Browser extensions, like any other piece of software, can be abused or manipulated by hackers for malicious purposes. Duo Security wants to make it harder for that to happen.
The company on Thursday released a beta version of a tool, CRXcavator, that screens extensions for Google Chrome, the world’s most popular web browser, for malicious code.
“As our portal to the internet, browsers represent what is likely the largest common attack surface across consumers and businesses alike,” the Cisco-owned company said in a blog post.
Extensions are handy for navigating the web, and some even offer important security features, but they can also give third parties access to a lot of user data. The new tool takes a stab at that security challenge by letting a user enter a Chrome extension and then returning a risk score for the application based on the permissions it requests on a computer.
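To make the permission-based scoring idea concrete, here is an added example (not CRXcavator's code, and the weights are an assumption chosen for illustration) that reads a Chrome extension's manifest.json and rates it by the reach its permissions, host patterns and content scripts give it:

```python
import json

# Assumed weights: broad host access and network/cookie/history APIs score
# highest because they let an extension read or modify what the user sees.
PERMISSION_WEIGHTS = {
    "<all_urls>": 40, "*://*/*": 40, "http://*/*": 30, "https://*/*": 30,
    "webRequest": 20, "webRequestBlocking": 20, "nativeMessaging": 25,
    "cookies": 15, "history": 15, "management": 15, "tabs": 10,
    "clipboardRead": 10, "downloads": 5, "storage": 1, "alarms": 1,
}
HOST_PATTERN_WEIGHT = 5      # any narrower host match pattern
BROAD_CONTENT_SCRIPT = 25    # a content script injected into every page
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def score_manifest(manifest):
    """Return (score, findings) for a parsed manifest.json dict (MV2 or MV3)."""
    perms = list(manifest.get("permissions", []))
    perms += manifest.get("optional_permissions", [])
    perms += manifest.get("host_permissions", [])   # MV3 keeps host patterns here
    findings, score = [], 0
    for p in perms:
        weight = PERMISSION_WEIGHTS.get(p, HOST_PATTERN_WEIGHT if "://" in p else 0)
        if weight:
            findings.append((p, weight))
            score += weight
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(("content_script:" + pattern, BROAD_CONTENT_SCRIPT))
                score += BROAD_CONTENT_SCRIPT
    return score, findings

def risk_level(score):
    """Map a numeric score onto a coarse triage bucket (thresholds are assumed)."""
    return "high" if score >= 60 else "medium" if score >= 25 else "low"

# Constructed sample manifest: a 'page helper' that can read every site and its cookies.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Helper", "version": "1.0",
    "permissions": ["tabs", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    total, hits = score_manifest(json.loads(SAMPLE_MANIFEST))
    print(risk_level(total), total, hits)
```

A real review would also inventory the bundled third-party libraries and their versions, which this manifest-only check does not see.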
Tracking the third-party code used by an extension, along with its functionality and ownership, is laborious but important work that analysts say is much more feasible through automation.
The challenge gets even thornier if an attacker buys an extension from a developer or hacks that person’s account, as the Duo Security executives pointed out.
“The third party could add malicious code and push the new version out to existing users without triggering another security review,” the blog post says. “Manually reviewing every update to extensions allowed in an organization’s domain is not feasible for most security teams.”
“If out-of-date libraries with known security vulnerabilities persist in extensions, it is possible that these vulnerabilities could be exploited by malicious code on sites that are visited,” the Duo Security executives wrote.
While Duo credited Google for recently bolstering extension security, there is plenty of progress to be made. Duo scanned more than 120,000 Chrome extensions and apps in January and found that over 30 percent of them use third-party libraries that have known vulnerabilities.