In the process of creating a free tool that analyzes Chrome extensions and creates security reports, Duo analyzed 120,000 applications and extensions in the Chrome Web Store, and the results are disturbing. Duo discovered that 35% of Chrome apps and extensions have access to data on any site you visit. Nearly 32% use third-party libraries with known vulnerabilities, and 77% do not have a support site.
As Duo points out in its blog post, people often grant permissions to extensions without much consideration, and however well-intentioned those approvals are, they bring nothing good if the extension is purchased or hacked by a malicious third party. Such a scenario is neither new nor far-fetched: in October, Chrome extension developers were the target of a massive phishing attack in which hackers tried to gain access to credentials for signing in to Google developer accounts.
Google has taken steps to improve Chrome’s security by blocking Chrome plug-ins that are installed from outside its web store and by setting extension policies that aim to improve privacy and security. However, Duo’s data shows that there is still a lot to be done. In the meantime, you will probably want to avoid using Chrome extensions that do not come from well-known and reputable developers, or check their security guidelines first.