Risky Bulletin – Episode Summary
Sponsored: The Challenge of Managing Browser Extensions
Podcast: Risky Bulletin, hosted by Casey Ellis (Risky.biz)
Guests: David & Daniel (Airlock)
Date: September 14, 2025
Episode Overview
This episode explores the increasingly complex problem of managing browser extensions in enterprise environments. Casey Ellis speaks with David and Daniel from Airlock about why browser extension management matters, what risks enterprises face, practical management strategies, and how Airlock's latest updates and integrations can help organizations gain control over browser-based threats. The discussion includes real-world enterprise stories, insights into browser extension permission models, and tactical advice for hardening browser security.
Key Discussion Points & Insights
1. Why Are Browser Extensions a Security Priority?
- Immediate Risk: Unlike traditional apps, browser extensions can introduce unvetted code directly into end-user environments, bypassing many established security boundaries. ([00:33])
- Quote – David:
"When you start introducing third party code into the browser from all of these app stores that are largely sort of consumer controlled... you start to introduce and break through a little bit of that security barrier." ([00:33])
- Insufficient Visibility: Enterprises rarely have detailed visibility into which extensions are in use, unlike with installed desktop or mobile apps.
- Permission Complexity: The browsers’ permission models are granular and not always transparent to users or admins.
2. The AI Factor and 'Vibe Coding' Extensions
- The 'AI revolution' has accelerated the creation (and adoption) of rapidly developed, potentially insecure browser extensions.
- Quote – Daniel:
"With the AI revolution that's led to a billion other browser extensions as well, where people are also entering more sensitive content as well." ([02:05])
- Many extensions are developed quickly ("vibe coding"), often with little security focus.
3. Browser Permissions: Scope and Risks
- Daniel notes there are ~97 different browser extension permissions, ranging from mundane to very high risk (e.g., screen/desktop capture, code execution). ([02:28])
- Quote – Daniel:
"Can they capture your screen, can they capture the desktop... for things such as code execution and similar as well. So there's some interesting design learnings there..." ([02:28])
- The current browser extension permissions model lacks user-friendly granularity; it’s often “all or nothing” for users installing extensions. ([03:59])
4. Enterprise Extension Management: The 'Allow List' Approach
- Relying on browser marketplaces and end-users to make security decisions is fundamentally flawed.
- Quote – Casey:
"For an enterprise to fully rely on controls like that means they're basically losing control of the process. And you're playing a game of whack-a-mole at that point, right?" ([05:06])
- Quote – Daniel:
"You're giving like the user the decision... A lot of people are just going to push the allow button at that stage. Right. They're not told doing a risk assessment at that point." ([05:59])
- Extension squatting (malicious lookalikes) and abandoned or compromised third-party extensions are prevalent risks.
- Allow-listing trusted extensions and blocking the rest is a strong strategy but requires inventory and management.
5. Real-World Organizational Challenges
- Discovery is often the very first step; most organizations have poor or no inventory of browser extensions in use. ([07:50])
- Quote – David:
"It's really trying to get a handle on the problem in the first place... it's often the first time that they're actually seeing that data..." ([07:50])
- Cross-browser complexity: Enterprises must decide which browsers are even permitted in their environment (Chrome, Edge, Firefox, Brave, etc.). ([09:18])
- Integration with platforms like CrowdStrike helps bring visibility and risk scoring, aiding initial clean-up and later ongoing management.
6. How Airlock & CrowdStrike Integrations Work
- Airlock integrates with CrowdStrike Foundry, leveraging CrowdStrike’s inventory of extension data to jumpstart management.
- Quote – Daniel:
"We have an integration with CrowdStrike, where CrowdStrike already know all the browser extensions that are installed. And we can sort of bring those extension IDs in, you can review them and then decide..." ([09:18])
- New features in Airlock allow enforcement, blocking, and user-based requests for non-listed extensions. ([11:43])
7. Practical Hardening Advice
- Use Group Policy (GPO) ADMX templates for Chrome, Edge, Firefox, etc., to block/allow specific extensions.
- Focus on permissions such as file system access, desktop capture, and execution rights as red flags.
- Quote – David:
"There's File system and File System Write Access... there's desktop capture, which allows sort of full screenshots downloads open... really high risk sort of permissions in some extensions." ([14:29])
- Start with visibility, move to allow-listing, and regularly review the need for each extension.
- Deny-by-default is recommended, with approvals for business-justified, well-understood extensions. ([16:02])
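The permission review from section 3 and the deny-by-default allow-listing from section 7 can be combined into one small triage step. This is an added example written for this summary, not Airlock's or CrowdStrike's code; it assumes the Chrome/Edge policy names ExtensionInstallAllowlist and ExtensionInstallBlocklist (the values the ADMX templates set), and the extension IDs, manifests and the high-risk permission list are constructed for illustration.

```python
import json

# Permissions the episode calls out (desktop capture, file/system reach, execution)
# plus a few of the same class. Assumption: an illustrative starting list, not an
# official ranking of all ~97 permissions.
HIGH_RISK = {"desktopCapture", "tabCapture", "debugger", "nativeMessaging",
             "webRequest", "scripting", "clipboardRead", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess(manifest):
    """Return the set of risk flags raised by one extension manifest (MV2 or MV3).
    MV2 lists host patterns under 'permissions'; MV3 under 'host_permissions'."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    flags = perms & HIGH_RISK
    if hosts & BROAD_HOSTS:
        flags.add("broad_host_access")
    return flags

def build_policy(inventory, approved):
    """Deny-by-default policy: block '*' and allow only approved IDs.
    Also returns approved extensions that still raise flags (for re-review)
    and the IDs the policy will block."""
    policy = {"ExtensionInstallBlocklist": ["*"],
              "ExtensionInstallAllowlist": sorted(approved)}
    review = [(ext_id, sorted(assess(m))) for ext_id, m in inventory.items()
              if ext_id in approved and assess(m)]
    blocked = sorted(set(inventory) - set(approved))
    return policy, review, blocked

# Constructed sample inventory: IDs, names and manifests are made up for this example.
INVENTORY = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Corp SSO Helper", "manifest_version": 3,
        "permissions": ["storage", "cookies"],
        "host_permissions": ["https://sso.example.com/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Screen Grabber", "manifest_version": 3,
        "permissions": ["desktopCapture", "nativeMessaging"],
        "host_permissions": ["<all_urls>"]},
    "cccccccccccccccccccccccccccccccc": {"name": "Vibe Clipper", "manifest_version": 2,
        "permissions": ["clipboardRead", "<all_urls>"]},
}
APPROVED = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}

if __name__ == "__main__":
    policy, review, blocked = build_policy(INVENTORY, APPROVED)
    print(json.dumps(policy, indent=2))
    for ext_id, flags in review:
        print(f"re-review {ext_id} ({INVENTORY[ext_id]['name']}): {', '.join(flags)}")
    print("blocked by deny-by-default:", blocked)
```

The printed policy is the JSON shape Chrome and Edge accept for managed policies; on Windows the same two keys are what the GPO/ADMX templates write to the registry.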
Notable Quotes & Memorable Moments
- On the Challenge of Extension Management:
  Casey: "It has always been a really easy thing to talk about and a very difficult thing to do." ([05:06])
- On Allow-listing as a Philosophy:
  Daniel: "Allow only what you trust, block everything else adds a pretty strong layer..." ([06:16])
- On the Scale of the Problem:
  David: "People have less of an idea about what's there than traditional files or applications." ([07:50])
Timestamps for Important Segments
- [00:33] - Why browser extensions are a unique risk
- [02:28] - The breadth of extension permissions & AI acceleration
- [05:59] - User agency and extension approval risks
- [07:50] - Enterprises’ lack of visibility and initial discovery
- [09:18] - How Airlock leverages CrowdStrike for extension inventory
- [11:43] - Enforcing extension policies within Airlock
- [13:18] - Using GPOs and browser settings for hardening
- [14:29] - Practical advice: Focus on dangerous permissions
- [16:02] - Making allow-listing decisions & deny-by-default strategy
- [18:19] - Airlock 6.1 release: new UI and cloud sync support
Summary of Actionable Advice
- Inventory: Begin with a deep, organization-wide inventory of browsers and extensions in use.
- Integration: Use tools (like Airlock + CrowdStrike) for visibility and as a starting point.
- Hardening: Apply GPO/ADMX controls to block all but business-required extensions.
- Risk Review: Scrutinize extensions requesting sensitive permissions (file system, desktop capture, code execution).
- Allow-List: Explicitly allow approved extensions; deny-by-default for everything else.
- Ongoing Review: Regularly validate the necessity and trustworthiness of extensions.
- Consider UI and UX Improvements: Use platforms that simplify policy creation, inventory, enforcement, and user exception requests.
New Developments Announced
- Airlock 6.1 Released:
- New and improved UI.
- Native cloud sync support for group-based policy enforcement (e.g., integrate with Entra groups).
- Enhanced ability to block risky actions (like PowerShell) per group. ([18:19])
Closing Thoughts
The browser is a new battleground for enterprise security, with extensions providing both utility and substantial risk. Proactive management—rooted in allow-listing, strong inventory practices, and awareness of high-risk permissions—can help organizations better control this increasingly critical attack surface. Airlock and CrowdStrike’s integrations offer practical tools for regaining control.
If attending Falcon in Las Vegas, David and Daniel encourage in-person discussions for deeper dives. ([19:02])
End of Summary
