2023-10-07, Track 2
There are over 3 billion Chrome users across the globe, with nearly 200,000 active Chrome extensions available in the Chrome Web Store. Chrome extensions have become ubiquitous because of their ease of installation, additional functionality, and customization options. The demand for sophisticated Chrome extensions has become a gateway for attackers to exploit browsers and sensitive information. According to industry data, installs of malicious extensions have been trending upward, with over 1,300,000 install attempts between 2020 and 2022.
Because Chrome extensions possess privileged permissions, attackers can not only gain unauthorized access to high-value data but can also change browser behavior by injecting malicious code, leading to critical attacks like XSS and CSRF. Malicious extensions can exfiltrate data unbeknownst to the user, resulting in a breach of privacy.
No single Chrome security control can fully protect against all exploitation, but a layered approach has a proven success rate. Protecting against malicious extensions requires a multifaceted approach. It requires not only a foundational knowledge of browser interactions but also an understanding of how the extension manifest dictates the permissions, privacy, and security of an extension. Additional layers in this pipeline should be default-deny, security extension analyzers, and browser isolation agents used to investigate extension behavior post-loading.
In conclusion, this presentation will cover the pressing security concerns surrounding Chrome extensions, describe the present challenges of the available solutions, and highlight our company's innovative approach to mitigating these risks. By implementing robust security measures with enhanced control and monitoring capabilities, we aim to significantly reduce the threats associated with Chrome extensions, ensuring a safer and more secure browsing experience.
Aishwarya is currently working as a Security Engineer at Cloudflare, Inc. Her passion lies in finding ways to improve the security posture of applications, bug bounties, and automating security processes. She earned her Master of Science in Cybersecurity from George Washington University, DC and her Bachelor's in Computer Science Engineering from Anna University, India. She enjoys mentoring budding security enthusiasts and sharing knowledge with the security community by participating in meetups, hackathons, and CTFs and by contributing to open source projects. Apart from security, she has an ardent interest in sports and the finance side of things. So, if you spot her in your local cricket team or sports club, don't be surprised :)
Samuel is employed as a security engineer for Cloudflare. He is a graduate of the University of Oklahoma, where he received a Master's in Data Science and Analytics and a Bachelor's in Petroleum Engineering. Samuel started his career as a security generalist in Oil and Gas, eventually moving his way up to Incident Response/DNR in the tech industry, ultimately finding his calling in security engineering. Samuel is a Security Engineer for Cloudflare, where he leads mobile device management security and builds automations and processes to secure enterprise systems.