Duo Security Digs Into Chrome Extension Security With CRXcavator

EXCLUSIVE: Cisco's Duo Security division is launching the CRXcavator effort to help individuals and organizations identify and limit the impact of potentially risky Google Chrome web browser extensions.

Do you know if the Chrome browser extensions that are being used across your enterprise are a potential risk? That's a question that until today wasn't as easy to answer as it should have been.

Cisco's Duo Security business unit is announcing the public beta of a new tool called CRXcavator on Feb. 21 that will make it easier for organizations to take inventory of the Chrome extensions running across their enterprise, understand what, if any, risk they pose and then link that to a policy for secure deployment. As part of the effort to build CRXcavator, Duo also looked at more than 120,000 Chrome extensions to discover potential security concerns and risks.

"While we did analyze data from the Chrome Web Store, our focus was on trying to learn more about the security properties of the larger browser extension ecosystem and position that information in a way that provided value to organizations and individuals," Josh Yavor, senior manager of corporate security at Duo Security, told eWEEK. "The problem we're trying to solve here is that it's really difficult for any individual or organization to look at any given Chrome extension and decide whether or not the risk that the extension brings is acceptable."

CRX is an acronym for "ChRome eXtension," and what the CRXcavator is doing is digging for information. Chrome Extensions provide added functionality to the Chrome web browser, which can run on Windows, macOS, Linux and Chromebook devices.

Over the course of January 2019, Duo scanned 120,463 Chrome extensions and apps and found a number of issues that could represent risk. Across the scanned Chrome extensions, 38,289 included third-party code libraries that had publicly known vulnerabilities.

Perhaps even worse is how many Chrome extensions don't properly make use of Content Security Policy (CSP) settings. CSP is a configuration setting that is intended to help prevent cross-site scripting (XSS) security vulnerabilities. Duo found that 95,000 extensions have support for CSP, though 78 percent of them have not defined an actual CSP policy. Without a policy, CSP is not effective and data can potentially be sent or shared anywhere.

The Duo researchers also looked at OAuth authentication grants that could provide access to the user's logged-in identity from a site, though that wasn't a core focus for the initial research.

"Whether or not the browser is signed in doesn't matter too much to the Chrome extension because Chrome extensions can request access to your cookies and by that take control of the session," Steve Edwards, manager of corporate security engineering, told eWEEK. "One of the risks that we call out is when Chrome extensions are requesting access to all of your cookies."

How It Works

There are multiple elements to CRXcavator, with users starting off first at the landing page to search different extensions to see what the potential risk might be.

In a demo shown to eWEEK, Jacob Rickerd, security engineer at Duo, explained that the analysis shows a risk breakdown for a given extension across different categories. The breakdown identifies known vulnerabilities and also shows how risk changes over time as an extension is developed.

Another key area of the analysis is the permissions section, which outlines what permissions an extension has and the potential risk of those permissions. The analysis also identifies any dangerous functions that are found within an extension.
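The manifest-level checks discussed above (a declared CSP, and the cookies permission combined with access to every site) can be sketched as follows. This is an added example, not CRXcavator's code or scoring; the finding names, the choice of checks and the sample manifests are assumptions constructed for illustration.

```python
# Host match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def declared_csp(manifest):
    """Return the extension-page CSP string, or None if none is declared."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # Manifest V3 form: object keyed by context
        csp = csp.get("extension_pages")
    return csp if isinstance(csp, str) and csp.strip() else None


def audit_manifest(manifest):
    """Return a sorted list of finding codes (hypothetical names) for a manifest."""
    findings = set()
    csp = declared_csp(manifest)
    if csp is None:
        findings.add("csp-not-declared")
    else:
        # Split "directive v1 v2; directive ..." into {directive: [values]}.
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-eval'" in script_src:
            findings.add("csp-allows-eval")

    # V2 mixes API and host permissions; V3 moves hosts to host_permissions.
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    perms = {p for p in declared if isinstance(p, str)}  # skip object-style entries
    hosts_all = bool(perms & BROAD_HOSTS)
    if hosts_all:
        findings.add("all-sites-access")
    if "cookies" in perms and hosts_all:
        findings.add("cookies-on-all-sites")
    return sorted(findings)


# Constructed sample manifests, not taken from any real extension.
RISKY = {"manifest_version": 2, "permissions": ["cookies", "tabs", "<all_urls>"]}
TIGHT = {
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"},
}

if __name__ == "__main__":
    for name, m in (("RISKY", RISKY), ("TIGHT", TIGHT)):
        print(name, audit_manifest(m))
```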

Organizations can also use the whole system to set up a whitelist of allowed extensions and then tie that together with a policy for Chrome that runs in an enterprise.

Scanning all the Chrome Extensions on a regular basis is no small task. Rather than build out a large virtual server infrastructure, Duo made use of the serverless AWS Lambda cloud service. With serverless, which is also sometimes referred to as functions-as-a-service, events trigger different function calls as needed, instead of having a long-running server.

"We are obsessed with AWS Lambda here, and almost everything in CRXcavator is serverless," Rickerd said.

The only component of CRXcavator that is not serverless is the actual database. Rickerd explained that there is one Lambda function for running the core API that makes calls back and forth to the database. Another set of Lambda functions is used to dig into Chrome Extensions to find vulnerabilities and conduct the analysis.

No Commercial Tool, Yet

The CRXcavator is not a commercial product at this time and as a beta tool is freely available.

"Our goal here is to create a capability where there has not been any capability really historically before and because this is the first time anyone is trying to do something like this, it's a learning experience for us," Yavor said. "We're really curious to see how people consume this."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.