New Service From Cisco’s Duo Labs Analyzes Chrome Extensions
Duo Labs, part of Cisco-owned Duo Security, has launched a new service designed to analyze Chrome extensions and deliver security reports on them.
Dubbed CRXcavator and released in beta, the tool seeks to provide consumers and enterprise users alike with actionable intelligence on the large number of available Chrome extensions by scanning the Chrome Web Store on an ongoing basis.
The tool can analyze extension permissions and their implications and also evaluates extensions from several other angles.
Although Chrome users are asked to approve permissions for installed extensions, many people grant permissions without much consideration, a risky behavior when installing extensions in enterprise environments. Security teams, however, usually lack the capabilities of investigating extensions.
“We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis,” Duo explains.
CRXcavator also scans for potentially dangerous functions and possible “entry points” for attackers, adds extension metadata to generated reports, and identifies related extensions to help analysts find alternatives to shady or risky extensions.
“With all these perspectives included, a CRXcavator report equips a security operations analyst to make a well-informed decision about whether to allow or block an extension,” Duo says.
The service also provides users with the option of creating accounts and linking them to groups. Enterprises can leverage these groups to manage Chrome extension whitelists, set threat intelligence keys, gain visibility into extensions used within their environments, and more.
Furthermore, CRXcavator provides users with the option to request approval for extensions that haven’t been included in an enterprise’s whitelist.
Most of the 95k extensions in the Web Store that support Content Security Policies (99%) do not have default-src or connect-src in the CSP defined (these allow developers restrict the external resources the extension can access). In fact, 78.3% do not have a CSP defined, Duo says.