Applications and SaaS Plugins: Data Exfiltrations

Since most security administrators have little insight into cloud-to-cloud connections, monitoring and protecting data throughout these communications is challenging. This article will examine the issue and potential remedies. 

What Exactly Is a ‘Plug-In’ in a SaaS System?

A plug-in SaaS System typically refers to a software component through which the functionalities or capabilities of a SaaS application are increased. It is developed in a way that it will easily complement the SaaS app through which it is connected and serves users as an add-on functionality.

SaaS application is connected with its plug-in through application programming interfaces (APIs), which are either developed by SaaS providers or often by third-party developers. These plug-ins in SaaS systems serve as a way to increase the app functionality, add more value to the basic SaaS app, and allow the user to customize his experience.

As an illustration, if there is already an existing SaaS app that offers accounting automation, an add-on plugin can classify the spend, analyze the data, and offer recommendations to optimize cost by offering an alternative vendor or services that provide equal or better services as a value addition on existing apps. A communication tool that can assist colleagues in discussing, calling, and whiteboarding the design is another example of a SaaS Plugin on a collaborative UX design software.

How Is Data Exfiltrated Using Plug-Ins on the SaaS System?

The plug-ins on SaaS applications send data to their own cloud for analysis, transformation, or other value-adding purposes. Data transfers may be substantially larger than necessary. Additionally, the data on the plugin cloud may be further compromised, sold, or utilized for purposes other than those for which the data owner originally shared the data with the plugin.

Plugins can take advantage of the security and authorization issues that SaaS applications themselves may present to add more data to their systems. SaaS applications are hosted in the cloud and sometimes have hazy access restrictions. Cloud governance for SaaS apps and plugins can sometimes be intermittent or nonexistent. The management of access is made uniquely challenging by its intricacy. 

There is an access risk associated with third-party integrations. Plugins that link one SaaS software to another occasionally turn the plugin into an unauthorized "user" of the app. When plugins are not properly maintained by developers, it is simple for an attacker to seize control of the plugin, giving him or her access to all connected SaaS apps. This can happen through some weakness in the plug-ins’s code, bypassing of access control by unauthorized users, or through leveraging vulnerabilities in the connected SaaS app. Unauthorized parties can access the crucial data, and data can be exfiltrated to external servers as soon as an unsecured plug-in connects with a SaaS app.  

Some of the SaaS plug-ins have baked-in functionality to harvest data with the user’s permission for feedback and analytics purposes. This will transfer sensitive data to third parties. Some other SaaS plug-ins also serve as ‘backdoor plug-ins.’ It refers to a vulnerability or a hidden method cleverly inserted into a plug-in for data exfiltration or unauthorized control. A backdoor plug-in can easily be used by attackers without any detection. These backdoor plug-ins are often included with the SaaS app during the development process, which will allow attackers to use them later.

What Is the Magnitude of These SaaS Plug-In’s Hazards?

The average number of plugins installed in a typical business SaaS application is tens. Additionally, more than 50% of these are installed directly by end users rather than by IT administrators. This makes it possible for many plugins to access corporate data.  

We are aware of the security risks posed by supply chains in common on-premises apps because they were extensively highlighted during the SolarWinds hacks. When it comes to SaaS App plugins, this attack vector is open for direct attack. The vast bulk of the client data is subject to unlimited and unrestricted approval from users and IT administrators.

Once these plugins are set up for experiment or research purposes, they are hardly ever removed, and their rights are even less frequently withdrawn. This indicates that these plugins still have access to customer information. Since there are cloud-to-cloud communications, the end user cannot directly monitor the traffic other than through the SaaS application's auditing capabilities. 

Here are a few instances of data exfiltration attacks through SaaS plugins:

Browser Plug-Ins for Screen Recording

There are numerous instances where app plug-ins go too far and offer functionality with little in the way of checks and balances. There are many browser add-ons, for instance, that will record your browsing sessions and upload them to their own cloud. Without regulation and control, this functionality can be a significant source of data exfiltration.

Video Conferencing Applications

It is another instance of a video conferencing program that went too far and provided capabilities without taking privacy or unintended data sharing into account.

Email Marketing Plug-In 

There are such SaaS plug-ins that are used for marketing. With its advantages, there are potential risks as well. These plug-ins have access to the user's data. If an attacker gets successful gaming control through the plug-in, then it can lead to potential exposure of sensitive customer locations.

Customer Relationship Management Plug-In

CRM platforms have various plug-ins and integrations. The customer data stored in the CRM system can be exfiltrated if these plug-ins are not secured properly.

MFA for All Privileged Users With Microsoft

Microsoft Security published details about an assault it experienced from DEV-0537 on March 22. One Microsoft account was compromised, which led to source code being taken and made public. Microsoft reassured consumers that the LAPSUS assault didn't compromise any of their data and added that none of their products were at risk as a result of the stolen code. 

Although it warned readers that LAPSUS$ regularly recruits personnel at telecoms, significant software developers, contact centers, and other companies to provide credentials, Microsoft did not clearly disclose how the intrusion was carried out.

How Can Data Exfiltration Be Prevented?

The following are some strategies to stop data exfiltration through plus-ins:

• Access Control policies: Businesses needs to drive access to sensitive data with regular auditing. The access needs to be on the need-to-know basis. This will need tooling to tag nature of sensitive data. These policies need to comprehensively identify the access requirement of users as well as machines. The policies need to clearly outline who, what, and when. Also, access to enable plugin needs to be controlled.
• Event monitoring and auditing: Monitoring and alerting of suspicious activity and access changes. Daily event review is essential for SaaS security and should include events like modifications to MFA for users and machines, password resets, suspect logins, and more. Majority of this workflow should be automated. Knowing the risk associated with user and process accessing data is key to determining access policies and enforcements.
• Regular cleanup of unused access: One of the biggest challenges in managing access is data on SaaS in residual access. This mean the access that was provided for a valid reason is no longer necessary. Enhance and keep track of your cloud security posture by enforcing access expiry at the time when access is provided.
• Inform users of the dangers posed by third-party applications and exhort them to be cautious when approving permissions.

SaaS solution security is a difficult task that would be extremely difficult to carry out manually. This, however, can be achieved with automation and tooling.