A recent survey of more than 120,000 Chrome extensions has found that over a third of them ask users for permission to read their data on every website they visit.
The survey was carried out by Duo Labs, the research arm of Duo Security, using CRXcavator, a new free web service that Duo built for the purpose. CRXcavator is intended to help users, enterprises and developers improve their Chrome extension security hygiene.
The service let the researchers scan the Chrome Web Store in its entirety: 120,463 extensions and apps in January 2019. They found that many developers are not consistently ensuring the security of the third-party libraries they bundle, limiting access to user data to the minimum the extension needs to function, or documenting the privacy implications of their extensions.
Of the roughly 95,000 extensions in the Web Store that supported Content Security Policies at the time of Duo's analysis, 74,403 (78.3 percent) do not define a CSP at all, and 94,059 (99 percent) do not set default-src or connect-src in whatever CSP they have. These are the directives that let a developer restrict which external resources the extension can load and where it can send the data it collects. An extension that defines no CSP of its own still gets Chrome's default policy for extension pages (script-src 'self'; object-src 'self'), which constrains where scripts come from but places no restriction on outbound connections.
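The two hygiene checks described above, the all-sites host permission and the missing or permissive default-src/connect-src directives, can be expressed as a small manifest linter. The code below is an added example written for this article, not CRXcavator's own code; the two sample manifests are constructed, and the field names follow Chrome's manifest format (host patterns in "permissions" or "host_permissions", the policy in "content_security_policy", as a string in Manifest V2 or under "extension_pages" in V3).

```javascript
// Added example (not part of CRXcavator): lint a Chrome extension manifest for
// all-sites host access and for a missing or permissive CSP.

// Match patterns that grant access to every website. <all_urls> and the three
// scheme wildcards are the documented forms that do so.
const ALL_SITES_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Parse a CSP string such as "default-src 'self'; connect-src https://a.example"
// into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source expressions that let a fetch directive reach any origin: the bare
// wildcard, a bare scheme, or a scheme with a wildcard host.
function isWildcardSource(src) {
  const s = src.toLowerCase();
  return s === "*" || s === "http:" || s === "https:" || s === "ws:" || s === "wss:"
    || s.startsWith("http://*") || s.startsWith("https://*")
    || s.startsWith("ws://*") || s.startsWith("wss://*");
}

// Return a list of human-readable findings; an empty list means both checks passed.
function auditManifest(manifest) {
  const findings = [];

  // Host patterns live in "permissions" (V2) or "host_permissions" (V3).
  const hostPerms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broad = hostPerms.filter((p) => ALL_SITES_PATTERNS.has(p));
  if (broad.length > 0) {
    findings.push(`all-sites host permission requested: ${broad.join(", ")}`);
  }

  // V2 carries the policy as a string; V3 wraps it in an object.
  const cspField = manifest.content_security_policy;
  const csp = cspField && typeof cspField === "object" ? cspField.extension_pages : cspField;
  if (typeof csp !== "string" || csp.trim() === "") {
    findings.push("no content_security_policy defined; Chrome's default "
      + "(script-src 'self'; object-src 'self') does not restrict outbound connections");
    return findings;
  }

  const directives = parseCsp(csp);
  if (!directives.has("default-src") && !directives.has("connect-src")) {
    findings.push("CSP sets neither default-src nor connect-src, so outbound connections are unrestricted");
  }
  for (const name of ["default-src", "connect-src"]) {
    const sources = directives.get(name);
    if (sources && sources.some(isWildcardSource)) {
      findings.push(`${name} allows any origin (${sources.join(" ")})`);
    }
  }
  return findings;
}

// Constructed sample manifests: one with the weak settings the survey counted,
// one hardened to a single API host.
const WEAK_MANIFEST = {
  manifest_version: 2,
  name: "Example Weak Extension",
  permissions: ["tabs", "<all_urls>"],
};

const HARDENED_MANIFEST = {
  manifest_version: 2,
  name: "Example Hardened Extension",
  permissions: ["tabs", "https://api.example.com/*"],
  content_security_policy:
    "default-src 'self'; connect-src https://api.example.com; script-src 'self'; object-src 'self'",
};

console.log("weak:", auditManifest(WEAK_MANIFEST));
console.log("hardened:", auditManifest(HARDENED_MANIFEST));
```

Run with `node` on a manifest.json loaded via `JSON.parse`; the weak manifest produces two findings (all-sites access and no CSP), the hardened one produces none. A CSP that only sets script-src and object-src, which is what most extensions that do define one look like, still trips the "neither default-src nor connect-src" check.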
The public beta of CRXcavator is available at https://crxcavator.io/