    Duo Security Digs Into Chrome Extension Security With CRXcavator

    By Sean Michael Kerner
    February 21, 2019

      Do you know if the Chrome browser extensions that are being used across your enterprise are a potential risk? That’s a question that until today wasn’t as easy to answer as it should have been.

      Cisco’s Duo Security business unit is announcing the public beta of a new tool called CRXcavator on Feb. 21 that will make it easier for organizations to take inventory of the Chrome extensions running across their enterprise, understand what risk, if any, they pose and then tie that assessment to a policy for secure deployment. As part of the effort to build CRXcavator, Duo also analyzed more than 120,000 Chrome extensions to identify potential security concerns and risks.

      “While we did analyze data from the Chrome Web Store, our focus was on trying to learn more about the security properties of the larger browser extension ecosystem and position that information in a way that provided value to organizations and individuals,” Josh Yavor, senior manager of corporate security at Duo Security, told eWEEK. “The problem we’re trying to solve here is that it’s really difficult for any individual or organization to look at any given Chrome extension and decide whether or not the risk that the extension brings is acceptable.”

      CRX is the packaged file format in which Chrome extensions are distributed (the name comes from “ChRome eXtension”), and what CRXcavator does is dig into those packages for information. Chrome extensions add functionality to the Chrome web browser, which runs on Windows, macOS, Linux and Chromebook devices.

      Over the course of January 2019, Duo scanned 120,463 Chrome extensions and apps and found a number of issues that could represent risk. Of the scanned extensions, 38,289 included third-party code libraries with publicly known vulnerabilities.

      Perhaps even worse is how many Chrome extensions don’t properly make use of Content Security Policy (CSP). CSP is a policy, declared in the extension’s manifest, that restricts the sources from which scripts and other resources may be loaded and the origins the extension may connect to; it is intended to help prevent cross-site scripting (XSS) vulnerabilities. Duo found that 95,000 extensions have support for CSP, though 78 percent of them have not defined an actual CSP policy. Without a defined policy, CSP provides no effective restriction, and data can potentially be sent or shared with any origin.

      The Duo researchers also looked at OAuth authorization grants that could give an extension access to the user’s logged-in identity on a site, though that wasn’t a core focus of the initial research.

      “Whether or not the browser is signed in doesn’t matter too much to the Chrome extension because Chrome extensions can request access to your cookies and by that take control of the session,” Steve Edwards, manager of corporate security engineering, told eWEEK. “One of the risks that we call out is when Chrome extensions are requesting access to all of your cookies.”

      How It Works

      There are multiple elements to CRXcavator. Users start at the landing page, where they can search for an extension and see what its potential risk might be.

      In a demo shown to eWEEK, Jacob Rickerd, security engineer at Duo, explained that the analysis shows a risk breakdown for a given extension across different categories. The breakdown identifies known vulnerabilities and also shows how risk changes over time as the extension is developed and new versions are released.

      Another key area of the analysis is the permissions section, which outlines what permissions an extension has and the potential risk of those permissions. The analysis also identifies any dangerous functions that are found within an extension.

      The whole system can also be used by organizations to build a whitelist of allowed extensions and tie it to the Chrome enterprise policy that governs which extensions users are permitted to install.
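      The checks described above (an undeclared or weak CSP, risky permissions, and dangerous functions in an extension’s code) and the whitelist policy at the end, shown as an added example that is not CRXcavator’s code or Duo’s: a small Python analyzer run over a constructed manifest.json and script. The sample extension, the permission weights and the dangerous-function pattern list are assumptions for illustration; the article does not describe CRXcavator’s own scoring. The Chrome policy names in the last function are the real enterprise policy keys.

```python
import json
import re

# Constructed sample manifest for illustration only; it is not a real
# extension from the Chrome Web Store. It asks for cookie access and
# every host, and declares no content_security_policy.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Helper",
    "version": "1.2.0",
    "permissions": ["cookies", "tabs", "webRequest", "<all_urls>", "storage"],
    "background": {"scripts": ["background.js"]},
}

# Constructed stand-in for the extension's background.js.
SAMPLE_SCRIPTS = {
    "background.js": """
chrome.cookies.getAll({}, function (cookies) {
  var payload = JSON.stringify(cookies);
  eval("sendReport(payload)");
});
"""
}

# Hypothetical weights; CRXcavator's own scoring is not described in the article.
PERMISSION_RISK = {
    "<all_urls>": 3, "cookies": 3, "debugger": 3, "nativeMessaging": 3,
    "webRequest": 2, "webRequestBlocking": 2, "history": 2, "clipboardRead": 2,
    "tabs": 1, "storage": 0, "alarms": 0,
}

# Constructs that turn data into executable code or markup (assumed list).
DANGEROUS_FUNCTIONS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bnew\s+Function\s*\(", "new Function()"),
    (r"\.innerHTML\s*=", "innerHTML assignment"),
    (r"\bdocument\.write\s*\(", "document.write()"),
    (r"\bsetTimeout\s*\(\s*[\"']", "setTimeout() with a string argument"),
]


def permission_findings(manifest):
    """Score declared permissions; returns (total, [(permission, weight), ...])."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    findings, total = [], 0
    for p in perms:
        weight = PERMISSION_RISK.get(p)
        if weight is None:
            # Host match patterns: a wildcard over every host is as broad as <all_urls>.
            if p.startswith(("http://", "https://", "*://", "file://")):
                weight = 3 if p.startswith("*://*/") else 1
            else:
                weight = 1  # unknown API permission: flag it, but at low weight
        if weight:
            findings.append((p, weight))
        total += weight
    return total, findings


def declared_csp(manifest):
    """Return the extension-pages CSP string, or None if the manifest declares none."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # manifest v3 nests the policy under extension_pages
        csp = csp.get("extension_pages")
    return csp or None


def parse_csp(policy):
    """Split 'name value value; name value' into {name: [values]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def csp_weaknesses(policy):
    """List the ways a CSP (or its absence) fails to restrict where data can go."""
    if not policy:
        return ["no content_security_policy declared: outbound connections are unrestricted"]
    d = parse_csp(policy)
    issues = []
    script_src = d.get("script-src", d.get("default-src", []))
    if "'unsafe-eval'" in script_src:
        issues.append("'unsafe-eval' in script-src")
    if "connect-src" not in d and "default-src" not in d:
        issues.append("no connect-src directive: data can be sent to any origin")
    return issues


def dangerous_function_findings(scripts):
    """Return [(filename, label)] for every dangerous pattern found in each script."""
    return [(name, label) for name, text in scripts.items()
            for pattern, label in DANGEROUS_FUNCTIONS if re.search(pattern, text)]


def analyze(manifest, scripts):
    """Produce a risk breakdown in the three categories the article describes."""
    total, perms = permission_findings(manifest)
    policy = declared_csp(manifest)
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permission_score": total,
        "risky_permissions": perms,
        "csp_declared": policy is not None,
        "csp_issues": csp_weaknesses(policy),
        "dangerous_functions": dangerous_function_findings(scripts),
    }


def build_chrome_policy(allowed_ids):
    """Chrome enterprise policy: block every extension except the reviewed whitelist.
    These are the policy names in use in 2019; current Chrome also accepts
    ExtensionInstallBlocklist / ExtensionInstallAllowlist."""
    return {"ExtensionInstallBlacklist": ["*"], "ExtensionInstallWhitelist": list(allowed_ids)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
```

      Run stand-alone, the script prints the breakdown for the constructed extension: a permission score driven by cookies and <all_urls>, a missing CSP, and an eval() call in background.js. The whitelist returned by build_chrome_policy is the JSON shape Chrome accepts for the ExtensionInstallBlacklist and ExtensionInstallWhitelist keys, whether delivered through Group Policy, a macOS profile or the Linux policies directory; an extension ID must be reviewed before it is placed on the whitelist, which is the link between the analysis and the deployment policy the article describes.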

      Serverless

      Scanning all the Chrome Extensions on a regular basis is no small task. Rather than build out a large virtual server infrastructure, Duo made use of the serverless AWS Lambda cloud service. With serverless, which is also sometimes referred to as functions-as-a-service, events trigger different function calls as needed, instead of having a long-running server.

      “We are obsessed with AWS Lambda here, and almost everything in CRXcavator is serverless,” Rickerd said.

      The only component of CRXcavator that is not serverless is the actual database. Rickerd explained that there is one Lambda function for running the core API that makes calls back and forth to the database. Another set of Lambda functions is used to dig into Chrome Extensions to find vulnerabilities and conduct the analysis.

      No Commercial Tool, Yet

      CRXcavator is not a commercial product at this time; as a beta tool it is freely available.

      “Our goal here is to create a capability where there has not been any capability really historically before and because this is the first time anyone is trying to do something like this, it’s a learning experience for us,” Yavor said. “We’re really curious to see how people consume this.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
