In July 2019, researcher Sam Jadali discovered several extensions for the Chrome and Firefox browsers that collect browsing history and transfer it to a third party. Moreover, he found a platform where such data is bought and sold.
This may not set off any alarms. So what if someone finds out that one of your employees has visited a contractor’s website or even logged in to a corporate account in a social network? All the attackers get is the address. They can’t access any other information, so who cares? Well, these extensions periodically leak internal company data, and here’s how.
Links that reveal everything about you
The social networks and official websites of your contractors and partners likely do not divulge any secret information. You should be more concerned about “closed” pages, which are accessible only through unique links can be used to leak information. In reality, the only thing protecting these pages is their secrecy: Outsiders do not know their address. Here are several examples of such pages.
Suppose your company makes extensive use of Web conferences where employees from different departments discuss current plans, organize brainstorming sessions or simply receive information from management. Many platforms exist for conducting these types of conferences. For some, you need a key to participate, but small companies often use free or low-cost solutions that require only a link containing a unique meeting identifier that the organizer sends to all interested parties. This is all that is needed to allow a participant to join an event.
Now, imagine that one of the employees who received this link has an extension installed in their browser that siphons off information to outsiders. As soon as he or she joins the conference, this unscrupulous plugin sends its URL to a marketplace. An attacker who is trying to collect information about your company or is just looking for an opportunity purchases your employee’s browser history, from which he can see that one of the accessible meetings is taking place right now.
Nothing prevents the buyer of this link from joining the meeting. Of course, the other participants will receive a notification that someone has joined the event. But if several dozen people are attending and not all of them know each other, then hardly anyone will question who this unknown participant is. As a result, everything that is said during the conference will become known to the outsider.
Online invoices from suppliers
Your company’s suppliers might be using online billing services. For some services, payment invoices can be accessed using a unique link that is nevertheless publicly accessible. If an attacker has access to such an invoice, they can find out the name and address of your company and the supplier company, the amount paid, and other information.
It is true that in most cases nothing bad will happen if such information falls into the wrong hands. But for someone who employs social engineering, these invoices contain valuable information.
Many companies use online services such as Google Drive for collaboration purposes. In theory, they allow you to restrict access to files to prevent outsiders from opening them. However, not everyone establishes such restrictions on shared files. Often, anyone who has a link to a file can view and even edit the document.
And such a document may contain any type of information, from price quotes to the personal data of employees.
How to protect yourself from large-scale data leaks
To minimize the risk of such a leak, remind employees that they should exercise extreme caution before installing any browser extension, and also that if the online service they use allows it, they need to restrict document access before sharing. A best practice for management would be to approve a list of verified browser extensions and ban anything else as potentially dangerous.
In addition, conduct an analysis of the online services the company uses and identify those that allow access by link without requiring authentication. If a service allows access to anyone with a link, seek out a more-secure alternative.
Finally it is imperative to install a reliable security solution on every company computer to block any attempt to install a malicious extension, as well as other cyberthreats.