In the process of building a free tool that analyzes Chrome extensions and produces security reports, Duo analyzed 120,000 apps and extensions in the Chrome Web Store, and the results are unsettling. Duo found that 35 percent of Chrome apps and extensions can read data on any site you visit. Nearly 32 percent use third-party libraries with known vulnerabilities, and 77 percent have no support site.
As Duo points out in its blog post, people often grant permissions to extensions without much consideration -- and however well intentioned those permissions are, they do little good if an extension is purchased or hacked by a malicious third party. That's not unheard of. In October, Chrome extension developers were the target of a mass phishing attack, in which hackers tried to access login credential for developers' Google accounts.
Google has taken steps to improve Chrome security, blocking Chrome extensions installs outside of its Web Store and setting extension rules aimed at improving privacy and security. But Duo's data shows there's still a lot of work to be done. In the meantime, you'll probably want to avoid using Chrome extensions that aren't from well-known and reputable developers, or at least check their security policies first.