
When you install an add-on in your web browser, it may ask for permission to access certain personal data, such as which websites you're visiting now and which you've visited in the past. Add-ons are supposed to request only the data they need in order to function, but within the last year we've seen Google and Mozilla shut down add-ons over privacy issues, sometimes individually and sometimes in batches.

And according to a report by Duo that was spotted by ZDNet, there may be more shenanigans going on behind the scenes, thanks to what appears to be a chronic lack of documentation.


Recently Duo, the maker of a two-factor authentication app for Android and iOS (not to be confused with Google Duo, the video chat app), developed a tool it calls CRXcavator, which examines a Chrome browser add-on from several angles to assess how secure it is, and some of the results are unsettling.

Among other things, CRXcavator tries to determine which websites an extension is likely to communicate with (independently of the user's browsing activity), and it checks whether the extension has a privacy policy. Of the add-ons CRXcavator processed, nearly 85 percent had no publicly available privacy policy of any kind.

More than 75 percent also lacked a support site, and nearly one-third contained third-party code with known security flaws.

Duo says that there are over 180,000 add-ons in the Chrome Web Store, and CRXcavator processed 120,463 of them in January. But the company adds, "CRXcavator scans the full Chrome Web Store on an ongoing basis, making it easier than ever for analysts to review and stay updated on the extensions their organization has allowed or are considering allowing."

CRXcavator is currently available as a public beta; anyone can look up a Chrome extension and see its "Risk Score," though it's not entirely clear what a given number means, since only a raw number is shown, not the scale it sits on.


But you can click the entry to get a detailed breakdown of what specific elements are influencing the score, and to check if the extension has a privacy policy, support site and contact info.

CRXcavator searches by an add-on's ID, a 32-character string of lowercase letters. To find it, go to chrome://extensions in Chrome and flip the Developer mode switch in the upper right, which reveals the ID under each of your add-ons; copy and paste it into the CRXcavator search box. (The same ID also appears at the end of an extension's Chrome Web Store URL.)

(The search box may say that no matches are found, but clicking on the Submit button should produce a result.)
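If you would rather inspect what your installed add-ons declare before (or instead of) looking them up, the script below is an added example written for this article, not Duo's CRXcavator code. It reads an extension's manifest.json, lists the API permissions and host match patterns it asks for, flags the ones that reach every site you visit, and derives the extension ID from the manifest's public key the same way Chrome does (SHA-256 of the DER key, first 32 hex digits, remapped onto the letters a to p). The set of "sensitive" permissions is this example's own judgement, the sample manifest is constructed for the demonstration, and the scan_profile helper assumes Chrome's usual on-disk layout of Extensions/<id>/<version>/manifest.json under a profile directory.

```python
import base64
import hashlib
import json
import os

# Added example, not Duo's CRXcavator code. Which API permissions count as
# sensitive is this example's own choice, not a list from the article or Duo.
SENSITIVE_PERMISSIONS = {
    "tabs", "history", "webRequest", "webRequestBlocking", "cookies",
    "clipboardRead", "nativeMessaging", "debugger", "proxy", "management",
}

# Match patterns that cover every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extension_id_from_der(der_public_key: bytes) -> str:
    """Derive a Chrome extension ID the way Chrome does: SHA-256 of the
    DER-encoded public key, first 32 hex digits, 0-9a-f remapped onto a-p."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(ch, 16)) for ch in digest)


def extension_id_from_manifest_key(key_b64: str) -> str:
    """The manifest's optional "key" field is that DER key, base64-encoded."""
    return extension_id_from_der(base64.b64decode(key_b64))


def _is_host_pattern(entry: str) -> bool:
    return entry == "<all_urls>" or "://" in entry


def host_patterns(manifest: dict) -> set:
    """Every host match pattern the extension declares: host entries in MV2
    "permissions", MV3 "host_permissions", and content-script "matches"."""
    patterns = {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def api_permissions(manifest: dict) -> set:
    """Non-host entries of "permissions" (storage, tabs, webRequest, ...)."""
    return {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}


def review(manifest: dict) -> dict:
    """Summarise what a manifest lets the extension reach, with plain-language
    findings a reviewer can weigh before allowing it."""
    hosts = host_patterns(manifest)
    apis = api_permissions(manifest)
    findings = []
    if hosts & ALL_SITES:
        findings.append("can read or modify every website the user visits")
    for perm in sorted(apis & SENSITIVE_PERMISSIONS):
        findings.append(f"requests sensitive API permission '{perm}'")
    ext_id = extension_id_from_manifest_key(manifest["key"]) if "key" in manifest else None
    return {
        "name": manifest.get("name"),  # may be a __MSG_...__ locale key
        "version": manifest.get("version"),
        "id": ext_id,
        "api_permissions": sorted(apis),
        "host_patterns": sorted(hosts),
        "findings": findings,
    }


def scan_profile(profile_dir: str) -> list:
    """Review every installed extension in a Chrome profile. Assumes Chrome's
    usual layout, <profile>/Extensions/<id>/<version>/manifest.json; the <id>
    directory name is the ID you would paste into CRXcavator."""
    results = []
    for dirpath, _dirs, files in os.walk(os.path.join(profile_dir, "Extensions")):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            report = review(json.load(fh))
        # The manifest sits in the version directory; its parent's name is the ID.
        report["id"] = report["id"] or os.path.basename(os.path.dirname(dirpath))
        results.append(report)
    return results


# Constructed sample manifest (not a real extension) so the review runs offline.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Coupon Finder",
  "version": "1.4.2",
  "permissions": ["tabs", "storage", "webRequest", "*://*/*"],
  "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_MANIFEST), indent=2))
```

Run it as-is to see the sample reviewed, or call scan_profile on your own profile directory (on Windows that is typically under %LOCALAPPDATA%\Google\Chrome\User Data\Default) to get one report per installed add-on. A manifest tells you what an extension can reach, not what it does with that reach, so treat a broad host pattern plus tabs or webRequest as a reason to read the privacy policy, and the absence of one as the article's cue to look for an alternative.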

If you use an add-on that appears to be missing a lot of disclosure and contact info, this might be the right time to find an alternative, or to figure out a way to do without it.


  • The makers of the Duo two-factor authentication app have released a public beta of a Chrome browser security inspection tool they call CRXcavator.
  • The makers of Duo estimate that a whopping 85 percent of Chrome add-ons have no privacy policy, in which case their users have no written guarantees about the private data that these add-ons may be collecting.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.