Evaluating Chrome Extension Security

19 November, 2023 T3w9d9Qr 0 Comments

Google Chrome Extension Security Check

Chrome extensions can have access to a user’s sensitive data. Extensions are also susceptible to cyberattacks.

During the installation workflow, many users grant permissions to an extension without much consideration. This is why it is crucial for IT teams to evaluate the risk of every extension before allowing them on their managed devices.

Check for Vulnerabilities

Chrome extensions are small plugin apps that reside inside a browser and can extend its capabilities. These apps can add a wide variety of functionalities to Google Chrome like password management, bookmark storage and translation services. But, they can also expose users to hackers who could intercept user information and personal data.

To help prevent this from happening, it is important to check for vulnerabilities in extension code before installing them. Chrome extensions are built on web technology and JavaScript so, unless they’ve been obfuscated, the code is usually readable.

The best way to verify an extension’s security is by checking its developer’s legitimacy and looking at the description on the Chrome Web Store. The description should include a full list of permissions that the extension is granted and explain what it can do with your data. It should also note whether it’s collecting or transferring information to external servers. This way, you can evaluate the risk level of the extension’s functionality and decide whether or not to grant it access.

Check for Injections

The Google Web Store vets extensions for security issues before they can be approved. But attackers are able to trick this process with relatively little effort.

Once a malicious extension is installed, it can do anything from collecting browsing data to stealing user credentials. This is why it’s important for teams to review extensions regularly, not just when they first download them, but also after updates are pushed out.

One of the best ways to evaluate if an extension is safe is by looking at its source code. This can reveal whether there are risky or dangerous snippets of code that may expose users to malware and phishing attacks. It can also help teams determine whether an extension’s permissions level are appropriate for their work environment. Luckily, Duo Labs has just released a new tool that can automate this review and scan the full Chrome Web Store on an ongoing basis: CRXcavator. Duo is proud to partner with Google as a Chrome Enterprise customer to bring this tool to life and make it easier for teams to stay on top of their extensions.

Check for Cross-site Scripting

As extensions allow people to give them more and more permissions it’s important that they don’t steal data or otherwise violate users privacy. The prudent enterprise security team would evaluate every new extension before allowing it to enter the install workflow but that’s probably unrealistic.

For example the fun extension Meow, The Cat Pet was promoted in Chrome’s “Fun” section and had 200 thousand installs but had a Cross-site Scripting vulnerability that could let malicious websites inject arbitrary JavaScript code into Web pages visited by users of the extension. A one time visit from a malicious website was all it took to compromise a user’s browser integrity permanently.

It’s also worth looking at whether the extension has a professionally made website which gives it credibility and enables you to find if there are more details about the extension online. Also check whether it uses blob:// URLs for downloads which can be used to expose the contents of a PDF file or other sensitive information.

Check for Malware

Extensions often ask for a wide range of permissions to function. A prudent enterprise security team would evaluate every permission request before allowing the user to finish the extension install flow. But the reality is that this type of review is impractical for most organizations.

An extension’s functionality can change over time, and a malicious third party may be able to add malware or risky code snippets. This is one reason why Duo Labs recommends checking an extension’s reviews and the extension source code before installing it.

Chrome 117 will include a new feature that will alert users when an extension they previously installed has been unpublished by its developer, taken down for violating Chrome Web Store policies, or marked as malware. This is a great tool for helping to keep the browser and its extensions free of malware. It’s also a reminder to regularly check and update existing extensions to prevent them from becoming outdated and vulnerable to hackers.

Redirect to the main interface

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Ashley M. Arwood 

Ashley M. Arwood is a remarkable figure in the tech industry, a passionate advocate for innovation and equality. With a diverse background that blends technology, social justice, and entrepreneurship, Ashley has made a significant impact on the way we perceive and interact with the ever-evolving digital world. Her journey is not just one of professional success but a testament to the power of tenacity, creativity, and the unwavering commitment to making the tech world a more equitable place.