Study Revealed How Chrome Extensions Are Deceiving Their Users

One-third of the 120,000 Google Chrome extensions ask for permission to access data on any website visited, according to recent research.

Last month, Duo Labs, a US-based cyber-security company, carried out the survey with its new web service, CRXcavator. In the study, all 120,463 Chrome extensions and apps were analyzed.

The researchers examined what permissions the extensions request from users, which external domains the extensions communicate with, and whether they use vulnerable libraries. They also recorded whether the extensions access OAuth2 data, checked their CSP (Content Security Policy) header, and noted whether each extension lists a privacy policy or an author.

The research revealed that around 85 percent of the extensions do not have a defined privacy policy, which means they have not made clear through a legal document how they will use users' data.

It also said that 77 percent of the Chrome extensions do not list a support site, while 32 percent use third-party JavaScript libraries with known vulnerabilities. In addition, 9 percent access and read cookie files.
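
A per-extension check of several of the properties listed above, as an added example (not CRXcavator's code or scoring): a Python function that reads a parsed `manifest.json` and flags all-sites host access, the `cookies` permission, an `oauth2` block, a missing or weakened CSP and a missing author. The sample manifest and the wording of the findings are constructed; privacy-policy and support-site data live in the Web Store listing rather than the manifest, so they are not checked here.

```python
import json

# Match patterns that grant access to every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & BROAD_PATTERNS)
    if broad:
        findings.append("all-sites access: " + ", ".join(broad))
    if "cookies" in perms:
        findings.append("cookies permission requested")
    if "oauth2" in manifest:
        scopes = manifest["oauth2"].get("scopes", [])
        findings.append(f"oauth2 block present ({len(scopes)} scopes)")
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = " ".join(str(v) for v in csp.values())
    if not csp:
        findings.append("no explicit content_security_policy")
    elif "unsafe-eval" in csp or "unsafe-inline" in csp:
        findings.append("CSP weakened with unsafe-eval/unsafe-inline")
    if not manifest.get("author"):
        findings.append("no author listed")
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""
{
  "manifest_version": 2,
  "name": "Sample Tab Helper",
  "version": "1.0",
  "permissions": ["cookies", "tabs", "<all_urls>"],
  "oauth2": {"client_id": "PLACEHOLDER", "scopes": ["email", "profile"]},
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

An extension that keeps Chrome's default CSP is reported as having no explicit policy, which is informational rather than a defect.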

Duo Labs has also launched the CRXcavator Gatherer Chrome extension for enterprise use. Once installed on an employee's computer, it lets system administrators check which extensions the employee has installed. The extracted data is then transferred to the administrator's account on the CRXcavator portal. System administrators can see whether the extensions in use are secure and, based on that, allow or discontinue the use of an extension in their network.

This extension not only reports on the risks of other extensions in use but can also place restrictions on employees, who will have to ask for permission before installing any extension.

Chrome is heavily exploited by cybercriminals, which is why enterprises want to control the extensions their employees use. At times, criminals buy an extension that is no longer maintained by its developers. They then place malicious code in it and use it for spear-phishing attacks on the users who have installed that extension.

All companies need to keep a special watch on the extensions being used by their employees, as they can be risky and can lead to online fraud.

People can check the results of the study on the CRXcavator web page. It shares information about the extensions that the researchers analyzed and also lets you submit an extension ID if you want to know about an extension that was not covered in this study.

Democratizing Chrome Extension Security - infographic
