According to Duo Security, a third of the extensions available for Google’s Chrome web browser have serious and potentially damaging security flaws. The company lays out the problem in a recent blog post: Democratizing Chrome Extension Security.
Essentially, extension developers are either clueless when it comes to developing secure solutions, are just lazy, or, in some cases, could be delivering secret but devastating payloads on purpose.
Duo Security also uses the blog post to announce a beta product called CRXcavator. The online tool allows you to submit a Chrome extension ID so it can scan the extension and report its security status.
With the recent announcement by Microsoft to begin utilizing Chromium for its own Edge browser – which will include Chrome extension support – the topic of extension security becomes even more important to address.
Even “official” extensions shouldn’t be trusted. According to the CRXcavator tool, the Amazon Assistant extension has its own minor, but potential, problems.
How do you find the Extension ID?
In the Chrome Web Store, open an extension’s page and pull the ID from the URL…
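If you have a list of Web Store links to check, the ID lookup described above can be scripted. The following is an added example, not code from Duo Security or CRXcavator; it assumes the ID is the last path segment of a `detail` URL on one of the two store hostnames listed in the code, and the sample URLs and IDs are constructed.

```python
import re
from urllib.parse import urlparse

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")

# Assumption: only the legacy and current Web Store hostnames are accepted.
STORE_HOSTS = {"chrome.google.com", "chromewebstore.google.com"}


def extract_extension_id(url):
    """Return the extension ID from a Chrome Web Store detail URL, or None."""
    parsed = urlparse(url.strip())
    # Exact host match, so look-alike hosts such as chrome.google.com.example.net fail.
    if parsed.scheme != "https" or parsed.hostname not in STORE_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    if "detail" not in segments:
        return None
    # urlparse has already split off any query string (?hl=en) and fragment.
    candidate = segments[-1]
    return candidate if EXTENSION_ID_RE.fullmatch(candidate) else None


def collect_ids(urls):
    """Split URLs into (unique valid IDs in first-seen order, rejected URLs)."""
    ids, rejected = [], []
    for url in urls:
        ext_id = extract_extension_id(url)
        if ext_id is None:
            rejected.append(url)
        elif ext_id not in ids:
            ids.append(ext_id)
    return ids, rejected


# Constructed sample input; none of these IDs refer to a real extension.
SAMPLE_URLS = [
    "https://chrome.google.com/webstore/detail/example-extension/abcdefghijklmnopabcdefghijklmnop?hl=en",
    "https://chromewebstore.google.com/detail/abcdefghijklmnopabcdefghijklmnop",
    "https://chrome.google.com.example.net/webstore/detail/x/abcdefghijklmnopabcdefghijklmnop",
    "https://chrome.google.com/webstore/detail/bad-id/abcdefghijklmnopqrstuvwxyzabcdef",
]

if __name__ == "__main__":
    valid, bad = collect_ids(SAMPLE_URLS)
    print("IDs to submit for scanning:", valid)
    print("Rejected URLs:", bad)
```

Rejected entries are worth a manual look rather than silent dropping, since a look-alike hostname or a malformed ID in a link someone sent you is itself a signal.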