A third of all Chrome extensions request access to user data on any site
More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey of over 120,000 Chrome extensions has revealed.
This gigantic survey was carried out last month by the research team from US cyber-security firm Duo Labs with the help of a new web service they developed and called CRXcavator.
Researchers scanned the entirety of the Chrome Web Store and analyzed the source code and Web Store listings of 120,463 Chrome extensions and apps.
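The survey's headline number rests on one check: does an extension's manifest request host access to every site the user visits? The script below is an added example, not Duo Labs' code and not CRXcavator's scoring logic. It reads Chrome manifest files (both manifest v2, where host patterns live in `permissions`, and v3, where they move to `host_permissions`), also counts content-script `matches`, flags the catch-all patterns such as `<all_urls>` and `*://*/*`, and computes the share of a batch that requests all-site access. The three sample manifests are constructed for the example and are not real Web Store listings; the set of "all sites" patterns is the editor's own heuristic.

```python
import json

# Match patterns that cover every site the user visits. Assumption: this list
# is the editor's own heuristic, not CRXcavator's scoring criteria.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_all_sites(pattern: str) -> bool:
    """True if a Chrome match pattern grants access to every host on the web."""
    p = pattern.strip()
    if p in ALL_SITES_PATTERNS:
        return True
    if "://" not in p:
        return False
    scheme, rest = p.split("://", 1)
    host, _, path = rest.partition("/")
    # A wildcard host with a catch-all (or empty) path is equivalent to *://*/*
    return scheme in ("*", "http", "https") and host == "*" and path in ("*", "")


def host_patterns(manifest: dict) -> set:
    """Collect every host-scoped match pattern across manifest v2 and v3 keys.

    v2 lists host patterns under "permissions"; v3 moves them to
    "host_permissions". Content-script "matches" also give the extension's
    code read access to matching pages, so they count as well.
    """
    found = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                found.add(entry)
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def assess(manifest: dict) -> dict:
    """Summarise one extension's host reach."""
    hosts = host_patterns(manifest)
    broad = sorted(h for h in hosts if is_all_sites(h))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "all_sites": bool(broad),
        "broad_patterns": broad,
        "host_patterns": sorted(hosts),
    }


def share_requesting_all_sites(manifests: list) -> float:
    """Fraction of manifests that request access to every site (0.0 if none given)."""
    if not manifests:
        return 0.0
    return sum(assess(m)["all_sites"] for m in manifests) / len(manifests)


# Constructed sample manifests for this example (not real Web Store listings).
SAMPLE_MANIFESTS = [
    json.loads("""{"manifest_version": 2, "name": "Sample Tab Helper",
        "permissions": ["tabs", "<all_urls>"]}"""),
    json.loads("""{"manifest_version": 3, "name": "Sample Page Styler",
        "host_permissions": ["*://*.example.com/*"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["style.js"]}]}"""),
    json.loads("""{"manifest_version": 3, "name": "Sample Notes",
        "permissions": ["storage"]}"""),
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        r = assess(m)
        flag = "ALL SITES" if r["all_sites"] else "scoped"
        print(f'{r["name"]:<20} v{r["manifest_version"]}  {flag:<9} {r["broad_patterns"]}')
    print(f"share requesting all sites: {share_requesting_all_sites(SAMPLE_MANIFESTS):.0%}")
```

Note that the second sample is scoped to `example.com` in `host_permissions` but still lands in the "all sites" bucket because its content script matches every HTTPS page; a review that only looks at the permissions keys would miss that.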
The results of this study are made available today on the CRXcavator web portal, where users can check security reports about their favorite extension, or submit an extension ID and have it scanned if Duo researchers missed it during their Web Store analysis.
Duo Labs didn’t scan the whole Web Store just for the survey. The company also released today the CRXcavator Gatherer Chrome extension.
This extension was developed for enterprise use. System administrators can install it on the PCs of company employees; it gathers information on which extensions each employee has installed and sends this data to a CRXcavator account that the administrators created in advance on the CRXcavator portal.
Sysadmins can review the CRXcavator risk score of each extension users have installed on their systems, and allow or disallow the extension inside their networks with network-wide policies.
“This allows organizations to know exactly what extensions are being used, who is using them and how much risk is brought to the organization by their users’ extensions,” Duo Labs researchers said in a press release today.
But the CRXcavator Gatherer extension can also be used as a way for employees to request permission before installing a new Chrome extension. All employees have to do is to press a button and enter a reason why they need to install the new extension.
Sysadmins receive this request for installation in their CRXcavator account dashboard, can check the extension’s CRXcavator risk score, and allow its installation inside their network.
The need to control what extensions employees use is a growing factor for modern enterprises. With a market share of over 60 percent, Chrome is a huge attack surface that criminal groups tend to exploit.
Criminal groups are known to buy extensions from developers who lost interest in maintaining them, and to launch spear-phishing attacks in the hopes of hijacking an extension developer’s account so they can push malicious code.