Microsoft has introduced an updated version of the “Publish API for Edge extension developers” that increases the security for developer accounts and the updating of browser extensions.
When first publishing a new Microsoft Edge browser extension, developers are required to submit it through the Partner Center. Once approved, subsequent updates can be done through the Partner Center or the Publish API.
As part of Microsoft’s Secure Future Initiative, the company is increasing security across all its product groups, including the browser extension publishing process to prevent extensions from being hijacked with malicious code.
With the new Publish API, secrets are now dynamically generated API keys for each developer, reducing the risk of static credentials being exposed in code or other breaches.
These API keys will now be stored in Microsoft’s databases as hashes rather than the keys themselves, further preventing possible leaking of the API keys.
To further increase security, access token URLs are generated internally and do not need to be sent by the dev when updating their extensions. This further improves security by limiting additional risks of exposing URLs that could be used to push malicious extension updates.
Finally, the new Publish API will expire API keys every 72 days, compared to its previous two years. Rotating secrets more frequently prevents continued misuse in the event that a secret is exposed.
Edge developers can try the new API key management experience in their Partner Center dashboard.
Source: Microsoft
Developers will then need to regenerate their ClientId and secrets and reconfigure any existing CI/CD pipelines.
Software developers are commonly targeted in phishing attacks and information-stealing malware campaigns to steal credentials.
These credentials are then used to steal source code or to compromise legitimate projects in supply chain attacks.
While Microsoft is currently making this new process “opt-in” to minimize the disruption of moving to the new Publish API, it would not be surprising for the updated Publish API to become mandatory in the future.
“To minimize the disruption of moving to the new Publish API, we have made this an opt-in experience. This allows you to transition to the new experience at your own pace,” concludes Microsoft’s announcement.
“If needed, you can also opt-out and revert to the previous experience, although we encourage everyone to transition to the new, more secure, experience as soon as possible.”
“The security enhancements coming with the new Publish API will help protect your extensions and improve the security of the publishing process.”
Source: www.bleepingcomputer.com