You can now see if Chrome extensions are safe with Duo’s free, new CRXcavator tool

Free-to-use tool provides some additional insight into Chrome extensions across an entire organization before users install.

We recently covered how admin can manage Chrome extensions within the enterprise. Google’s approach is based on permissions, but what if you want to go deeper? One aspect that the tools often don’t cover is around determining whether an individual extension is safe. That’s left up to admins to make the call and with so many extensions out there, that could be a difficult, time-consuming job—plus, if the Chrome Web Store is tricked often enough, what hope do busy admins have?

Thankfully, Duo thought of this problem and came up with a tool that admins can use to automate the vetting process: CRXcavator.

Free-to-use Duo Security tool

Duo debuted CRXcavator in public beta in February after initially developing it for internal use. CRXcavator operates similarly to mobile app reputation services that some mobile threat defense vendors offer: Assess the security stance of a Chrome extension and provide a risk score. CRXcavator generates the score by reviewing a set list of criteria: extension metadata, physical address, email, privacy policy, support website, last updated, user ratings, number of users, content security policy, external JavaScript, vulnerabilities discovered by RetireJS, and a permissions breakdown (including optional ones).

CRXcavator then generates a numerical risk score as well as a report for admin, breaking the score out through several sections, including ones breaking down the above criteria. The report also:

  • Creates a graph showing the risk score over time for different versions of the extension
  • Shows potential external communication (a beta feature that “guess[es] at where an extension is making connections”)
  • Shows all external JavaScript files included in the extension (admins can use this to track all JavaScript files to monitor any potential changes to the extension)
  • Displays the results of a Facebook ThreatExchange scan
  • Shows entry points and dangerous functions within the extension (i.e., methods an attacker could inject code into the extension)
  • Related and whitelisted related extensions (admins can see if an already approved extension could serve as an alternative)

On the backend, CRXcavator scans the Chrome Web Store every three hours, running on AWS Lambda to handle the extension review process.

One nice aspect is that admin can use CRXcavator to help identify web addresses the Chrome extensions talk with to potentially build policies against them. However, due to how extensions work, this is only currently possible if the extension developer included a Content Security Policy and defined the “connect-src,” neither of which is required by Google right now.

CRXcavator Gatherer
In addition to CRXcavator, Duo released a couple Chrome extensions that help supplement the services the main solution provides.

Admins can install CRXcavator Gatherer onto organization endpoints to see all the extensions currently in use. This can make it easy to vet extensions and decide what ones might be worth removing. The CRXcavator Gatherer extension also allows users to request approval for new extension—this can even be done when browsing the Chrome Web Store (the extension will inform users when an extension they’re looking at isn’t whitelisted yet). 

crxcavator chrome extension

Admins can review whitelist extension requests via the CRXcavator dashboard, but Duo also included WebHook functionality. This way, admin can review requests through other applications (like Zendesk), instead of yet another console.

CRXcavator Admin
The second Chrome extension scrapes G Suite console to provide a list of all the organization’s whitelisted extensions. According to the Chrome Web Store page, the lack of G Suite integration with CRXcavator is due to Google not publishing APIs related to Chrome extensions in G Suite. I reached out to Google, but they don’t have anything to share about opening up the APIs at the moment.

Hopefully, Google eventually changes their stance. At Google Cloud Next 2019, Jack sat down with Cyrus Mistry, group product manager, who talked about wanting to make it easier for EMMs to work with Google Chrome APIs, so we’ll keep an eye out for future news.

Roadmap and final thoughts

I asked about roadmap plans and Josh Yavor, head of corporate security at Duo, said that they’re in “learning mode,” seeing how customers use it and the feedback they provide. Duo will keep developing CRXcavator but plans to collect user feedback before deciding what to do next. And, while CXRcavator is currently designed to work with G Suite, Duo encourages admins to write their own integrations since it’s an API-first model. It would be cool to see if they could add in the ability to block domains based on what CRXcavator sees it communicating with, providing further isolation around extensions.

Using CRXcavator in conjunction with managing Chrome extensions via permissions and runtime actions can make it easier on admins to review and protect users. Not everything CRXcavator considers for the risk score is necessarily indicative of a dangerous extension, but it allows admins to make an informed decision without having to spend a ton of time researching each extension that users want.

You can see that there are a lot of places they could take CRXcavator, and we have a lot of ideas for features they could add. But, no matter what, considering how much power extensions can have, we like seeing Duo come out with a tool to better protect users and organizations. This seems like the type of thing other security vendors—especially MTD vendors—would be interested in. We’ll definitely be keeping an eye on this space to see how CRXcavator develops and what similar tools other vendors might release.

Dig Deeper on Application management

Virtual Desktop