More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey of over 120,000 Chrome extensions has revealed.
This gigantic survey was carried out last month by the research team from US cyber-security firm Duo Labs with the help of a new web service they developed and called CRXcavator.
Researchers scanned the entirety of the Chrome Web Store and analyzed the source code and Web Store listings of 120,463 Chrome extensions and apps.
The results of this study are made available today on the CRXcavator web portal, where users can check security reports about their favorite extension, or submit an extension ID and have it scanned if Duo researchers missed it during their Web Store analysis.
But Duo Labs didn't scan all Chrome extensions merely for the statistics. The company also released today the CRXcavator Gatherer Chrome extension.
This extension was developed for enterprise use. System administrators can install it on the PCs of company employees; the extension gathers information on which extensions each employee has installed and sends this data to a CRXcavator account that the administrators created in advance on the CRXcavator portal.
Sysadmins can review the CRXcavator risk score of each extension users have installed on their systems, and allow or disallow the extension inside their networks with network-wide policies.
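The survey's headline finding (extensions that can read all data on any website) comes down to the host match patterns an extension declares. The script below, an added example and not CRXcavator's own scoring logic (which the article does not publish), parses a manifest.json and flags all-origin access, whether it arrives through declared host permissions or through content script `matches`; the pattern lists, API selection and weights are assumptions chosen for this example.

```python
import json

# Match patterns that cover every http(s) origin. Assumption: my own list,
# not CRXcavator's criteria.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that widen what an extension can observe or alter once it
# already runs on every page (again my own selection for this example).
HIGH_RISK_APIS = {"webRequest", "webRequestBlocking", "cookies", "history",
                  "tabs", "debugger", "proxy", "nativeMessaging", "management"}


def host_patterns(manifest):
    """Return every host pattern the extension can act on: declared host
    permissions (MV2 'permissions' / MV3 'host_permissions') plus the
    'matches' of each content script, which also grant page access."""
    pats = []
    for key in ("permissions", "host_permissions"):
        pats += [p for p in manifest.get(key, []) if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats


def reads_all_sites(manifest):
    """True when any pattern grants access to every site, i.e. the manifest
    triggers Chrome's 'read and change all your data on all websites' warning."""
    return any(p in ALL_SITES for p in host_patterns(manifest))


def risk_report(manifest_json):
    """Parse a manifest.json string and return findings plus a simple
    additive score (heuristic weights chosen for this example)."""
    m = json.loads(manifest_json)
    apis = set(m.get("permissions", [])) & HIGH_RISK_APIS
    all_sites = reads_all_sites(m)
    score = (50 if all_sites else 0) + 10 * len(apis)
    return {"name": m.get("name"), "reads_all_sites": all_sites,
            "high_risk_apis": sorted(apis), "score": score}


# Constructed sample manifests, not real Web Store extensions.
BROAD = json.dumps({"name": "Sample Broad", "manifest_version": 2,
                    "permissions": ["tabs", "webRequest", "<all_urls>"]})
# Narrow host permission, but the content script still runs on every site.
NARROW_HOSTS = json.dumps({"name": "Sample Narrow", "manifest_version": 3,
                           "host_permissions": ["https://mail.example.com/*"],
                           "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]})

if __name__ == "__main__":
    for doc in (BROAD, NARROW_HOSTS):
        print(risk_report(doc))
```

The second sample shows why host permissions alone are a poor proxy: a content script matching `*://*/*` reads every page just as `<all_urls>` does.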
"This allows organizations to know exactly what extensions are being used, who is using them and how much risk is brought to the organization by their users' extensions," Duo Labs researchers said in a press release today.
But the CRXcavator Gatherer extension can also be used as a way for employees to request permission before installing a new Chrome extension. All employees have to do is to press a button and enter a reason why they need to install the new extension.
Sysadmins receive this request for installation in their CRXcavator account dashboard, can check the extension's CRXcavator risk score, and allow its installation inside their network.
The need to control what extensions employees use is a growing concern for modern enterprises. With a market share of over 60 percent, Chrome is a huge attack surface that criminal groups tend to exploit.
Criminal groups are known to buy extensions from developers who lost interest in maintaining them, and to launch spear-phishing attacks in the hopes of hijacking an extension developer's account so they can push malicious code.
The researcher also created a tool that lets users test if their extensions also contain vulnerable APIs that can be exploited by malicious websites. More details about Somé's work are available in a research paper entitled "EmPoWeb: Empowering Web Applications with Browser Extensions," available for download in PDF format from here or here.