This tool allows you to check the code powering Chrome extensions

Automation can help with the laborious but important work of tracking the third-party code used by extensions.
Image: chrome extension (Stephen Shankland / Flickr)

Browser extensions, like any other piece of software, can be abused or manipulated by hackers for malicious purposes. Duo Security wants to make it harder for that to happen.

The company on Thursday released a beta version of a tool, CRXcavator, that screens extensions for Google Chrome, the world’s most popular web browser, for malicious code.

“As our portal to the internet, browsers represent what is likely the largest common attack surface across consumers and businesses alike,” the Cisco-owned company said in a blog post.

Extensions are handy for navigating the web, and some even offer important security features, but they can also give third parties access to a lot of user data. The new tool takes a stab at that security challenge by letting a user enter a Chrome extension and then returning a risk score for the application based on the permissions it requests on a computer.

Tracking the third-party code used by an extension, along with its functionality and ownership, is laborious but important work that analysts say is much more feasible through automation.

The challenge gets even thornier if an attacker buys an extension from a developer or hacks that person’s account, as the Duo Security executives pointed out.

“The third party could add malicious code and push the new version out to existing users without triggering another security review,” the blog post says. “Manually reviewing every update to extensions allowed in an organization’s domain is not feasible for most security teams.”

The free Duo service creates “a list of sites that the extension’s code likely makes external requests to” and which could be laced with malware. It also analyzes third-party JavaScript libraries that are used in an extension.

“If out-of-date libraries with known security vulnerabilities persist in extensions, it is possible that these vulnerabilities could be exploited by malicious code on sites that are visited,” the Duo Security executives wrote.
While Duo credited Google for recently bolstering extension security, there is plenty of progress to be made. Duo scanned more than 120,000 Chrome extensions and apps in January and found that over 30 percent of them use third-party libraries that have known vulnerabilities.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.