A third of Chrome extensions use libraries with known vulnerabilities, a handy new tool finds

  • Liam Tung (CSO Online)
  • 22 February, 2019 09:34

Researchers at Cisco-owned Duo Security have discovered extensions in Google’s Chrome Web Store are riddled with security bugs and privacy risks that probably make them unfit for business.  

The good news is that admins can now use the same tool Duo did to quickly assess whether a particular Chrome extension should, or definitely should not, be whitelisted for use on an organization’s network and devices.

That tool, CRXcavator (CHrome eXtension excavator), is currently in beta and promises to address a bottleneck security teams may face in vetting Chrome extensions and risky permissions. It could also allow organizations to take a finer-grained, risk-based approach to extensions rather than banning them outright. 

Extensions in the Chrome Web Store now exceed 180,000 and the sheer number of them that employees may want to use on Chrome would likely make it difficult for a security team to vet every extension on staff wishlists. Extensions can also change over time. Scammers have in the past acquired popular extensions from developers and made them rogue. And occasionally extension developer accounts get hacked too. 

Duo researchers in January used CRXcavator to scan 120,463 extensions and apps in the Chrome Web Store. What it uncovered is ugly and should prompt admins to review what extensions are running in Chrome on corporate devices. 

Just under a third, or 38,289, used third-party software libraries that contained publicly known vulnerabilities. CRXcavator also assessed whether extensions have a privacy policy and an associated support site. Nearly 85 percent, or 102,029 extensions, did not have a privacy policy available, while 77 percent, or 93,080, didn’t have a support site listed.

It appears a large number of developers have only half-baked Content Security Policies (CSP) for Chrome extensions. The CSP ensures an extension only has access to the external resources it needs to run. In turn, it restricts the kinds of code loading that lead to common web app vulnerabilities. Duo Security found that 95,000 extensions support CSP, yet 78 percent, or 74,403, do not have a CSP defined.
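To make the CSP point concrete, here is an added example (not CRXcavator's code) of the kind of manifest check a reviewer could run: it reads an extension's manifest.json, reports when no `content_security_policy` is declared (the extension then relies on Chrome's default policy), and flags `script-src` entries that weaken the policy. The manifests are constructed for illustration and do not belong to any real extension.

```python
import json

# Constructed sample manifests (not from any real extension) to exercise the checks.
MANIFEST_NO_CSP = json.dumps({"manifest_version": 2, "name": "Sample A", "permissions": ["tabs"]})
MANIFEST_WEAK_CSP = json.dumps({
    "manifest_version": 2, "name": "Sample B",
    "content_security_policy": "script-src 'self' 'unsafe-eval' https://*; object-src 'self'",
})
MANIFEST_OK_CSP = json.dumps({
    "manifest_version": 3, "name": "Sample C",
    "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"},
})

RISKY_TOKENS = ("'unsafe-eval'", "'unsafe-inline'")


def _extract_policy(manifest: dict) -> str:
    """Return the extension-page CSP string, or '' when none is declared.
    Manifest V2 stores it as a string; Manifest V3 stores an object keyed by context."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        return csp.get("extension_pages", "")
    return csp if isinstance(csp, str) else ""


def _directive(policy: str, name: str) -> list:
    """Return the source list of one directive (e.g. 'script-src'), or [] if absent."""
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return []


def assess_csp(manifest_json: str) -> list:
    """Return findings for the manifest's CSP; an empty list means nothing was flagged."""
    policy = _extract_policy(json.loads(manifest_json))
    if not policy.strip():
        # Without a declared policy the extension falls back to Chrome's default CSP.
        return ["no content_security_policy defined"]
    findings = []
    script_src = _directive(policy, "script-src")
    if not script_src:
        findings.append("script-src directive missing")
    for tok in script_src:
        if tok in RISKY_TOKENS:
            findings.append(f"script-src allows {tok}")
        elif tok == "*" or tok.startswith("https://*"):
            findings.append(f"script-src allows wildcard host {tok}")
    if not _directive(policy, "object-src"):
        findings.append("object-src directive missing")
    return findings
```

Running `assess_csp` over each sample returns one finding for Sample A, two for Sample B and none for Sample C.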

The stats show that Duo Security is right in believing a gap exists between what Google deems safe enough for the Chrome Web Store and what businesses consider acceptable given their appetite for risk.

The extension analyzer tool scans the Chrome Web Store continually, so its results should be up to date for enterprises to assess against user requests.

The company has also released the “CRXcavator Gatherer” Chrome extension, a tool for admins to deploy in the organization to gather usage stats about other Chrome extensions installed on company machines. It offers visibility into which extensions are commonly used and which are installed by only a few users. Common extensions might be justifiable, while rare ones might be poor candidates for an approve-list. It also sends data about the version of an extension being used and links it to the user signed into Chrome.

“This allows organizations to know exactly what extensions are being used, who is using them and how much risk is brought to the organization by their users’ extensions,” notes Duo Security.

The extension works on macOS, Windows and ChromeOS. Duo believes that combined with G Suite admin controls, it will be easier for organizations to implement allow-lists and bring it up to par with Windows. 

Another feature called "CRXcavator Gatherer: User Extension Requesting" is designed to help admins more efficiently handle user requests to whitelist a Chrome extension. 

Instead of users emailing requests to a gatekeeper and explaining a business justification, extensions that haven’t been whitelisted for a specific domain will trigger a notification on the install screen explaining it is not yet whitelisted. Users then simply click a button to request it be vetted and on a following page they write a business justification and click a “request approval” button.