- In a web-based application environment, the browser can be the attack vector.
- Extensions and add-ons make working life better, at a potential price.
- Is an answer to use LLMs to scan extension/plugin code?
The National Security Agency states that browser extensions (sometimes referred to as plug-ins) expand an enterprise’s attack surface and can put the organisation’s data at risk. But as is often the case in cybersecurity, teams governing the organisation’s end-user fleet have to tread a fine line between allowing extensions that employees find useful (and are sometimes irreplaceable) and shutting off access to browser extensions by default.
There are various shades of grey appearing between the black and white of free-for-all and a complete ban, of course, and many solutions adopted by IT teams rely on operational detail: a user might request to use a particular extension, for example, and may be allowed to install it after appropriate vetting. The big technology vendors offer various platforms on which decisions can be taken, such as Google Chrome Enterprise, which lets administrators control the extensions allowed on Chrome, and Microsoft’s InTune, which can set policies for Edge browser installs, with admins controlling fleet policies via Active Directory.
The facilities to approve or deny individual browser extensions exist, but it’s the assessment of browser extensions that can be problematic. Administrators might assume that if an extension is popular (Grammarly, LastPass, Dark Reader are up there among the top ten), then it will have been checked over by others fairly comprehensively in the past. Sadly, the more popular a piece of software is, the greater the potential rewards to any bad actor exploiting it successfully. Good reviews, popularity, and even ubiquity are not part of the security equation.
Open-source extensions have some advantages over those developed proprietorially by private companies in that the former’s code can at least be examined by security teams. If there’s no opportunity to see the code that’s to be added to a browser, IT teams have no choice but to take veracity on trust.
Lessons from Mythos
The appearance in the headlines of Anthropic’s Mythos offering has brought back into focus the ability of large language models to discover – with varying degrees of definition and success – potential software flaws (although cybersecurity professionals have been aware of LLMs’ abilities to do this for several years). Researchers reacting to the hyperbole of the Mythos announcement were quick to note that many of its discoveries could also be made using small, downloadable LLMs, and a suitable prompting framework.
It may be likely that the long-term pattern of LLM use in general will be based on small, dedicated models running on-premise, and security teams may be no exception. A recently-surfaced example of how the setup might be manifest comes in the form of . It’s a platform developed on the back of the research interests of its author, Gherardo Fiori, developed – as so much software is – to scratch an individual’s itch.
At, users can upload any extension, either as a .crx/.xpi or reference to its listing on the Firefox Addons, Chrome Web Store, Edge Add-ons sites or equivalents, and have it scanned for potentially harmful or unwise behaviours. Although limited in scope at present (the author is considering currently whether or not to commercialise the project), it serves as an example of the path that IT security teams might take to reduce the attack surface of the enterprise fleet’s browser extensions.
The cybersecurity function in enterprise organisations is not only held responsible for any incident that proves deleterious to the company, but at the same time has to ensure the tools the workforce demands to use are as safe as possible. AI’s nascent use in software development appears to be emerging in some contexts as one of the technology’s minor success stories. Machine learning’s next niche may be in part of cybersecurity operations as a genuinely useful tool.
(Image source: “Peep Show” by jurvetson is licensed under CC BY 2.0. )
Want to experience the full spectrum of enterprise technology innovation? Join TechEx in Amsterdam, California, and London. Covering AI, Big Data, Cyber Security, IoT, Digital Transformation, Intelligent Automation, Edge Computing, and Data Centres, TechEx brings together global leaders to share real-world use cases and in-depth insights. Click here for more information.
TechHQ is powered by TechForge Media . Explore other upcoming enterprise technology events and webinars here .
