arise when that balance is upset. The competitive drive for new features has sometimes overshadowed the need for security and interoperability, leading to a fragmented landscape that complicates cybersecurity efforts.
Security Implications of Browser Extensions
But that was not the end, because add-ons, extensions or plugins, whatever you call them, are here to stay. Browsers are turning themselves into a new virtualization layer through their sandboxes. Yet the isolation between the applications in the sandbox and the operating system does not apply to these extensions: depending on their permissions, extensions can access and modify resources inside and/or outside the sandbox. Just as with any package manager, the security responsibility rests with the repository that provides the distribution environment, such as the Chrome Web Store or addons.mozilla.org (AMO).
What can we do?
At present, organizations employ various methods for managing browser extensions, often relying on group policies or vendor-specific solutions. While these approaches offer some control, they are inherently limited by their lack of standardization and are not universally applicable across different browsers and platforms. Given the aforementioned security landscape, there is a compelling case for the development of a standardized API for browser extension management. Such an API would facilitate a unified interaction model, enabling Configuration Management Databases (CMDB), Endpoint Management, Mobile Device Management (MDM), and Endpoint Detection and Response (EDR) systems to interface with browsers in a vendor-agnostic manner. Importantly, this API should extend beyond mere inventory querying by giving way to different integration methods, as primitively demonstrated by this proof of concept application which makes use of CRXcavator by DUO security. You can find similar applications such as neto and ExtAnalysis focusing only on this aspect, while many security and IT asset management products implement the same feature. Think of the man-hours wasted trying to replicate the same simple task all around the world! To save those hours, a standard API should encompass a comprehensive set of management functionalities, akin to package managers like yum, but with additional security-focused features.
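The two paragraphs above describe the current state of affairs: every inventory tool has to carry its own parser for each browser's extension model, and what an organization actually wants from that inventory is a permission-aware check against its allowlist or blocklist. The script below is an added example, not code from the post or from any of the tools it names. It normalizes a Chrome (Manifest V3) manifest and a Firefox (Manifest V2) manifest into one record shape, then applies a simple policy. The two manifests, the extension identifiers and the set of permissions treated as "broad" are all constructed or assumed for illustration; a real deployment would read manifests from the profile directories and take the permission classification from its own threat model.

```python
"""Vendor-neutral inventory of installed browser extensions.

Added example: parses Chrome and Firefox manifest formats into one record
type and evaluates each record against an allowlist/blocklist policy.
"""
import json
from dataclasses import dataclass

# Constructed sample manifests; these are not real extensions.
CHROME_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Tab Helper",
    "version": "1.2.0",
    "permissions": ["tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
})
FIREFOX_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Note Taker",
    "version": "0.9",
    "permissions": ["storage", "https://notes.example/*"],
    "browser_specific_settings": {"gecko": {"id": "notes@example.com"}},
})
# Constructed Chrome extension id (real ids are 32 characters from a-p).
CHROME_SAMPLE_ID = "aaaabbbbccccddddeeeeffffgggghhhh"

# Assumed classification of API permissions that grant broad access to
# browsing data; adjust to the organization's own threat model.
BROAD_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "tabs", "cookies", "history",
    "nativeMessaging", "debugger", "proxy",
}


@dataclass
class ExtensionRecord:
    browser: str
    ext_id: str
    name: str
    version: str
    api_permissions: list
    host_permissions: list


def _is_host_pattern(perm: str) -> bool:
    """Host match patterns are '<all_urls>' or a scheme://host/path pattern."""
    return perm == "<all_urls>" or "://" in perm


def parse_chrome(manifest_text: str, ext_id: str) -> ExtensionRecord:
    m = json.loads(manifest_text)
    api = list(m.get("permissions", []))
    hosts = list(m.get("host_permissions", []))
    # MV2 manifests mix host patterns into "permissions"; split them out
    # so MV2 and MV3 produce the same record shape.
    hosts += [p for p in api if _is_host_pattern(p)]
    api = [p for p in api if not _is_host_pattern(p)]
    return ExtensionRecord("chrome", ext_id, m["name"], m["version"], api, hosts)


def parse_firefox(manifest_text: str) -> ExtensionRecord:
    m = json.loads(manifest_text)
    # Firefox carries the stable id inside the manifest itself.
    gecko = m.get("browser_specific_settings", {}).get("gecko", {})
    ext_id = gecko.get("id", "<unknown>")
    perms = list(m.get("permissions", []))
    api = [p for p in perms if not _is_host_pattern(p)]
    hosts = [p for p in perms if _is_host_pattern(p)] + list(m.get("host_permissions", []))
    return ExtensionRecord("firefox", ext_id, m["name"], m["version"], api, hosts)


def risk_flags(rec: ExtensionRecord) -> list:
    """Permissions worth a reviewer's attention: broad APIs and all-hosts access."""
    flags = [p for p in rec.api_permissions if p in BROAD_PERMISSIONS]
    flags += [h for h in rec.host_permissions if h == "<all_urls>" or h.startswith("*://*/")]
    return flags


def evaluate(rec: ExtensionRecord, allowlist: set, blocklist: set) -> str:
    """Blocklist wins; an empty allowlist means 'no allowlist enforced'."""
    if rec.ext_id in blocklist:
        return "blocked"
    if allowlist and rec.ext_id not in allowlist:
        return "not-allowlisted"
    return "review" if risk_flags(rec) else "allowed"


def build_inventory() -> list:
    """One record per installed extension, regardless of browser."""
    return [
        parse_chrome(CHROME_MANIFEST, CHROME_SAMPLE_ID),
        parse_firefox(FIREFOX_MANIFEST),
    ]


if __name__ == "__main__":
    for rec in build_inventory():
        print(rec.browser, rec.ext_id, rec.name, rec.version,
              evaluate(rec, allowlist=set(), blocklist=set()), risk_flags(rec))
```

The point of the record type is the one the post makes: once both browsers' manifests are reduced to the same fields, the policy and risk logic is written once instead of once per scanner. The Chrome id comes from the profile directory name rather than the manifest, which is why `parse_chrome` takes it as a parameter while `parse_firefox` reads it from `browser_specific_settings`.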
It’s worth noting that not all organizations share the same threat model; thus, the absence of a standardized API may not constitute a significant risk for many. However, the proposal aims to elevate the security maturity of the broader ecosystem and could be integral to the threat models of numerous organizations.
The history of browser development has been characterized by a tension between innovation and standardization, often at the expense of security. As browser extensions become increasingly integral to user experience and productivity, their potential as attack vectors grows correspondingly. A standardized API for managing browser extensions would not only streamline administrative workflows but also fortify the security posture of organizations. While the endeavor is challenging, given the historical context, it is a necessary step towards a more secure and manageable browser ecosystem.