Browser extensions are tools that help with spelling and grammar, finding deals, storing passwords, or blocking ads, and few users stop to consider that a helpful-looking tool could also be malicious. Have you installed one of these “productivity” plugins or extensions without looking carefully into what it does and what it can access? If you haven’t wondered or checked, you’re not alone. The vast majority of people never check a browser extension’s security, yet skipping that check can put you at significant risk. A recent experience, and some additional research by CyberHoot staff, showed just how dangerous extensions can be.
A Search For The Perfect Word
One of the concerns around Chrome extensions is what information goes where. After recently installing Grammarly to help with sentence construction, CyberHoot went looking for a thesaurus to help with word selection. We wanted to delight our readers with excellent word choices. The most popular thesaurus in Google’s Chrome Web Store was ‘Power Thesaurus’, with 192 five-star reviews. On the surface, this extension looked excellent, but, always being the cybersecurity-focused company, we dug a little deeper. Upon closer inspection, some concerns arose from the developer details in the extension’s store listing:
The listing shows the software developer is based in Russia. By itself, that is only a mild concern, and one based on the history of viruses and malware written there rather than on anything in the extension itself. Power Thesaurus could be an excellent and perfectly safe plugin, but how could we check to be sure? Trust but verify is CyberHoot’s mantra. This got us thinking more, and researching, about how dangerous extensions can be to our computer security. Read on to learn what we found out.
What Harm Can Come From A Chrome Extension?
In the worst case, a malicious Chrome extension can deploy malware to your computer. In other cases, extensions share your search data, credentials, and personal data with third parties, putting your privacy at great risk. In fact, research by Awake Security showed Google that 108 Chrome extensions, downloaded 32 million times, were stealing private data from unsuspecting users and sending it to third parties. Google subsequently removed those extensions from its store. CyberHoot then wanted to know: can we do our own research on an extension to see whether it is safe, rather than relying blindly on Google? We found a tool that might help you make these decisions.
The Tool: CRXcavator By Duo Security
Duo is more commonly known for its industry-leading two-factor authentication solutions. However, its security researchers developed a tool to review and rate Chrome extension security that was so good they released it to the public.
“CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors,” the company explains. These factors include:
- Permissions
- Presence of potentially dangerous functions and possible entry points
- Inclusion of vulnerable third-party JavaScript libraries
- Weak (or non-existent) content security policies
- Missing details from the Chrome Web Store description
- Which sites the extension’s code likely makes external requests to, and more.
Did CyberHoot Find A Suitable Thesaurus?
Every thesaurus we ran through CRXcavator turned up scores that raised our eyebrows. “Power Thesaurus” showed some concerns over permissions to access what we were writing, but the tool couldn’t work without that access: any thesaurus that suggests words as you type must be able to read what you type. The question such a tool helps you answer is where that text goes afterwards. In the end, we installed a different thesaurus with similar access and permissions.
Concluding Thoughts On Extensions
It’s important to do your due diligence before installing an extension. Search the web to see whether there are any concerning reports about it. CyberHoot recommends reviewing your extensions with Duo’s CRXcavator tool and reading the findings, so that you can make an informed decision about what you are comfortable running on your computer and what you aren’t. Reducing the number of extensions you run in your browser will improve browser performance, and it shrinks the amount of third-party code that can see your browsing, which improves your overall security as well.