A third of Chrome extensions want access to all user data

More than a third of all extensions for Google Chrome ask users for permission to access all their data on any site. This is the finding of a recent study of the more than 120,000 Chrome extensions. Roughly 85 percent of these extensions appear to have no privacy policy.

Last month, the research team of the American cyber security company Duo Labs conducted an extensive investigation into the more than 120,000 extensions that can be found in the Chrome Web Store. The researchers did this with the help of a new web service that they developed: CRXcavator. The service scanned and analysed all Chrome extensions and apps.

Extensive research

The study looked, among other things, at the permissions that extensions require from users. The researchers also looked at the external domains with which the extensions communicate, whether they use vulnerable libraries, whether they have access to OAuth2 data, their Content Security Policy (CSP) headers, and whether the extension contained information about its privacy policy and its developer.

The results of that research were made available today on the CRXcavator web portal. There, users can see the results for their favorite extension. The research shows that one third of the extensions require access to all activities of users on the Internet. Furthermore, 77 percent of the extensions did not refer to a support site. Also, 32 percent included a JavaScript library that contained publicly known vulnerabilities, and 9 percent of the extensions were able to access cookies.
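Several of the checks listed above (access to all sites, cookie access, OAuth2 data, CSP) can be read straight from an extension's manifest.json. The following Python script is an added example, not CRXcavator's code; the function name `audit_manifest` and the sample manifest are constructed for illustration.

```python
import json

# Match patterns that grant an extension access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return manifest-level risk signals for one extension (hypothetical helper)."""
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    declared = []
    for key in ("permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts are injected into every page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # Manifest V3 stores the policy per context
        csp = csp.get("extension_pages")
    return {
        "all_sites": sorted(BROAD_PATTERNS & set(declared)),
        "cookies": "cookies" in declared,
        "oauth2_scopes": manifest.get("oauth2", {}).get("scopes", []),
        # False means the manifest sets no policy and Chrome's default applies.
        "csp_defined": bool(csp),
        "csp_unsafe_eval": isinstance(csp, str) and "'unsafe-eval'" in csp,
    }

# Constructed sample manifest (not a real extension).
SAMPLE = json.loads("""
{
  "manifest_version": 2,
  "name": "Example Coupon Helper",
  "version": "1.0",
  "permissions": ["cookies", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
  "oauth2": {"client_id": "placeholder.apps.googleusercontent.com",
             "scopes": ["https://www.googleapis.com/auth/userinfo.email"]}
}
""")

if __name__ == "__main__":
    for signal, value in audit_manifest(SAMPLE).items():
        print(f"{signal}: {value}")
```

Run against the manifests of the extensions installed in a browser profile, the same function gives an administrator a quick inventory of which ones request access to every site or to cookies.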

Business extension

Duo Labs is also launching its own extension today: the CRXcavator Gatherer Chrome extension. It is designed for business use and can be installed by system administrators on a user’s device. The extension then collects information about all other extensions on the device, as well as the associated security risks.

This enables organizations to know exactly which extensions are being used, who is using them and what risks they entail, according to the researchers at Duo Labs in a statement. CRXcavator Gatherer also lets staff ask for permission to install a certain extension. That is needed, because this kind of thing is one of the many security risks that companies have to deal with.

This news article was automatically translated from Dutch.