
    Duo Security Digs Into Chrome Extension Security With CRXcavator

    By
    SEAN MICHAEL KERNER
    -
    February 21, 2019
      Duo Security CRXcavator

      Do you know if the Chrome browser extensions that are being used across your enterprise are a potential risk? That’s a question that until today wasn’t as easy to answer as it should have been.

      Cisco’s Duo Security business unit is announcing the public beta of a new tool called CRXcavator on Feb. 21 that will make it easier for organizations to take inventory of the Chrome extensions running across their enterprise, understand what risk, if any, they pose and then link that to a policy for secure deployment. As part of the effort to build CRXcavator, Duo also looked at more than 120,000 Chrome extensions to discover potential security concerns and risks.

      “While we did analyze data from the Chrome Web Store, our focus was on trying to learn more about the security properties of the larger browser extension ecosystem and position that information in a way that provided value to organizations and individuals,” Josh Yavor, senior manager of corporate security at Duo Security, told eWEEK. “The problem we’re trying to solve here is that it’s really difficult for any individual or organization to look at any given Chrome extension and decide whether or not the risk that the extension brings is acceptable.”

      CRX is an acronym for “ChRome eXtension,” and what CRXcavator does is dig for information. Chrome extensions provide added functionality to the Chrome web browser, which runs on Windows, macOS, Linux and Chromebook devices.

      Over the course of January 2019, Duo scanned 120,463 Chrome extensions and apps and found a number of issues that could represent risk. Across the scanned Chrome extensions, 38,289 included third-party code libraries that had publicly known vulnerabilities.

      Perhaps even worse is how many Chrome extensions don’t properly make use of Content Security Policy (CSP) settings. CSP is a configuration setting that is intended to help prevent cross-site scripting (XSS) security vulnerabilities. Duo found that 95,000 extensions have support for CSP, though 78 percent of them have not defined an actual CSP policy. Without a policy, CSP is not effective and data can potentially be sent or shared anywhere.

      The Duo researchers also looked at OAuth authentication grants that could provide access to the user’s logged-in identity from a site, though that wasn’t a core focus for the initial research.

      “Whether or not the browser is signed in doesn’t matter too much to the Chrome extension because Chrome extensions can request access to your cookies and by that take control of the session,” Steve Edwards, manager of corporate security engineering, told eWEEK. “One of the risks that we call out is when Chrome extensions are requesting access to all of your cookies.”

      How It Works

      There are multiple elements to CRXcavator, with users starting off first at the landing page to search different extensions to see what the potential risk might be.

      In a demo shown to eWEEK, Jacob Rickerd, security engineer at Duo, explained that the analysis shows a risk breakdown for a given extension across different categories. The breakdown identifies known vulnerabilities and also shows how risk changes over time as an extension is developed.

      Another key area of the analysis is the permissions section, which outlines what permissions an extension has and the potential risk of those permissions. The analysis also identifies any dangerous functions that are found within an extension.
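      The two static checks described above, a missing or weak Content Security Policy and permissions that carry elevated risk such as access to all cookies, can both be run against an extension's manifest.json. The following is an added example written for this article, not Duo's code and not CRXcavator's scoring model: the risk weights, the list of "broad" host patterns, and the three sample manifests are all constructed assumptions for illustration. It handles both the Manifest V2 shape (host patterns mixed into permissions, CSP as a string) and the Manifest V3 shape (host_permissions, CSP as an object).

```python
"""Static risk checks on Chrome extension manifests (added example, not CRXcavator)."""

# Assumed risk weights for this example; not CRXcavator's scale.
API_PERMISSION_RISK = {
    "cookies": 3,             # cookies for every matched host: session takeover risk
    "webRequest": 2,          # observe every request the browser makes
    "webRequestBlocking": 2,  # modify or block those requests
    "history": 2,
    "nativeMessaging": 2,     # talk to a native host process outside the sandbox
    "tabs": 1,
    "clipboardRead": 1,
}
# Host patterns that grant access to every site (assumed list).
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
# Source tokens that loosen script-src/default-src enough to be worth flagging.
WEAK_CSP_TOKENS = ("'unsafe-eval'", "*", "http:", "https:")


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for a MV2 or MV3 manifest."""
    api, hosts = [], []
    for p in manifest.get("permissions", []):
        if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
            hosts.append(p)          # MV2 mixes host patterns into "permissions"
        else:
            api.append(p)
    hosts.extend(manifest.get("host_permissions", []))  # MV3 keeps them separate
    return api, hosts


def declared_csp(manifest):
    """Return the extension-pages CSP string, or None if none is declared."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):        # MV3: {"extension_pages": "...", ...}
        csp = csp.get("extension_pages")
    return csp if isinstance(csp, str) and csp.strip() else None


def csp_findings(manifest):
    """Flag a missing CSP, or script sources that allow remote or eval'd code."""
    csp = declared_csp(manifest)
    if csp is None:
        return ["no content_security_policy declared"]
    findings = []
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] in ("script-src", "default-src"):
            weak = [s for s in tokens[1:]
                    if s in WEAK_CSP_TOKENS or s.startswith(("http://", "https://"))]
            if weak:
                findings.append(f"{tokens[0]} allows {' '.join(weak)}")
    return findings


def assess(manifest):
    """Return the extension name, an additive risk score and the list of findings."""
    api, hosts = split_permissions(manifest)
    findings, score = [], 0
    for p in api:
        if p in API_PERMISSION_RISK:
            score += API_PERMISSION_RISK[p]
            findings.append(f"permission {p}")
    broad = [h for h in hosts if h in BROAD_HOST_PATTERNS]
    for h in broad:
        score += 3
        findings.append(f"broad host permission {h}")
    csp = csp_findings(manifest)
    score += 2 * len(csp)
    findings.extend(csp)
    if "cookies" in api and broad:   # the combination the article calls out
        score += 3
        findings.append("cookies combined with broad host access: session cookies for every site")
    return {"name": manifest.get("name", "?"), "score": score, "findings": findings}


def assess_all(manifests):
    """Rank manifests from highest to lowest risk score."""
    return sorted((assess(m) for m in manifests), key=lambda r: r["score"], reverse=True)


# Constructed sample manifests for illustration; not real extensions.
SAMPLE_MANIFESTS = [
    {"name": "Tab Counter", "manifest_version": 2, "permissions": ["tabs"],
     "content_security_policy": "script-src 'self'; object-src 'self'"},
    {"name": "Coupon Helper", "manifest_version": 2,
     "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"]},
    {"name": "Remote Script Loader", "manifest_version": 3, "permissions": ["storage"],
     "host_permissions": ["https://example.com/*"],
     "content_security_policy": {"extension_pages":
                                 "script-src 'self' https://cdn.example.net; object-src 'self'"}},
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_MANIFESTS):
        print(f"{r['score']:3d}  {r['name']}")
        for f in r["findings"]:
            print("      -", f)
```

      The score is deliberately additive so that the combination that matters most in practice, the cookies permission together with a broad host pattern, stands out above either finding on its own; a real scanner would also parse the packed .crx to inspect the bundled JavaScript, which this manifest-only check does not attempt.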

      The whole system can also be used by organizations to set up a whitelist of allowed extensions and then tie that list to a Chrome policy that is enforced across the enterprise.
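      Turning an approved list of extension IDs into an enforceable Chrome policy is where the caveat sits: an allow list by itself blocks nothing unless everything else is blocked as well. The following added example, written for this article and not part of CRXcavator, builds a managed-Chrome ExtensionSettings policy that blocks every extension by default, allows only the listed IDs, and optionally refuses any extension that requests a given API permission. The two IDs are constructed placeholders (valid in format only), and the ID-format rule used for validation is that a Chrome extension ID is 32 characters drawn from the letters a through p.

```python
"""Generate a managed Chrome ExtensionSettings policy from an approved list (added example)."""
import json
import re

# Chrome extension IDs are 32 characters from the letters a-p (mpdecimal encoding of a hash).
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def validate_ids(extension_ids):
    """Return the de-duplicated, sorted IDs; reject anything that is not an extension ID."""
    ids = sorted(set(extension_ids))
    bad = [i for i in ids if not EXTENSION_ID.match(i)]
    if bad:
        raise ValueError(f"not valid Chrome extension IDs: {bad}")
    return ids


def build_policy(allowed_ids, blocked_permissions=()):
    """Build the ExtensionSettings policy value.

    The "*" entry is the default for every extension not listed; setting it to
    "blocked" is what makes the allow list meaningful. blocked_permissions on "*"
    applies to every extension, so an allowed extension that later adds one of
    those permissions is refused at update time rather than silently gaining it.
    """
    settings = {"*": {"installation_mode": "blocked"}}
    if blocked_permissions:
        settings["*"]["blocked_permissions"] = sorted(set(blocked_permissions))
    for ext_id in validate_ids(allowed_ids):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def policy_json(allowed_ids, blocked_permissions=()):
    """Render the policy as the JSON that a managed-policy file contains."""
    return json.dumps(build_policy(allowed_ids, blocked_permissions), indent=2)


# Constructed placeholder IDs, valid in format only; not real extensions.
APPROVED = [
    "abcdefghijklmnopabcdefghijklmnop",
    "ponmlkjihgfedcbaponmlkjihgfedcba",
]

if __name__ == "__main__":
    # Refuse any extension that asks for all cookies, regardless of whether it is allowed.
    print(policy_json(APPROVED, blocked_permissions=["cookies"]))
```

      On Linux the generated JSON goes into a file under /etc/opt/chrome/policies/managed/; on Windows and macOS the same ExtensionSettings value is delivered through the registry or a configuration profile. Earlier Chrome releases expressed the same allow-all-but-listed arrangement with the ExtensionInstallWhitelist and ExtensionInstallBlacklist (later renamed Allowlist and Blocklist) policies, and the same caveat applied: the blocklist entry "*" had to be present for the whitelist to restrict anything.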

      Serverless

      Scanning all the Chrome Extensions on a regular basis is no small task. Rather than build out a large virtual server infrastructure, Duo made use of the serverless AWS Lambda cloud service. With serverless, which is also sometimes referred to as functions-as-a-service, events trigger different function calls as needed, instead of having a long-running server.

      “We are obsessed with AWS Lambda here, and almost everything in CRXcavator is serverless,” Rickerd said.

      The only component of CRXcavator that is not serverless is the actual database. Rickerd explained that there is one Lambda function for running the core API that makes calls back and forth to the database. Another set of Lambda functions is used to dig into Chrome Extensions to find vulnerabilities and conduct the analysis.

      No Commercial Tool, Yet

      The CRXcavator is not a commercial product at this time and as a beta tool is freely available.

      “Our goal here is to create a capability where there has not been any capability really historically before and because this is the first time anyone is trying to do something like this, it’s a learning experience for us,” Yavor said. “We’re really curious to see how people consume this.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
