You install a browser extension to save articles for later. You download a mobile app that needs access to your camera, microphone, contacts, and location. You connect a third-party integration to your project management tool. Each of these decisions extends your attack surface in ways that are easy to overlook and difficult to undo.

Browser Extensions: The Invisible Threat

Browser extensions are among the most powerful and least scrutinized software on your computer. An extension granted access to all websites (Chrome's "Read and change all your data on all websites", the <all_urls> host permission in its manifest) can read every page you visit, capture every password you type, rewrite the content of banking sites, and send your browsing history to a remote server.

The Chrome Web Store and Firefox Add-ons review submissions far less rigorously than the mobile app stores, and updates ship to users automatically and silently. Extensions have been caught injecting ads, stealing cryptocurrency, recording keystrokes, and hijacking search results. Researchers who analyzed the Chrome Web Store found that roughly 280 million users had installed extensions containing malware over a three-year period ending in 2023.

The problem is compounded by extension acquisitions. A popular extension with a clean history is bought by a new owner who pushes an update that adds malicious functionality. Because updates install automatically, users who installed the original, trustworthy version end up running the malicious one without ever making a new decision.

  • Limit extensions to essentials. Every extension is a potential vulnerability. If you have not used an extension in the past month, remove it.
  • Check permissions before installing. An extension that claims to change your new tab page should not need access to "Read and change all your data on all websites."
  • Prefer open-source extensions whose code can be publicly audited, and check the user count, the date of the last update, recent reviews, and any change of ownership for warning signs.

Mobile Apps and Excessive Permissions

Mobile operating systems have improved their permission models significantly, but many apps still request far more access than they need. A flashlight app requesting access to your contacts and location is a classic example, but the problem extends to mainstream apps as well.

Consider what happens when you grant an app full access to your photos. It can now scan every image in your library, including screenshots of sensitive information, photos of documents, and pictures with location metadata embedded; both iOS and Android now let you grant access to selected photos only, and that is the option to use. An app with microphone access can record while it is in the foreground, and in the background only if it declares a background audio mode (iOS) or runs a foreground service (Android); both platforms now show an on-screen indicator whenever the microphone or camera is in use.

To reduce your mobile app risk:

  1. Review permissions on installation and deny anything that does not make sense for the app's core functionality.
  2. Use "Allow Once" or "While Using the App" (on Android, "Only this time" or "While using the app") instead of "Always Allow" for location, camera, and microphone access.
  3. Audit permissions periodically. On iOS, go to Settings then Privacy and Security. On Android, go to Settings then Privacy (on some devices Security and privacy) then Permission manager; the exact path varies by version and manufacturer. Review which apps have access to sensitive resources.
  4. Delete apps you no longer use. Unused apps still have their granted permissions and may run background processes.

Supply Chain Compromise Through Integrations

Modern software ecosystems are built on interconnected services. Your CRM connects to your email provider. Your project management tool integrates with your cloud storage. Your CI/CD pipeline pulls packages from public registries. Each connection is a link in a supply chain, and a compromise at any point can cascade through the entire chain.

The 2020 SolarWinds attack demonstrated this at scale: attackers compromised the build process of the company's widely used Orion IT monitoring platform and inserted a backdoor into a signed software update that as many as 18,000 customers downloaded, including U.S. government agencies and Fortune 500 companies. The victims' only mistake was to trust a legitimate vendor's update, which is exactly what they were supposed to do.

At a personal level, supply chain risk manifests through:

  • Compromised or typosquatted npm and PyPI packages that developers pull into their projects, often running code at install time
  • OAuth integrations: when a third-party service holding access tokens is breached, every account connected to it is exposed
  • Zapier/IFTTT automations that bridge services with broad permissions
  • WordPress plugins that are abandoned by their maintainers and later found to have exploitable vulnerabilities

Auditing Your App Ecosystem

Most people have no idea how many third-party apps and services have access to their data. A thorough audit involves:

  1. List every browser extension installed across all browsers and devices. Remove anything nonessential.
  2. Review connected apps on every major account (Google, Microsoft, Facebook, GitHub, Twitter). Revoke access for services you no longer use.
  3. Check mobile app permissions and revoke any that are unnecessary for the app's function.
  4. Inventory integrations on your business tools. Who authorized the Slack bot? What does the Google Drive integration in your project tool actually access?
  5. Check for abandoned or unmaintained tools that are still connected. A service that has not been updated in two years is a liability.

The Principle of Least Privilege

The core defense against third-party app risk is the principle of least privilege: every app, extension, and integration should have the minimum permissions necessary to perform its function, and nothing more. A note-taking app needs access to its own local storage, not your camera. A weather app needs your approximate location, not your precise GPS coordinates, and both iOS and Android let you grant approximate location only.

Apply least privilege proactively. When installing a new app, start with the most restrictive permissions possible. If the app does not work, grant the specific additional permission it needs. This is the opposite of the default behavior, which is to accept every permission request and never revisit the decision. Treat every permission grant as a small trust decision, because that is exactly what it is.
