85 percent of Chrome apps and extensions lack a privacy policy

Data reveals just how insecure your Chrome extensions are.

There's a good chance you use or have used Chrome, so there's good reason for you to be disturbed by new data from Duo Security that shows just how vulnerable the 180,000-plus Chrome apps and extensions are. For starters, 85 percent of them don't have a privacy policy, meaning developers can essentially handle your data however they want.

In the process of building a free tool that analyzes Chrome extensions and produces security reports, Duo analyzed 120,000 apps and extensions in the Chrome Web Store, and the results are unsettling. Duo found that 35 percent of Chrome apps and extensions can read data on any site you visit. Nearly 32 percent use third-party libraries with known vulnerabilities, and 77 percent have no support site.

As Duo points out in its blog post, people often grant permissions to extensions without much consideration -- and however well-intentioned those permissions are, they do little good if an extension is purchased or hacked by a malicious third party. That's not unheard of. In October, Chrome extension developers were the target of a mass phishing attack, in which hackers tried to access login credentials for developers' Google accounts.

Since permissions alone don't give a full picture of the security properties of an extension, Duo's new extension tool also builds a list of sites each extension's code likely makes external requests to, analyzes third-party JavaScript libraries for vulnerabilities, analyzes each extension's content security policy and more. The company details how the tool works on its blog.
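The kind of static triage described above, as an added example that is not Duo's tool or code from the page: a small Python script that reads a constructed manifest.json and content script, flags broad host permissions, lists the hosts the script likely makes external requests to, parses the extension's content security policy for weak directives, and extracts library version banners. Deciding whether an extracted library version is actually vulnerable needs a vulnerability database such as Retire.js and is outside this example. All file contents, hostnames and version numbers below are constructed samples.

```python
"""Static triage of a Chrome extension: permissions, likely external
request targets, content security policy, and library banners.
Added example, not Duo's tool; all inputs are constructed samples."""
import json
import re

# Constructed sample manifest (manifest v2 style, common at the time).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Extension (constructed)",
    "version": "1.0",
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_security_policy":
        "script-src 'self' 'unsafe-eval' https://cdn.example.net; object-src 'self'",
})

# Constructed sample content script bundled with the extension.
SAMPLE_SCRIPT = """
/*! jQuery v1.8.3 jquery.com | jquery.org/license */
fetch("https://api.example.net/collect", {method: "POST", body: JSON.stringify(data)});
var img = new Image(); img.src = 'http://tracker.example.org/pixel.gif?u=' + u;
"""

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Manifest v2 default when no CSP is declared (assumed here for the report).
DEFAULT_MV2_CSP = "script-src 'self'; object-src 'self'"

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")
LIB_BANNER_RE = re.compile(r"\b(jQuery|lodash|moment|angular)\s+v?(\d+\.\d+(?:\.\d+)?)", re.I)


def broad_host_permissions(manifest):
    """Return declared permissions that match any site (MV2 'permissions'
    or MV3 'host_permissions')."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return [p for p in perms if p in BROAD_HOST_PATTERNS]


def external_hosts(script_src):
    """Hosts that appear in http(s) URL literals; a rough proxy for where
    the code sends requests."""
    return {m.split("://", 1)[1] for m in URL_RE.findall(script_src)}


def csp_findings(csp):
    """Flag script-src settings that let the extension run code that was
    not part of the reviewed package: eval, inline scripts, remote origins."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    script_src = directives.get("script-src", [])
    findings = []
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval'")
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    for src in script_src:
        if src.startswith("http"):
            findings.append("script-src allows remote scripts from %s" % src)
    return findings


def library_banners(script_src):
    """(name, version) pairs from bundled-library header comments; feed these
    to a vulnerability database to decide whether the version is known-bad."""
    return [(name, ver) for name, ver in LIB_BANNER_RE.findall(script_src)]


def triage(manifest_json, script_src):
    """Combine the checks into one report dictionary."""
    manifest = json.loads(manifest_json)
    csp = manifest.get("content_security_policy", DEFAULT_MV2_CSP)
    return {
        "broad_hosts": broad_host_permissions(manifest),
        "external_hosts": sorted(external_hosts(script_src)),
        "csp": csp_findings(csp),
        "libraries": library_banners(script_src),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SCRIPT), indent=2))
```

The report for the constructed sample shows the three properties the article calls out together: a permission that reaches every site, a script that talks to two outside hosts, and a CSP that permits eval and a remote script origin. On a real extension you would run this over every script listed in the manifest, not just one file.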

Google has taken steps to improve Chrome security, blocking Chrome extension installs from outside its Web Store and setting extension rules aimed at improving privacy and security. But Duo's data shows there's still a lot of work to be done. In the meantime, you'll probably want to avoid using Chrome extensions that aren't from well-known and reputable developers, or at least check their security policies first.