Malware Exploits Security Teams’ Greatest Weakness: …

Users’ distrust of corporate security teams is exposing businesses to unnecessary vulnerabilities.

In early January, Colin McMillen, the lead developer at SemiColin Games, tweeted a warning about a popular Google Chrome extension, The Great Suspender. The utility came under fire after McMillen learned the developer sold it to a third party that silently released a version that could spy on a user’s browsing habits, inject ads into websites, or even download sensitive data.

After a community outcry, the new owner removed the offending code. Now aware of the change of ownership and breach of trust, many savvy users removed the extension.

Even so, The Great Suspender remained available in the Chrome Web Store until Feb. 3, when Google finally pulled the plug. Many of the extension’s 2 million users found out when they received a warning that simply stated, “This extension may be dangerous. The Great Suspender has been disabled because it contains malware.”

While Google eventually set things right, it took too long. McMillen’s tweet shone a bright light on this in January, but comments on the extension’s issue tracker indicate users reported the problem to Google as early as October 2020. This left Chrome users in a potentially vulnerable position for over three months.

How Personal Computers Put Work Devices at Risk
Sometimes, Google Chrome extensions installed on personal computers are automatically installed and synchronized to work devices. This brings their problems into the security team’s purview, which then must make difficult decisions because:

  1. The risks associated with running suspicious extensions like The Great Suspender usually impact the employee, not the company, more.
  2. Before the extension was banned in February, end users had no official indication the extension was potentially malicious.
  3. Despite the risks associated with the extension, users intentionally installed it and, presumably, were happily using it.

Security teams are accustomed to wielding impressive tools that can block, contain, and remediate clear threats. They work best in a world of absolutes, where software is either good or bad, and systems are either secure or vulnerable. In the case of The Great…