New Service Scans Chrome Extensions for Vulnerabilities and Privacy Risks

Over the past few years, hackers have increasingly abused Google Chrome extensions to steal people’s data, inject rogue ads into websites or hijack CPU power to mine cryptocurrency. Now, a new online scanning service aims to shed more light on the risks associated with browser extensions.

Called CRXcavator, from the .crx file type used by Google Chrome extensions, the service allows users or company IT staff to search extensions by their unique ID or name and review their risk score before approving their installation.

The service was created by security engineers from Cisco Systems-owned Duo Security and is still in beta stage. Even so, the scanner analyzes various aspects of an extension that could impact the user’s security, including the presence of a valid privacy policy, its permissions and its dependencies and presents a comprehensive security report.

“These extensions are often overlooked when it comes to assessing the security of user endpoints, even though they have increasing access to personal and corporate data with the widespread usage of Software-as-a-Service (SaaS) tools for presentations, taxes or email clients,” the Duo Security engineers said in a blog post.

Even if an extension is not intentionally malicious, it can still contain vulnerabilities in its own code or the code of its dependencies and some of these flaws can be exploited by malicious websites or by malicious code injected into legitimate websites.

In addition, an extension that is safe today, might not be safe tomorrow. There have been cases where malicious actors have intentionally acquired extensions from their original developers then added rogue code to them. This makes the manual review of every extension by enterprise security teams a nearly impossible task.

“The set of permissions an extension requests gives a good indicator of how concerned a reviewer might need to be, so CRXcavator is built on understanding the implications of the various permissions that are available for an extension to request,” the researchers said. “We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis.”

In addition, the service will list the websites that the extension makes external requests to and will check those against blacklists. It will also analyze third-party JavaScript libraries for vulnerabilities and the extension’s Content Security Policy (CSP). It will scan for potentially dangerous functions that could let attackers in and will list extension metadata such as the number of users and the presence of links to privacy and support pages.

In January, Duo scanned 120,463 Chrome extensions and apps and found that almost a third of them used JavaScript libraries with publicly known vulnerabilities. Also, 85 percent did not have a privacy policy listed and 77 percent did not have a support site listed.

In addition to that, 94,059 extensions “do not have default-src or connect-src in the CSP defined,” the researchers said. “These are the parts of the CSP that give developers the ability to restrict which external resources the extensions can access and where the extensions can send the data they collect.”

Adobe Takes Another Stab at Patching PDF Callback Exploit

Adobe Systems has released a new update for Adobe Reader and Acrobat in less than two weeks to fix a vulnerability that allows attackers to obtain NTLM credentials by simply tricking users into opening PDF files.

The vulnerability, tracked as CVE 2019-7089, was discovered and publicly disclosed in January by researcher Alex Inführ on his blog. It consists of abusing the xml-stylesheet feature of the XML Form Architecture (XFA), an XML structure that’s used to define forms and other elements inside a PDF, in order to automatically send information to a remote SMB or WebDAV server without user interaction.

The technique can be used to steal hashed credentials for NTLMv2, the authentication mechanism used on Windows networks and is very similar to a different technique disclosed last year called BadPDF.

Adobe released a patch for this vulnerability on Patch Tuesday, Feb. 12, but shortly after, Inführ found a way to bypass the patch and notified the company. Adobe released a new patch last week to address the bypass, so companies should upgrade to the latest Reader and Acrobat versions as soon as possible.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin