New Service From Cisco’s Duo Labs Analyzes Chrome Extensions

Duo Labs, part of Cisco-owned Duo Security, has launched a new service designed to analyze Chrome extensions and deliver security reports on them. 

Dubbed CRXcavator and released in beta, the tool seeks to provide consumers and enterprise users alike with actionable intelligence on the large number of available Chrome extensions by scanning the Chrome Web Store on an ongoing basis. 

The tool can analyze extension permissions and their implications and also evaluates extensions from several other angles. 

Although Chrome users are asked to approve permissions for installed extensions, many people grant permissions without much consideration, a risky behavior when installing extensions in enterprise environments. Security teams, however, usually lack the capability to investigate extensions. 

“We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis,” Duo explains. 

The service looks at sites the extension’s code likely makes external requests to and also identifies domains the extension can communicate with. It also analyzes third-party JavaScript libraries for vulnerabilities and lets users look into the code of externally included JavaScript files. 

CRXcavator also scans for potentially dangerous functions and possible “entry points” for attackers, adds extension metadata to generated reports, and identifies related extensions to help analysts find alternatives to shady or risky extensions. 


“With all these perspectives included, a CRXcavator report equips a security operations analyst to make a well-informed decision about whether to allow or block an extension,” Duo says.

The service also provides users with the option of creating accounts and linking them to groups. Enterprises can leverage these groups to manage Chrome extension whitelists, set threat intelligence keys, gain visibility into extensions used within their environments, and more. 

Furthermore, CRXcavator provides users with the option to request approval for extensions that haven’t been included in an enterprise’s whitelist. 

After scanning the Chrome Web Store in January 2019, the security firm discovered and processed 120,463 extensions and apps, many containing various issues, such as the lack of a listed privacy policy (84.7%) or support site (77.3%), or the use of vulnerable third-party libraries (31.8%).

Most of the 95k extensions in the Web Store that support Content Security Policies (99%) do not define default-src or connect-src in their CSP (these directives allow developers to restrict the external resources the extension can access). In fact, 78.3% do not have a CSP defined at all, Duo says.
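As an added illustration (not Duo's code and not part of CRXcavator), the check below reads an extension's manifest.json and reports whether its CSP is defined and whether it sets default-src and connect-src, the two directives the figures above concern. The manifests are constructed samples, not real Web Store extensions.

```python
import json
from typing import Optional

# Constructed sample manifests (not real extensions) exercising the three cases
# the article's numbers describe: no CSP, a CSP without default-src/connect-src,
# and a CSP that scopes both.
SAMPLE_MANIFESTS = {
    "no_csp": json.dumps({"name": "Example A", "manifest_version": 2,
                          "permissions": ["tabs"]}),
    "weak_csp": json.dumps({
        "name": "Example B", "manifest_version": 2,
        "content_security_policy": "script-src 'self'; object-src 'self'",
    }),
    "scoped_csp": json.dumps({
        "name": "Example C", "manifest_version": 3,
        "content_security_policy": {"extension_pages":
            "default-src 'self'; connect-src https://api.example.test; "
            "script-src 'self'; object-src 'self'"},
    }),
}

def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def extension_csp(manifest: dict) -> Optional[str]:
    """Return the extension-page CSP from an MV2 or MV3 manifest, or None if unset."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):            # MV3 keys the policy by context
        return csp.get("extension_pages")
    return csp                           # MV2 uses a bare string

def audit_manifest(manifest_json: str) -> dict:
    """Flag a missing CSP and missing default-src / connect-src directives."""
    manifest = json.loads(manifest_json)
    policy = extension_csp(manifest)
    result = {"has_csp": policy is not None, "has_default_src": False,
              "has_connect_src": False, "connect_hosts": []}
    if policy:
        d = parse_csp(policy)
        result["has_default_src"] = "default-src" in d
        result["has_connect_src"] = "connect-src" in d
        result["connect_hosts"] = d.get("connect-src", [])  # hosts the extension may contact
    return result
```

An extension with no connect-src (and no default-src) leaves outbound connections from extension pages unrestricted, which is why a triage report should surface this alongside the permissions list.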

Related: Google Tightens Rules for Chrome Extensions

Related: Google Removes Inline Installation of Chrome Extensions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
