By Daniel Guermeur
Cybersecurity is hard to achieve. Computers are full of holes. Some websites open false security alert popups, tricking users to do something that will compromise their computer.
Once it is infected, there are virtually no limits to stealing data with the possibility of impacting users and their organizations.
Schools are primary targets because their limited budget calls for a streamlined IT department that can have a hard time keeping up with always evolving security practices.
In this article, we describe a family of small apps that represents a major cyber threat to individuals and organizations. They live inside browser applications, and they are called browser extensions. They are available for all major browsers, such as Chrome, Edge, Firefox and Safari.
Someone Else Is Reading Your Webpages and Sees Everything You Type
This is probably one of the most insidious and yet least known issues. Browser extensions can read the content of web pages, including what a user types (e.g. Gmail password). They can also change page content and read passwords, credit cards and phone numbers.
The irony is that users install extensions themselves. They are available in the Apple app store, Google Chrome store, and so on. Examples of extensions are “enhanced” search capabilities, online deals (e.g. the extension monitors what product is displayed on the current page and pops up a “deal” for the same product from an affiliate network).
Software programmers like to install JSON formatter extensions that “prettify” JSON code (a programming data transfer format). Others like to have a handy “double-click any word” to see a dictionary definition.
Again, all these extensions can read web page content, read passwords, credit card information.
It’s always a good idea to use products from reputable companies. However, software is complex and even the biggest, more skilled companies with thousands of software engineers and hundreds in their security teams make mistakes.
What to Do with Browser Extensions?
IT departments should lock down browser settings to disable unwanted extensions. In any case, users should reduce their surface attack by reviewing, disabling, uninstalling or configuring their browser extensions. For example, Chrome allows users to activate extensions ‘on click’ or only for specific sites.
Security is not convenient, and people like convenient things. Convenience always wins. This is why people and organizations are at risk because security is hard.
Security requires paying attention, curiosity, learning and lots of clicking. Yes, security slows us down sometimes. There is a cost to being more secure. We need to constantly learn new software, stay informed, install software upgrades, etc. That’s real work.
Who Can Keep Up?
It’s hard because there is no end to it. But we have to do it and we need to get good at it. We all are part of a team, part of a family, part of large and small organizations.
Problems will come from a weak link. One weak link and the whole system goes down, maybe along with your savings, your job, your reputation, and your organization.
Schools IT departments should constantly inform their users with small bite-size articles that are easy to understand.
Browser extensions are open backdoors that no firewall can protect. And right now, as you read this, it could be a good idea to review the extensions that are installed in your browser. Yes, right now; it takes only a minute.
Daniel Guermeur is the founder and CEO of Mojo Helpdesk, a ticket tracking web application used by over 2M users, including leading educational institutions, www.mojohelpdesk.com.