
Best practices for secure and safe Browser Extensions deployed by MIND

Itai Schwartz, Co-Founder & CTO at MIND

Jan 07, 2025

Over the holidays, cybercriminals exploited a common yet often overlooked entry point: browser extensions.

Vulnerability of browser extensions exposed

In a widespread phishing campaign, attackers gained access to the source code of several Google Chrome extensions and injected malicious code. While not a targeted attack, this breach prompted affected companies, including data security vendors, to swiftly patch their extensions.

Legitimate business tools compromised

Browser extensions are indispensable tools, often used for legitimate business purposes. On average, a business user might have around 10-15 browser extensions installed for various productivity, security and utility purposes. However, their access to sensitive data, such as usernames, passwords and cookies, makes them an attractive target for cybercriminals. The goal of the most recent publicized attack was clear: to harvest credentials and session data for future exploitation.

MIND's best practices for our browser extensions

At MIND, we recognize the critical role our browser extension plays in sensitive data loss prevention (DLP) within SaaS applications and on endpoints. That’s why security is always top of mind.

Here are the best practices we employ to make sure our MIND browser extensions are safe and secure:

  • Source code review: Our source code is reviewed to ensure it’s free from malicious code injection.
  • Privileged access controls: A very small number of people have access to our source code and we follow strict privileged access controls.
  • Rigorous deployment workflow: The entire MIND browser extension deployment workflow is written as code and audited, and deploying a new version requires manual approval.
  • Security awareness training: Our employees regularly engage in active phishing education and testing.
  • Penetration testing: Routine penetration tests help us proactively identify and remediate potential security issues.

Vigilance is key to protecting customers

While this attack highlights the dangers of phishing and compromised browser extensions, it also underscores the importance of robust security practices. At MIND, we remain vigilant, ensuring that your data stays protected, even in the face of evolving threats. Learn how MIND stops data leaks on endpoints and web browsers.
