Did you know attackers can inject extensions into your employee machines in even of a compromise of their account? Look into controlling this in Edge and Chrome. - ThreadSky

swiftonsecurity.com • 201 days ago

Did you know attackers can inject extensions into your employee machines in even of a compromise of their account? Look into controlling this in Edge and Chrome.

Comments

joereddington.com•201 days ago

Typo?

swiftonsecurity.com•201 days ago

Yes

franckchester.bsky.social•201 days ago

as in synch extension with my personal, compromised device and compromise my work device? 😱

bennyjamins.bsky.social•201 days ago

A chrome extension is basically a root kit if it has certain permissions.

Lots of modern apps use tokens that are stored in local storage and or included in the headers. An extension can just read those things as if it was a part of the app.

Useful for good… scary if abused.

nullrend.com•201 days ago

much easier to barge in with a pipe wrench and see who talks before a big twist

litmoose.bsky.social•201 days ago

Best thing to do is have an approved list of extensions and move to allow list + deny by default.

samcaldwell.net•201 days ago

I'm still deeply disturbed that more than 20yrs after we all realized how dangerous browser extensions are, we still do not have a security framework standard for browsers to better sandbox them.

litmoose.bsky.social•201 days ago

I'm most looking forward to Chrome's new (and desperately needed) device binding feature, which I'll be implementing immediately.

The internet is full of horrors, and security is an emotion.