Researchers
The experts released a beta version of CRXcavator, a service that analyzes the permissions requested by Chrome extensions, their implications, and many other properties of an extension.
Extensions have access to powerful functionality within the browser that threat actors could abuse; for this reason it is important for end users to be able to identify malicious Chrome extensions as well as legitimate, benign extensions affected by security issues.
“The set of permissions an extension
“We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis.”
The service also lists externally included JavaScript files and lets the analyst view their source code from within the report; in addition, it scans the extension's code for potentially dangerous functions and possible “entry points.”
“With all these perspectives included, a CRXcavator report equips a security operations analyst to make a well-informed decision about whether to allow or block an extension,” continues Duo Labs.
In January 2019, the experts scanned the Chrome Web Store, processed 120,463 extensions and apps, and found that many of them had various issues. The most common issues were the lack of a listed privacy policy (84.7%), the lack of a support site (77.3%), or the use of vulnerable
Of the extensions in the Web Store that do define a Content Security Policy, most (99%) do not set default-src or connect-src (these directives let developers restrict the external resources the extension can load and the hosts it can connect to). The experts also pointed out that 78.3% of extensions do not define a CSP at all.
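To make the checks described above concrete, the following Python script is an added illustration in the spirit of CRXcavator; it is not the Duo Labs tool's own code. It reads an extension manifest, sums a per-permission risk weight, checks whether the manifest's CSP is missing or lacks default-src / connect-src (and whether script-src allows a remote origin), lists externally included scripts in the extension's HTML pages, and flags potentially dangerous calls in its JavaScript. The permission weights, the list of flagged calls and the sample manifest and sources are all constructed for the example and are assumptions, not CRXcavator's actual scoring.

```python
"""Minimal Chrome-extension triage (added example, not CRXcavator's code).

The risk weights and the "dangerous call" list below are assumptions chosen
for illustration; CRXcavator's real scoring is not reproduced here.
"""
import json
import re
from typing import Dict, List

# Hypothetical per-permission risk weights (assumed for this example).
PERMISSION_RISK: Dict[str, int] = {
    "<all_urls>": 10, "webRequestBlocking": 8, "cookies": 8, "nativeMessaging": 9,
    "webRequest": 7, "history": 6, "tabs": 5, "activeTab": 2, "storage": 1,
}

# Sinks worth a second look in extension JavaScript (assumed list; a plain
# substring match, so e.g. "retrieval(" would also hit "eval(" and needs review).
DANGEROUS_CALLS = ("eval(", "new Function(", ".innerHTML", "document.write(",
                   "chrome.tabs.executeScript(", 'setTimeout("', "XMLHttpRequest")

# <script src="https://..."> in extension HTML pages (remote includes only).
EXTERNAL_SCRIPT_RE = re.compile(r'<script[^>]+src=["\'](https?://[^"\']+)["\']', re.I)


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def score_permissions(manifest: dict) -> int:
    """Sum assumed risk weights over API permissions and host patterns."""
    total = 0
    for perm in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if perm in PERMISSION_RISK:
            total += PERMISSION_RISK[perm]
        elif "://" in perm:  # host match pattern: wildcard scheme/host is broad
            total += 10 if perm.startswith("*://*") else 3
        else:
            total += 3  # unknown API permission: assumed medium weight
    return total


def check_csp(manifest: dict) -> List[str]:
    """Report a missing CSP, missing default-src/connect-src, remote script-src."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # Manifest V3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages")
    findings: List[str] = []
    if not csp:
        findings.append("no CSP defined (browser default applies)")
        return findings
    directives = parse_csp(csp)
    for name in ("default-src", "connect-src"):
        if name not in directives:
            findings.append(f"{name} not set")
    for src in directives.get("script-src", []):
        if src.startswith("http"):
            findings.append(f"script-src allows remote origin {src}")
    return findings


def external_scripts(html: str) -> List[str]:
    """URLs of remotely hosted scripts included by an extension page."""
    return EXTERNAL_SCRIPT_RE.findall(html)


def scan_source(js: str) -> Dict[str, List[int]]:
    """Map each flagged call to the 1-based line numbers where it appears."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(js.splitlines(), 1):
        for call in DANGEROUS_CALLS:
            if call in line:
                hits.setdefault(call, []).append(lineno)
    return hits


def triage(manifest: dict, sources: Dict[str, str]) -> dict:
    """Combine the checks into one report over a manifest and its files."""
    report: dict = {
        "permission_score": score_permissions(manifest),
        "csp_findings": check_csp(manifest),
        "external_scripts": {},
        "dangerous_calls": {},
    }
    for path, body in sources.items():
        if path.endswith(".html"):
            urls = external_scripts(body)
            if urls:
                report["external_scripts"][path] = urls
        elif path.endswith(".js"):
            hits = scan_source(body)
            if hits:
                report["dangerous_calls"][path] = hits
    return report


# Constructed sample extension (not a real Web Store listing).
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Helper",
    "permissions": ["tabs", "storage", "<all_urls>", "webRequest", "webRequestBlocking"],
    "content_security_policy": "script-src 'self' https://cdn.example.net; object-src 'self'",
    "background": {"page": "background.html"},
}
SAMPLE_SOURCES = {
    "background.html": '<html><script src="https://cdn.example.net/lib.js"></script>'
                       '<script src="background.js"></script></html>',
    "background.js": "chrome.webRequest.onBeforeRequest.addListener(f, {urls: ['<all_urls>']});\n"
                     "var code = localStorage.getItem('x');\n"
                     "eval(code);\n"
                     "document.body.innerHTML = code;\n",
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

On the constructed sample the report shows a permission score of 31, a CSP with no default-src or connect-src that also whitelists a remote script origin, one remotely loaded script in background.html, and eval plus innerHTML sinks in background.js, which is exactly the combination of signals an analyst would weigh before allowing or blocking the extension.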
(SecurityAffairs – Chrome extensions, hacking)