The Hidden Security Risks of Salesforce Admin Chrome Extensions

Understanding browser extensions and risk mitigations
Salesforce admins, developers and architects often use Chrome extensions to increase their productivity. While there are many other browsers with extensions, here we cover Salesforce extensions for Chrome.
There are a few reasons these extensions are popular with Salesforce teams, but one of the most important motivators is Salesforce’s model: each Salesforce org has its own set of user accounts and credentials, and you can only be logged into one Salesforce org per browser profile. Switching between multiple production, sandbox, and development orgs can be challenging. Another reason is the need to improve the user experience of the Salesforce web interfaces, e.g. by adding colors, new search capabilities or metadata helpers.
Chrome extensions extend the browser’s capabilities by reading and interacting with web sites. For the purposes of this post we focus on Salesforce, but the same is true for other sites as well. Why do we talk about risk? Not everyone is aware that:
Browser extensions can see all data read from Salesforce and can interact with the Salesforce UI on behalf of (but possibly invisibly to) the user through robotic-process automation.
There are also some browser extensions that connect to the user’s Salesforce org through a Connected App. Valo has identified three such extensions:
Salesforce DevTools
Salesforce Inspector (Reloaded)
Salesforce Advanced Search
These extensions will acquire an OAuth token and use it to interact with the Salesforce API as the user.
These extensions are often created by individuals within the Salesforce community who initially develop the tool for personal use and then share it publicly. These individuals may or may not be well known in the community. In most cases, there is no evidence of security testing, vulnerability management, privacy policies, or security certification for these extensions.
When are browser extensions a risk?
Browser extensions can introduce security risks into your Salesforce landscape in several different ways. The following list points out several threat scenarios that Chrome extensions can introduce:
Many Salesforce-related Chrome extensions are open source, with source code available on GitHub. A malicious actor could create a trojanized version of an existing extension and upload it to the Chrome Web Store as a new extension.
A malicious actor could buy a popular extension, inject malicious code, and use the automatic updates to distribute the malware. This has happened with non-Salesforce extensions and there are reports that browser extension developers regularly get approached by third parties about “business opportunities”.
Someone may hack the Google account of the developer of the extension and release a malicious update. This has not happened to Salesforce extensions, as far as we know, but in December 2024 it happened to many other extensions.
Extensions are implemented in JavaScript, HTML and CSS, and they process a lot of untrusted data (website content, user input, ...). Extensions can also have sensitive access to the browser. Vulnerabilities in extension JavaScript code can expose both local data and data on the sites you use.
An extension has access to the data in the Salesforce org either by observing the browser or through an OAuth token, and there is no easy way to determine what even a "benign" extension does with the data (e.g. collecting data about your environment and sending it to the developer's backend) or where that token is stored.
A malicious actor could join the open source development team working on the extension and inject malicious code. There are no reported cases of this with extensions, but it has happened elsewhere, e.g. to the xz Utils library not too long ago.
How can you mitigate risks?
Mitigating browser extension-related risks is similar to reducing any other app or SaaS-related risks:
Limit the number of Chrome extensions you use. Consider if you really need an extension. Can the same outcome be achieved with some other tool?
Uninstall any extensions you no longer need.
Thoroughly vet all extensions before installing them. Look at the developer's reputation, number of users, user ratings and reviews, security certifications, privacy policy, etc. to estimate the security posture of the extension.
Use Managed Chrome to restrict the use of Chrome extensions in your organization.
Minimize users' permissions to what they actually need in order to reduce the attack surface, including from browser extensions. Consider whether you really need to use extensions while logged in as a full admin profile user.
Regularly monitor Salesforce connections, tokens and other activities.
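As an added example that is not from the original post or from Valo, the following Chrome managed policy file implements the "Managed Chrome" and least-privilege points above: it blocks installation of every extension by default, denies all extensions runtime access to Salesforce hosts, and then allowlists one vetted extension (the ID is a placeholder you replace with the 32-character ID from the Chrome Web Store) that may reach Salesforce. The path assumed is the Linux managed-policy directory, e.g. /etc/opt/chrome/policies/managed/salesforce-extensions.json; on Windows and macOS the same ExtensionSettings JSON is delivered via the registry or a plist.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by IT security before use.",
      "runtime_blocked_hosts": [
        "*://*.salesforce.com",
        "*://*.force.com"
      ]
    },
    "REPLACE_WITH_VETTED_EXTENSION_ID": {
      "installation_mode": "allowed",
      "runtime_allowed_hosts": [
        "*://*.salesforce.com",
        "*://*.force.com"
      ]
    }
  }
}
```

The runtime_blocked_hosts entry under "*" also applies to extensions that were installed before the policy was rolled out, so a previously installed Salesforce-reading extension loses access to those hosts even if it is not removed; confirm the applied policy on a managed machine at chrome://policy.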
Browser extensions are a useful category of tools and an easy way to bring new capabilities to your existing services. However, they come with risks that are often overlooked. In many ways, browser extensions bring a lot more risk than mobile and web applications, and hence care should be taken with them.
Additional Resources
Paul Ginsberg has an excellent blog post about Salesforce extensions and some risks they pose:
https://naturallypaul.com/blog/salesforces-chrome-plugins-the-great-and-the-risky
Salesforce Ben has an annually updated list of popular extensions: https://www.salesforceben.com/most-popular-salesforce-chrome-extensions/
About Mika
Mika Ståhlberg is the CTO and Co-founder of Valo, with 25 years of experience in cybersecurity and R&D positions. Previously, Mika led security initiatives at Ouraring and served as CTO at F-Secure. He is a Salesforce Certified Integration Architect with extensive experience in leadership and hands-on technology work. Mika is passionate about building usable products that effectively solve customer problems.
Outside of work, Mika enjoys snowboarding, music, and exploring history.