Automating Browser Extension Security with LimaCharlie and Secure Annex

John Tuckner

The Growing Challenge of Browser Extension Security

As browsers increasingly become users' primary operating systems for accessing analytics, financial, and other sensitive data, their security requirements are evolving. While browser developers invest significant resources in secure development, one vulnerability remains difficult to address: browser extensions. Browser companies must maintain extension flexibility to allow users to customize their web browsing experience.

For many teams, managing browser extensions often takes a back seat. Identifying which extensions users have installed can be challenging, and understanding their purposes and potential risks requires additional effort. This may seem like an overwhelming investment of time, leading teams to question the impact of implementing a comprehensive solution.

Comprehensive Extension Monitoring with LimaCharlie and Secure Annex

All LimaCharlie agents provide straightforward visibility into browser extensions installed on a host. Users can query installed extensions through either the browser agent or any endpoint agent.

However, what can we learn about an extension simply from its presence on an endpoint? Basic information such as name, version, ID, requested permissions, and installation source tells only part of the story. This information becomes more valuable when combined with details about ownership changes, vulnerability data, YARA signatures, code reviews, and the URLs the extension interacts with.

In partnership with Secure Annex, we've developed a new LimaCharlie Secure Annex extension that provides first-of-its-kind detailed enrichment for all extensions across your organization. Users can create detection rules based on extension categories, ratings, user counts, vulnerabilities, and signatures that identify potential abuse of broad manifest permissions.

The LimaCharlie extension comes preconfigured with a set of rules to help organizations quickly gain maximum value. Upon subscribing to the extension, several detection and response (D&R) rules are added to your organization in a disabled state.

Pre-Configured Detection Rules and Implementation

  • ext-secureannex-detect-vulnerabilities: Identifies high and critical vulnerabilities in extensions based on the Secure Annex vulnerability results.

  • ext-secureannex-detect-risk-rating: Flags extensions with high and critical risk ratings derived from the manifest results.

  • ext-secureannex-get-extensions-windows: Automatically schedules a base64 encoded PowerShell script to run every 24 hours on Windows sensors to query installed Chrome extensions and retrieve their IDs and versions.

  • ext-secureannex-get-extensions-mac: Similarly schedules a base64 encoded bash script for macOS sensors to achieve the same results as the Windows script.

  • ext-secureannex-get-extensions-chrome: Configures the OS_PACKAGES command to run every 24 hours on Chrome sensors to identify installed Chrome extensions.

These rules not only streamline data collection but also ensure that your organization’s browser extension management is proactive and efficient. Each rule can be enabled as-is or customized to fit your specific needs. Additionally, results from these processes are seamlessly integrated into the LimaCharlie interface, appearing in the live feed and timeline of the ext-secureannex sensor for immediate analysis.
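
As an added illustration of the inventory step the macOS collection rule performs (this is not the script shipped with the extension, nor any LimaCharlie or Secure Annex code), the shell function below lists extension IDs and versions from one Chrome profile. The function name `list_chrome_extensions` is hypothetical, and it assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version directory>/manifest.json`.

```shell
#!/bin/sh
# Added example, not the vendor's script: inventory Chrome extension IDs and
# versions from a single profile directory.
# Assumption: layout is <profile>/Extensions/<id>/<version dir>/manifest.json
# Usage (macOS default profile):
#   list_chrome_extensions "$HOME/Library/Application Support/Google/Chrome/Default"

# Print one "<id><TAB><version>" line per installed extension version.
list_chrome_extensions() (
    # Runs in a subshell, so the locale change below does not leak to the caller.
    LC_ALL=C; export LC_ALL
    ext_root="$1/Extensions"
    [ -d "$ext_root" ] || exit 0                # no Extensions folder: empty result

    for manifest in "$ext_root"/*/*/manifest.json; do
        [ -f "$manifest" ] || continue          # glob matched nothing
        ver_dir=$(dirname "$manifest")
        id=$(basename "$(dirname "$ver_dir")")

        # Extension IDs are 32 characters drawn from a-p; skip Temp and
        # any other folder that is not an extension ID.
        case "$id" in
            *[!a-p]*) continue ;;
        esac
        [ "${#id}" -eq 32 ] || continue

        # Read the "version" key when it starts a line of a pretty-printed
        # manifest. Anchoring at line start keeps "manifest_version" out.
        version=$(tr -d '\r' < "$manifest" |
            sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
            head -n 1)

        # Minified manifests keep everything on one line, so fall back to
        # the version directory name (for example 1.2.3_0 becomes 1.2.3).
        [ -n "$version" ] || version=$(basename "$ver_dir" | sed 's/_[0-9]*$//')

        printf '%s\t%s\n' "$id" "$version"
    done | sort -u
)
```

The ID and version pairs it prints are the kind of identifiers the enrichment and detection rules described above operate on.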

By leveraging the Secure Annex platform’s APIs, including endpoints for manifest data, extension vulnerabilities, and signatures, users can gain actionable insights. The extension allows teams to move beyond simple visibility and into comprehensive monitoring and risk mitigation. This enables a proactive approach to extension security, empowering organizations to minimize potential threats and maintain robust cybersecurity standards.

Customer Success

Developed in collaboration with managed services provider M3Power, this extension offers unprecedented insight into browser extensions for its customers. Chris D'Amore, Cybersecurity Practice Manager at M3Power, says, "This provides context into browser extensions that we hadn't had previously. By simply adding an API key, we've gained a deeper understanding of each extension and can now respond more quickly to future incidents involving browser extensions if they occur."

Getting Started with Secure Annex and LimaCharlie

To start using the Secure Annex extension with LimaCharlie, log into your LimaCharlie account and enable the extension from the LimaCharlie Marketplace.

For questions or feedback, you can contact the Secure Annex team at support@secureannex.com or visit secureannex.com.