A colleague just alerted me to a job posting by Amazon that literally made me spit out my coffee from laughing so hard. Seeing is believing, so here is a screenshot of the first line:
The term "my butt" is used throughout the job description when it should say "the cloud." My colleague went on to explain that there was a browser extension years ago that would replace "the cloud" with "my butt" in whatever you were working on. I did a quick Google search and, sure enough, I found it.
Of course, how could I not write about this for a blog post that literally has the word "butt" in the title while at the same time addressing some of the security issues?
First, browser extensions are rarely talked about but do present security risks. While laughable in this situation, allowing an extension to always be on could give it access to sensitive data. It is up to the creator of the extension to decide how much of your data on the visited site to collect. Do they collect the URL you visited while the browser extension is enabled? Does it have read/write capabilities? Toggling your controls so that you actively give the extension access to each site where you need to use it is a best practice. Wired did a good job covering how to make sure your browser extensions are safe.
Second, do you know what browser extensions your employees have on their devices? While flirting with the concept of zero trust, it makes me wonder how many organizations are checking to make sure their employees don't have browser extensions that could have security or privacy vulnerabilities. In this case, we are dealing with an enormous organization, Amazon. Clearly, they provision each employee's computer and use software to monitor their employees' use of that computer for security purposes. But even such a large, well-run organization could not stop an employee from publicly posting an embarrassing job description inadvertently changed by a browser extension. Based on the research I noted above, the browser extension is from 2014. So is Amazon monitoring browser extensions? Or maybe this one just didn't rise to the level of a security block?
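One way to answer both questions above (what an extension can reach, and which ones are installed) is to read each extension's `manifest.json`. The following is an added example, not part of the original post: it assumes Chrome-style manifests, the sample manifests are constructed, and the directory passed to `audit_tree` is whatever extensions folder your inventory tooling collects.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose the URLs a user visits.
URL_VISIBILITY = {"tabs", "history", "webNavigation", "webRequest"}


def audit_manifest(manifest):
    """Summarise what a Chrome-style extension manifest lets the extension reach."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    script_hosts = set()
    for cs in manifest.get("content_scripts", []):
        script_hosts |= set(cs.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        # Content scripts can read and rewrite the page on every matching site.
        "rewrites_all_sites": bool(script_hosts & BROAD_HOSTS),
        "broad_host_access": bool((hosts | script_hosts) & BROAD_HOSTS),
        "sees_visited_urls": sorted(URL_VISIBILITY & set(perms)),
        "hosts": sorted(hosts | script_hosts),
    }


def audit_tree(root):
    """Audit every manifest.json under an extensions directory (path is caller-supplied)."""
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in Path(root).rglob("manifest.json")]


# Constructed sample manifests, not taken from any real extension.
TEXT_SWAPPER = {
    "name": "Constructed text replacer", "manifest_version": 2,
    "content_scripts": [{"matches": ["*://*/*"], "js": ["replace.js"]}],
}
SCOPED_TOOL = {
    "name": "Constructed scoped tool", "manifest_version": 3,
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://intranet.example/*"],
}

if __name__ == "__main__":
    for m in (TEXT_SWAPPER, SCOPED_TOOL):
        print(audit_manifest(m))
```

A text-replacing extension needs no special API permissions to rewrite every page; the broad content-script match pattern alone is enough, which is why the first sample is flagged even with an empty permissions list.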
The word "oops" pretty much sums it up.
If you liked this blog post, please share it and encourage others to subscribe to The Rebuttal. Have an idea for The Rebuttal? Want to join the only community exclusively for vCISOs? Join us at www.securityexpertmarketplace.com.