When you install an add-on in your web browser, it may ask permission to access certain personal data, like what websites you visit now and which websites you've visited in the past. These add-ons are supposed to only ask for the data that's essential for them to function, but we've seen instances within the last year where Google and Mozilla have had to shut down add-ons over privacy issues, sometimes individually, and sometimes in batches.
Recently, Duo, the maker of a two-factor authentication app for Android and iOS (not to be confused with Google Duo, the video chat app), developed a piece of software it calls CRXcavator. It is designed to examine a Chrome browser add-on from multiple angles to evaluate its security, and some of the results are unsettling.
Over 75 percent of them also lacked a support site, and nearly one-third contained third-party programming code that's known to have security flaws.
Duo says that there are over 180,000 add-ons in the Chrome Web Store, and CRXcavator processed 120,463 of them in January. But the company adds, "CRXcavator scans the full Chrome Web Store on an ongoing basis, making it easier than ever for analysts to review and stay updated on the extensions their organization has allowed or are considering allowing."
CRXcavator is currently available in a public beta. Right now, anyone can look up a Chrome extension and see its "Risk Score," though it's not entirely clear what a given number is supposed to indicate, because only a raw number is shown, not the scale.
The CRXcavator tool searches by the ID code of the add-on. To get this ID, go to chrome://extensions in your Chrome browser and click the Developer Mode slider in the upper right to reveal the ID for each of your add-ons, which you can copy and paste into the CRXcavator search box.
(The search box may say that no matches are found, but clicking on the Submit button should produce a result.)
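For more than a handful of add-ons, the IDs and the permissions each add-on declares can be read straight from disk. The following is an added example, not code from Duo or CRXcavator: it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`, and the function names, the short list of browsing-related permissions, and the sample data are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"[a-p]{32}")  # extension IDs are 32 letters in the range a-p
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BROWSING_APIS = {"history", "tabs", "webNavigation", "webRequest"}

def version_key(path):  # numeric sort key for version folders such as '1.10.0_0'
    return tuple(int(n) for n in re.findall(r"\d+", path.name))

def inventory(ext_root):
    """Return one record per extension under a profile's Extensions folder."""
    records = []
    for ext_dir in sorted(Path(ext_root).iterdir()):
        if not (ext_dir.is_dir() and ID_RE.fullmatch(ext_dir.name)):
            continue  # skip Temp folders and stray files
        versions = [v for v in ext_dir.iterdir() if (v / "manifest.json").is_file()]
        if not versions:
            continue
        latest = max(versions, key=version_key) / "manifest.json"
        manifest = json.loads(latest.read_text(encoding="utf-8"))
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        perms = {p for key in ("permissions", "host_permissions")
                 for p in manifest.get(key, []) if isinstance(p, str)}
        records.append({"id": ext_dir.name, "name": manifest.get("name", "?"),
                        "version": manifest.get("version", "?"),
                        "browsing_apis": sorted(BROWSING_APIS & perms),
                        "broad_hosts": sorted(BROAD_HOSTS & perms)})
    return records

def build_sample(root):
    """Write constructed sample data: two fake extensions plus a Temp folder."""
    samples = {
        ("a" * 32, "1.9.0_0"): {"name": "Tab Helper", "version": "1.9.0", "permissions": ["storage"]},
        ("a" * 32, "1.10.0_0"): {"name": "Tab Helper", "version": "1.10.0",
                                 "permissions": ["tabs", "history", "<all_urls>"]},
        ("b" * 32, "2.1_0"): {"name": "Notes", "version": "2.1", "permissions": ["storage"]},
    }
    for (ext_id, version), manifest in samples.items():
        (root / ext_id / version).mkdir(parents=True)
        (root / ext_id / version / "manifest.json").write_text(json.dumps(manifest))
    (root / "Temp").mkdir()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(*inventory(tmp), sep="\n")
```

On a real machine, pass `inventory()` the `Extensions` folder inside the profile directory that chrome://version lists as "Profile Path". Some manifests store a localized placeholder such as `__MSG_appName__` in `name`, so the ID is the reliable value to search on.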
If you use an add-on that appears to be missing a lot of disclosure and contact info, this might be the right time to find an alternative, or to figure out a way to do without it.
- The makers of the Duo two-factor authentication app have released a public beta of a Chrome browser security inspection tool they call CRXcavator.