
Image credit: Nathan Ingraham

85 percent of Chrome apps and extensions lack a privacy policy

Data reveals just how insecure your Chrome extensions are.

Nathan Ingraham

There's a good chance you use or have used Chrome, so there's good reason for you to be disturbed by new data from Duo Security that shows just how vulnerable the 180,000-plus Chrome apps and extensions are. For starters, 85 percent of them don't have a privacy policy, meaning developers can essentially handle your data however they want.

In the process of building a free tool that analyzes Chrome extensions and produces security reports, Duo analyzed 120,000 apps and extensions in the Chrome Web Store, and the results are unsettling. Duo found that 35 percent of Chrome apps and extensions can read data on any site you visit. Nearly 32 percent use third-party libraries with known vulnerabilities, and 77 percent have no support site.

As Duo points out in its blog post, people often grant permissions to extensions without much consideration -- and however well intentioned those permissions are, they do little good if an extension is purchased or hacked by a malicious third party. That's not unheard of. In October, Chrome extension developers were the target of a mass phishing attack, in which hackers tried to access login credentials for developers' Google accounts.

Since permissions alone don't give a full picture of the security properties of an extension, Duo's new extension tool also builds a list of sites each extension's code likely makes external requests to, analyzes third-party JavaScript libraries for vulnerabilities, analyzes each extension's content security policy and more. The company details how the tool works on its blog.
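To make two of those checks concrete, here is an added example (not Duo's tool or code) that reviews an extension's manifest.json for host access to every site and for a content security policy that permits eval, inline or remotely hosted scripts. The function names, finding ids and sample manifest are assumptions made for illustration.

```javascript
// Added example: static review of a Chrome extension manifest.json.
// Match patterns that grant access to every site the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return the script-src (or fallback default-src) sources from a CSP string.
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || [];
}

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hostPatterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broad = [...new Set(hostPatterns.filter((p) => BROAD_PATTERNS.has(p)))];
  if (broad.length) findings.push({ id: "broad-host-access", detail: broad });

  // V2 stores the CSP as a string; V3 as an object keyed by page type.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  const sources = scriptSources(csp);
  const unsafe = sources.filter((s) => s === "'unsafe-eval'" || s === "'unsafe-inline'");
  if (unsafe.length) findings.push({ id: "csp-unsafe-script", detail: unsafe });
  const remote = sources.filter((s) => /^(https?:|\*)/i.test(s));
  if (remote.length) findings.push({ id: "csp-remote-script", detail: remote });
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "Sample Notes Helper",
  permissions: ["storage", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

A manifest that requests only specific hosts and keeps `script-src 'self'` produces no findings.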

Google has taken steps to improve Chrome security, blocking Chrome extension installs outside of its Web Store and setting extension rules aimed at improving privacy and security. But Duo's data shows there's still a lot of work to be done. In the meantime, you'll probably want to avoid using Chrome extensions that aren't from well-known and reputable developers, or at least check their security policies first.
