A third of Chrome extensions use libraries with known vulnerabilities, a handy new tool finds


Researchers at Cisco-owned Duo Security have discovered that extensions in Google’s Chrome Web Store are riddled with security bugs and privacy risks that probably make many of them unfit for business use.

The good news is that admins can now use the same tool Duo did to quickly assess whether a particular Chrome extension is safe enough to be whitelisted for use on an organization’s network and devices, or should definitely be kept off them.

That tool, CRXcavator (CHrome eXtension excavator), is currently in beta and promises to address a bottleneck security teams may face in vetting Chrome extensions and risky permissions. It could also allow organizations to take a finer-grained, risk-based approach to extensions rather than banning them outright. 

Extensions in the Chrome Web Store now exceed 180,000, and the sheer number that employees may want to use in Chrome would make it difficult for a security team to vet every extension on staff wishlists. Extensions can also change over time: scammers have in the past acquired popular extensions from their developers and turned them rogue, and occasionally extension developer accounts get hacked too.
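The two problems above (risky permissions that need vetting, and extensions whose permissions grow after a sale or account takeover) can both be triaged from the extension's manifest.json. The following is an added example, not CRXcavator's code or its scoring model: it splits what a manifest requests into API permissions and host match patterns, applies an assumed, illustrative set of risk weights, reports the broad ones, and lists anything a newer version of the manifest asks for that the older version did not. The sample manifests for "Example Note Saver" are constructed for this example.

```python
"""Triage a Chrome extension's manifest.json by the permissions it requests,
and flag permissions that appear only in a newer version of the manifest.

Added example; the risk weights below are illustrative assumptions and are
not CRXcavator's scoring model.
"""
import json
from typing import Dict, List, Set, Tuple

# Assumed weights: higher means broader access to page content, cookies,
# network traffic or other extensions. Unlisted permissions score 0.
API_WEIGHTS: Dict[str, int] = {
    "debugger": 10,
    "webRequest": 8,
    "webRequestBlocking": 8,
    "cookies": 7,
    "nativeMessaging": 7,
    "history": 6,
    "management": 6,
    "clipboardRead": 5,
    "tabs": 4,
    "storage": 1,
}
API_FLAG_THRESHOLD = 5   # assumed: report API permissions at or above this weight
HOST_FLAG_THRESHOLD = 9  # assumed: report host patterns at or above this weight


def host_pattern_weight(pattern: str) -> int:
    """Weight a match pattern by how many origins it reaches."""
    if pattern == "<all_urls>":
        return 10
    _scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    if host == "*":
        return 9          # every host on the given scheme(s), e.g. "*://*/*"
    if host.startswith("*."):
        return 3          # one domain and its subdomains
    return 1              # a single host


def extract_permissions(manifest: dict) -> Tuple[Set[str], Set[str]]:
    """Split everything the manifest asks for into API permissions and host patterns.

    Handles MV2 (host patterns listed inside "permissions") and MV3
    ("host_permissions"), plus the "matches" of every content script,
    which grant page access too.
    """
    api: Set[str] = set()
    hosts: Set[str] = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
            else:
                api.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return api, hosts


def score_manifest(manifest: dict) -> Tuple[int, List[str]]:
    """Return (risk score, findings). Score = sum of API weights + broadest host weight."""
    api, hosts = extract_permissions(manifest)
    score = sum(API_WEIGHTS.get(p, 0) for p in api)
    score += max((host_pattern_weight(h) for h in hosts), default=0)
    findings = [f"API permission {p!r} (weight {API_WEIGHTS[p]})"
                for p in sorted(api) if API_WEIGHTS.get(p, 0) >= API_FLAG_THRESHOLD]
    findings += [f"host pattern {h!r} reaches most origins"
                 for h in sorted(hosts) if host_pattern_weight(h) >= HOST_FLAG_THRESHOLD]
    return score, findings


def new_permissions(old_manifest: dict, new_manifest: dict) -> Set[str]:
    """Permissions and host patterns the new version requests that the old one did not."""
    old_api, old_hosts = extract_permissions(old_manifest)
    new_api, new_hosts = extract_permissions(new_manifest)
    return (new_api | new_hosts) - (old_api | old_hosts)


# Constructed sample manifests for a fictional extension, before and after an update.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Note Saver",
  "version": "1.0",
  "permissions": ["storage", "tabs", "https://example.com/*"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}]
}""")

NEW_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Note Saver",
  "version": "1.1",
  "permissions": ["storage", "tabs", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["notes.js"]}]
}""")

if __name__ == "__main__":
    for label, m in (("old", OLD_MANIFEST), ("new", NEW_MANIFEST)):
        score, findings = score_manifest(m)
        print(f"{label} v{m['version']}: score {score}")
        for f in findings:
            print("  -", f)
    print("added on update:", sorted(new_permissions(OLD_MANIFEST, NEW_MANIFEST)))
```

Running it shows version 1.0 scoring 6 with no findings and version 1.1 scoring 38, with cookies, webRequest, webRequestBlocking and two all-origin host patterns flagged; the `new_permissions` diff is the check worth wiring into an update review, since a jump from one site to every site plus cookie and request interception is exactly the kind of change a sold or hijacked extension makes.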

Duo researchers in January used CRXcavator to scan 120,463 extensions and apps in the Chrome Web Store. What it uncovered is ugly and should prompt admins to review what extensions are running in Chrome on corporate devices.