Cisco-owned Duo Security has described how Google Chrome extensions from the Web Store are loaded with security bugs that create privacy risks. Thousands of extensions have these issues and the team says most are unfit for use in enterprise situations.
Duo Security says IT admins should not be too concerned, as there is a tool available to see which extensions are affected. Called CRXcavator (CHrome eXtension excavator), the tool was used by Duo to decide which extensions should be whitelisted.
It is a beta solution that allows admins to take a granular approach to extension security in Chrome. There are 180,000 extensions available in the Web Store and many of them are extremely useful to organizations. However, developers are seemingly not taking security seriously, as Duo discovered.
“This allows organizations to know exactly what extensions are being used, who is using them and how much risk is brought to the organization by their users' extensions,” notes Duo Security.
Through January, the company used CRXcavator to monitor 120,463 extensions on the browser. The results are startling, showing 38,289 extensions used third-party software libraries that are known to have security vulnerabilities.
Just this week, we reported on a situation where Chrome extensions are loaded with adware. Security firm Kaspersky Lab reports Chrome extension developers are now using ads. Again, most users may be willing to accept ads for a free service, but Kaspersky says many developers are aggressively placing ads and creating extensions loaded with adware.
If you are unfamiliar with the term, adware basically refers to an app or website that bombards the user with ads.