Cisco Secure Democratizes Extension Security for Firefox and Edge

Duo Labs, May 5th, 2021. Jacob Rickerd, Peter Jackson, Lillian Lu, Josephine Sulimin

Two years ago, we released CRXcavator (pronounced crux-cavator), a free tool that examines the security hygiene and risks of Chrome extensions, looking at criteria such as permissions and security policy, and empowers users to make informed decisions about the extensions they use. Originally released as a Duo Labs project, CRXcavator is now provided by the same team within Cisco Secure.

Over the last two years, CRXcavator has helped make the browser ecosystem safer and more transparent by providing developers, users, and organizations with consistent and consumable information regarding potential extension security risks. Security teams at organizations such as Lyft and Datadog have adopted the tool as part of their security strategies; researchers have used CRXcavator to help Google uncover and take down hundreds of malicious extensions; and hundreds of thousands of security-conscious users have utilized the tool in their personal and professional lives to improve their security posture.

After democratizing extension security for Chrome, we are thrilled to announce a major update to CRXcavator that adds support for Mozilla Firefox and the beta version of the Microsoft Edge Add-ons site. CRXcavator will now continuously scan the Firefox add-on and Edge extension stores as it does for Chrome, generating and updating CRXcavator reports for all extensions, as well as scanning newly-added ones as they become available. This addition greatly expands the scope and accessibility of the tool and more thoroughly secures users. It enables the tool to provide up-to-date security assessments with a potential risk score, alerting the user to possible red flags and risks that extensions may introduce. We’ve also updated the user interface to ensure consistency across reports.

Why Extension Security?

Browser extensions have an incredible amount of access to user data and, if not properly accounted for, can quickly become a security blind spot. Earlier this year, a browser extension used by millions of users was removed from the Chrome Web Store for containing malware. “The Great Suspender,” as it was named, had recently been sold by its old maintainer to an unknown third party with malicious intent; the new maintainers added potentially malicious code and a new permission. This prompted Chrome to ask users to accept the new permission, which alerted the community and ultimately pressured the new maintainer to revert the change. The extension stayed under the new maintainer’s control until Google blocked and removed it from the Chrome Web Store in January. The downfall of this once-trustworthy extension, and the risks it was able to introduce in a short amount of time, demonstrates that browser extension security is an important issue in today’s evolving threat landscape, and that users and organizations must remain vigilant.

We launched CRXcavator with this exact problem in mind. However, Chrome isn’t the only browser that gives extensions the option to access large amounts of user data. The Great Suspender was available on Microsoft Edge alongside Chrome, and in January 2020 Firefox was found to have potentially malicious add-ons.

State of the Web Stores

Back when we first launched, we scanned 120,463 Chrome extensions to see what unsafe practices might be exposing organizations to risk. This number has since increased to 165,365 Chrome extensions and apps. Since we last compiled our metrics on the Chrome Web Store in 2019, Chrome has taken steps to improve the security of its extensions and encourage safer practices among creators. There have been a few particularly noteworthy changes that signal a positive shift in Chrome extension safety. We’ve scanned around 42,000 new Chrome extensions over the past two years and found that, overall, a smaller percentage of scanned extensions read your data on any site and cookies compared to 2019.

A significantly larger percentage of extensions use third-party JavaScript libraries with publicly known vulnerabilities as detected by RetireJS, and a slightly larger percentage have both publicly known vulnerabilities and can read your data from any site, as shown in the chart below. Although this may seem like a significant increase, it may just be a consequence of RetireJS finding new vulnerabilities in existing extensions over time, and not a dramatic shift in the number of developers adding outdated third-party libraries to their extensions. Additionally, a larger percentage provide users with a privacy policy and a support site to contact.
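The two manifest-level signals the metrics above track (an extension that can read your data on any site, and one that requests the cookies permission) can be checked directly from an extension's manifest.json. The following is an added illustration, not CRXcavator's own code: it reads a manifest, collects host patterns from wherever a Manifest V2 or V3 extension can declare them (including content-script matches, which also grant page access), and flags the broad-access patterns. The sample manifests are constructed for the example.

```python
import json

# Match patterns that cover every http(s) origin, i.e. "read your data on any site".
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host pattern the extension declares, regardless of manifest version.

    MV2 lists host patterns inside "permissions"; MV3 moves them to "host_permissions".
    Content scripts declare their own "matches", which also give access to page content.
    Optional (runtime-requested) permissions are deliberately not counted here.
    """
    patterns = set()
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def assess(manifest_json):
    """Return the risk flags for one manifest: broad site access and cookie access."""
    manifest = json.loads(manifest_json)
    hosts = host_patterns(manifest)
    return {
        "reads_any_site": bool(hosts & ALL_SITES_PATTERNS),
        "cookies": "cookies" in manifest.get("permissions", []),
        "host_patterns": sorted(hosts),
    }


# Constructed sample manifests (not real extensions).
MV2_BROAD = json.dumps({"manifest_version": 2, "name": "sample-a",
                        "permissions": ["cookies", "storage", "<all_urls>"]})
MV3_SCOPED = json.dumps({"manifest_version": 3, "name": "sample-b",
                         "permissions": ["storage"],
                         "host_permissions": ["https://example.com/*"],
                         "content_scripts": [{"matches": ["https://example.com/*"], "js": ["cs.js"]}]})
# Broad access hidden in a content script rather than in the permission lists.
MV3_HIDDEN_BROAD = json.dumps({"manifest_version": 3, "name": "sample-c",
                               "permissions": ["storage"],
                               "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]})

if __name__ == "__main__":
    for sample in (MV2_BROAD, MV3_SCOPED, MV3_HIDDEN_BROAD):
        print(assess(sample))
```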