New Service From Cisco's Duo Labs Analyzes Chrome Extensions

Duo Labs, part of Cisco-owned Duo Security, has launched a new service designed to analyze Chrome extensions and deliver security reports on them. 

Dubbed CRXcavator and released in beta, the tool seeks to provide consumers and enterprise users alike with actionable intelligence on the large number of available Chrome extensions by scanning the Chrome Web Store on an ongoing basis. 

The tool can analyze extension permissions and their implications and also evaluates extensions from several other angles. 

Although Chrome users are asked to approve permissions for installed extensions, many people grant permissions without much consideration, a risky behavior when installing extensions in enterprise environments. Security teams, however, usually lack the capabilities of investigating extensions. 

 “We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis,” Duo explains. 

The service looks at sites the extension’s code likely makes external requests to and also identifies domains the extension can communicate with. It also analyzes third-party JavaScript libraries for vulnerabilities and lets users look into the code of externally included JavaScript files. 

CRXcavator also scans for potentially dangerous functions and possible “entry points” for attackers, adds extension metadata to generated reports, and identifies related extensions to help analysts find alternatives to shady or risky extensions. 

“With all these perspectives included, a CRXcavator report equips a security operations analyst to make a well-informed decision about whether to allow or block an extension,” Duo says.

The service also provides users with the option of creating accounts and linking them to groups. Enterprises can leverage these groups to manage Chrome extension whitelists, set threat intelligence keys, gain visibility into extensions used within their environments, and more. 

Furthermore, CRXcavator provides users with the option to request approval for extensions that haven’t been included in an enterprise’s whitelist. 

After scanning the Chrome Web Store in January 2019, the security firm discovered and processed 120,463 extensions and apps, many containing various issues, such as the lack of a listed privacy policy (84.7%) or support site (77.3%), or the use of vulnerable third-party libraries (31.8%).

Most of the 95k extensions in the Web Store that support Content Security Policies (99%) do not have default-src or connect-src in the CSP defined (these allow developers restrict the external resources the extension can access). In fact, 78.3% do not have a CSP defined, Duo says

Related: Google Tightens Rules for Chrome Extensions

Related: Google Removes Inline Installation of Chrome Extensions

Original author: Ionut Arghire