
Image credit: Nathan Ingraham

85 percent of Chrome apps and extensions lack a privacy policy

Data reveals just how insecure your Chrome extensions are.

Nathan Ingraham

There's a good chance you use or have used Chrome, so there's good reason for you to be disturbed by new data from Duo Security that shows just how vulnerable the 180,000-plus Chrome apps and extensions are. For starters, 85 percent of them don't have a privacy policy, meaning developers can essentially handle your data however they want.

In the process of building a free tool that analyzes Chrome extensions and produces security reports, Duo analyzed 120,000 apps and extensions in the Chrome Web Store, and the results are unsettling. Duo found that 35 percent of Chrome apps and extensions can read data on any site you visit. Nearly 32 percent use third-party libraries with known vulnerabilities, and 77 percent have no support site.

As Duo points out in its blog post, people often grant permissions to extensions without much consideration -- and however well intentioned those permissions are, they do little good if an extension is purchased or hacked by a malicious third party. That's not unheard of. In October, Chrome extension developers were the target of a mass phishing attack, in which hackers tried to access login credentials for developers' Google accounts.

Since permissions alone don't give a full picture of the security properties of an extension, Duo's new extension tool also builds a list of sites each extension's code likely makes external requests to, analyzes third-party JavaScript libraries for vulnerabilities, analyzes each extension's content security policy and more. The company details how the tool works on its blog.
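As an added illustration (not Duo's tool and not code from this article), the sketch below checks an extension's manifest.json for two of the properties discussed above: host access to every site and a weak content security policy. The sample manifest and the finding labels are constructed for the example.

```javascript
// Added example: static audit of a Chrome extension manifest.
// Match patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Manifest V2 stores the CSP as a string, V3 as an object with extension_pages.
function cspString(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return "";
}

// Split a CSP into { directive: [source, ...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function auditManifest(manifest) {
  const findings = [];
  // Host patterns can appear in permissions (V2), host_permissions (V3)
  // and in the matches list of each content script.
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter((p) => typeof p === "string");
  if (hosts.some((p) => BROAD_HOSTS.has(p))) findings.push("broad-host-access");

  const d = parseCsp(cspString(manifest));
  const scriptSrc = d["script-src"] || d["default-src"] || [];
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
  const remote = scriptSrc.filter((s) => /^https?:/i.test(s) || s === "*");
  if (remote.length) findings.push("csp-remote-script:" + remote.join(","));
  return findings;
}

// Constructed sample manifest (not a real extension).
const sample = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "*://*/*"],
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["cs.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
console.log(auditManifest(sample));
```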

Google has taken steps to improve Chrome security, blocking Chrome extension installs outside of its Web Store and setting extension rules aimed at improving privacy and security. But Duo's data shows there's still a lot of work to be done. In the meantime, you'll probably want to avoid using Chrome extensions that aren't from well-known and reputable developers, or at least check their security policies first.
