A third of all Chrome extensions request access to user data on any site

Eighty-five percent of all Chrome extensions don't have a privacy policy.
Written by Catalin Cimpanu, Contributor

More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey of over 120,000 Chrome extensions has revealed.

The same survey also found that roughly 85 percent of the 120,000 Chrome extensions listed on the Chrome Web Store don't have a privacy policy listed, meaning there's no legally binding document describing how extension developers commit to handling user data.

Additional survey findings include the fact that 77 percent of the tested Chrome extensions didn't list a support site, 32 percent used third-party JavaScript libraries that contained publicly known vulnerabilities, and nine percent could access and read cookie files, some of which are used for authentication operations.

This gigantic survey was carried out last month by the research team from US cyber-security firm Duo Labs with the help of a new web service they developed and called CRXcavator.

Researchers scanned the entirety of the Chrome Web Store and analyzed the source code and Web Store listings of 120,463 Chrome extensions and apps.

They looked at what permissions extensions requested from users, with what external domains the extensions communicated, if extensions used vulnerable libraries, if they accessed OAuth2 data, checked Content Security Policy (CSP) headers, and if the extension listed any information about its privacy policy or author.
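As an added illustration (not Duo's code, and not how CRXcavator itself scores extensions, which the article does not detail), the following Python check applies three of the criteria above to an extension's manifest.json: host patterns that grant access to every site, the cookies permission, and a declared CSP that allows eval(). Both manifests are constructed samples.

```python
import json

# Constructed sample manifests (not from the article or from CRXcavator).
BROAD_MANIFEST = """{
  "manifest_version": 2, "name": "Example Tab Helper",
  "permissions": ["tabs", "cookies", "storage", "<all_urls>"],
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}"""
SCOPED_MANIFEST = """{
  "manifest_version": 3, "name": "Example Tab Helper",
  "permissions": ["storage"],
  "host_permissions": ["https://intranet.example.com/*"]
}"""

# Match patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host pattern: MV2 'permissions', MV3 'host_permissions', content-script 'matches'."""
    patterns = set()
    for perm in manifest.get("permissions", []):
        if perm == "<all_urls>" or "://" in perm:
            patterns.add(perm)
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns

def declared_csp(manifest):
    """Return the extension-page CSP as a string (MV2 is a string, MV3 an object), or ''."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    return csp

def assess(manifest_text):
    """Return the list of findings a reviewer would want to see for this manifest."""
    m = json.loads(manifest_text)
    findings = []
    if host_patterns(m) & BROAD_HOST_PATTERNS:
        findings.append("can read and change data on every site")
    if "cookies" in m.get("permissions", []):
        findings.append("can read browser cookies, including session cookies")
    if "'unsafe-eval'" in declared_csp(m):
        findings.append("CSP allows 'unsafe-eval', weakening the default extension policy")
    return findings

if __name__ == "__main__":
    print(assess(BROAD_MANIFEST), assess(SCOPED_MANIFEST))
```

The same pattern extends to the other survey criteria that live in the manifest, such as the domains named in host patterns, which can be compared against an allow-list.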

The results of this study are made available today on the CRXcavator web portal, where users can check security reports about their favorite extension, or submit an extension ID and have it scanned if Duo researchers missed it during their Web Store analysis.

But Duo Labs didn't scan all Chrome extensions for no purpose at all. The company also released today the CRXcavator Gatherer Chrome extension.

This extension was developed for enterprise use. System administrators can install the extension on the PCs of company employees, and the extension will gather information on which extensions each employee has installed on their system, and then send this data to a CRXcavator account that system administrators created in advance on the CRXcavator portal.

Sysadmins can review the CRXcavator risk score of each extension users have installed on their systems, and allow or disallow the extension inside their networks with network-wide policies.

"This allows organizations to know exactly what extensions are being used, who is using them and how much risk is brought to the organization by their users' extensions," Duo Labs researchers said in a press release today.

But the CRXcavator Gatherer extension can also be used as a way for employees to request permission before installing a new Chrome extension. All employees have to do is to press a button and enter a reason why they need to install the new extension.

Sysadmins receive this request for installation in their CRXcavator account dashboard, can check the extension's CRXcavator risk score, and allow its installation inside their network.

The need to control what extensions employees use is a growing factor for modern enterprises. With a market share of over 60 percent, Chrome is a huge attack surface that criminal groups tend to exploit.

Criminal groups are known to buy extensions from developers who lost interest in maintaining them, and to launch spear-phishing attacks in the hopes of hijacking an extension developer's account so they can push malicious code.

From small to large, companies need to keep an eye on Chrome extensions nowadays, as there's always the danger of one being used for industrial espionage or fraud.

[Image: Duo Labs infographic on CRXcavator]
