Duo Security Releases Research Into Chrome Extension Security



A recent survey of over 120,000 Chrome extensions has revealed that over a third of Google Chrome extensions ask users for permission to access all their data on any website.

The survey was carried out by Duo Security’s research arm, Duo Labs, using ‘CRXcavator’, a new free web service that the team built for the purpose. The aim of CRXcavator is to help users, enterprises and developers improve their Chrome extension security hygiene.

The service allowed the researchers to scan the Chrome Web Store in its entirety. In January 2019 they scanned 120,463 Chrome extensions and apps and found that many developers are not consistently ensuring the security of their third-party libraries, reducing their access to user data to the minimum needed for the extension to function, or providing information about the privacy implications of their extensions.

Duo found that 38,289 extensions (31.8 percent) use third-party libraries that contain publicly known vulnerabilities. Another area where we hope to see extensions (including apps) improve for administrators is ensuring that privacy policies and support sites are available and easily accessible. Currently, 102,029 extensions (84.7 percent) do not have a privacy policy listed, and 93,080 (77.3 percent) do not have a support site listed. These are easy fixes that will drastically improve the security and transparency for administrators evaluating extensions for their organizations.

Of the 95k extensions in the Web Store that support Content Security Policies at the time of our analysis, we found that 74,403 (78.3 percent) do not have a CSP defined and, beyond that, 94,059 extensions (99 percent) do not have default-src or connect-src in the CSP defined. These are the parts of the CSP that give developers the ability to restrict which external resources the extensions can access and where the extensions can send the data they collect.
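As an added example (not the page's own code and not CRXcavator's), a small Python checker that applies the findings above to a single manifest.json: all-sites host access, a missing CSP, and a CSP that omits or leaves unrestricted the default-src and connect-src directives. The two manifests at the bottom are constructed for the demonstration.

```python
"""Static checks on a Chrome extension manifest.json, covering the
CRXcavator findings above (added example, not CRXcavator's own code)."""

# Host-permission patterns that grant access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Directives that bound where an extension may load from and send data to.
NETWORK_DIRECTIVES = ("default-src", "connect-src")

def parse_csp(csp: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_manifest(manifest: dict) -> list:
    """Return a list of findings (an empty list means the checks passed)."""
    findings = []
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    if any(p in ALL_SITES for p in perms):
        findings.append("requests access to all data on all websites")
    # Manifest V2 stores the CSP as a string; V3 uses an object per context.
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages")
    if not csp:
        findings.append("no CSP defined")
        return findings
    directives = parse_csp(csp)
    for name in NETWORK_DIRECTIVES:
        if name not in directives:
            findings.append(f"CSP lacks {name}")
        elif any(src in ("*", "http:", "https:") for src in directives[name]):
            # A bare wildcard or scheme source leaves egress unrestricted.
            findings.append(f"CSP {name} allows any origin")
    return findings

WEAK_MANIFEST = {  # constructed: all-sites access, CSP without network limits
    "manifest_version": 2, "name": "Demo (constructed)",
    "permissions": ["tabs", "<all_urls>"],
    "content_security_policy": "script-src 'self'; object-src 'self'",
}
HARDENED_MANIFEST = {  # constructed: one host, CSP restricts loads and egress
    "manifest_version": 3, "name": "Demo (constructed)",
    "host_permissions": ["https://example.com/*"],
    "content_security_policy": {"extension_pages":
        "default-src 'self'; connect-src https://api.example.com; script-src 'self'; object-src 'self'"},
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or ["ok"])
```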

The public beta of CRXcavator can be found here: https://crxcavator.io/