How to List Chrome Extensions Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query Chrome Extensions across your fleet.

Introduction

Google Chrome lets users extend the core functionality of the browser by installing 'extensions'. Extensions may be published by Google or by third-party authors, and can be distributed either through the Google Chrome Web Store or via manual download and installation.

A small subset of extensions are installed by default by Google (eg. Google Docs, Google Sheets, Google Slides, etc.).

Chrome extensions are installed on a per-profile basis and can be enabled or disabled while remaining installed.

Chrome Extensions can do, among other things:

  • Extend the functionality of Google Chrome (such as integrating with installed apps like 1Password)

  • Customize the appearance of Google Chrome through the installation of 'Theme' extensions

Kolide collects metadata about Chrome Extensions such as their name, their publisher, when they were installed, and whether they are enabled.

In addition to this host-specific data, Kolide enriches this information with Chrome Webstore analytics (such as rating and download count) and security advisories such as permissions risk scores.

What Chrome Extension Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Chrome Extensions from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Chrome Extensions Schema

| Column | Type | Description |
| --- | --- | --- |
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| author | Text | The author of the Chrome extension |
| browser_type | Enum::Text | The flavor of "Chrome" the extension originates from. Can be one of the following: chrome, chromium, opera, yandex, brave, edge, edge_beta |
| crxcavator_report | Jsonb | The full CRXcavator JSON report |
| crxcavator_risk_csp_total | Integer | The Content Security Policy (CSP) risk score |
| crxcavator_risk_metadata_total | Integer | The risk score based on the metadata embedded in the Chrome extension |
| crxcavator_risk_permissions_total | Integer | The risk score based on the permissions requested by the Chrome extension |
| crxcavator_risk_retire_total | Integer | The risk score from RetireJS based on severity of vulnerabilities found |
| crxcavator_risk_total | Integer | The total risk score tallying the CSP, Retire, Metadata, Webstore, and Permissions risk scores |
| crxcavator_risk_webstore_total | Integer | The risk score based on the info available in the Chrome Webstore |
| crxcavator_updated_at | Timestamp | The freshness of the CRXcavator data associated with this extension |
| description | Text | Author supplied description of the Chrome extension |
| enabled | Boolean | true if the Chrome extension is currently enabled; otherwise false |
| from_webstore | Boolean | true if the Chrome extension was installed from the web store; otherwise false |
| identifier | Text | The unique identifier for the Chrome extension |
| installed_at | Timestamp | The precise time the extension was installed at |
| locale | Text | Default locale supported by extension |
| manifest_hash | Text | The SHA256 hash of the manifest.json file |
| manifest_json | Jsonb | The manifest file of the extension |
| name | Text | The display name of the Chrome extension |
| optional_permissions | Text[] | The permissions optionally required by the Chrome extension. See the Google Chrome Developer Permissions Reference |
| optional_permissions_json | Jsonb | The JSON-encoded optionally required permissions by the extension |
| path | Text | Path to Chrome extension folder |
| permissions | Text[] | The permissions required by the Chrome extension. See the Google Chrome Developer Permissions Reference |
| permissions_json | Jsonb | The JSON-encoded permissions required by the extension |
| persistent | Boolean | true if the Chrome extension persists across all tabs, otherwise false |
| profile | Text | The Chrome profile that installed this extension |
| referenced_by_preferences | Boolean | true if the Chrome extension is referenced by the Preferences file of the profile; otherwise false |
| uid | Bigint | The local user that owns the extension |
| update_url | Text | Chrome extension-supplied update URL |
| webstore_icon_url | Text | The Chrome Web Store url of the icon for the Chrome extension |
| webstore_last_updated_at | Timestamp | The timestamp when the latest version of the extension was released in the Chrome Web Store |
| webstore_rating | Float | The Chrome Web Store star rating (0 - 5) for the Chrome extension |
| webstore_rating_users_count | Integer | The number of users who rated the Chrome extension |
| version | Text | The text representation of the version |
| version_major | Bigint | version's semver major version (ex: 4.2.1 would yield 4) |
| version_minor | Bigint | version's semver minor version (ex: 4.2.1 would yield 2) |
| version_patch | Bigint | version's semver patch version (ex: 4.2.1 would yield 1) |
| version_subpatch | Bigint | version's numeric status fourth position number (ex: 4.2.1.6 would yield 6) |
| version_pre | Text | version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release) |
| version_build | Text | version's semver build version (ex: 1.2.3-prerelease+build would yield build) |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find Chrome extensions installed across devices by matching partial name (Grammarly)

Kolide SQL

SELECT
  device_name,
  name AS extension_name,
  version
FROM device_chrome_extensions
WHERE name ILIKE '%Grammarly%'

Example Results

| version | device_name | extension_name |
| --- | --- | --- |
| 14.1041.0 | mobius | Grammarly for Chrome |
| 14.1051.0 | Adams-iMac-Pro | Grammarly for Chrome |
| 14.1042.0 | lenovo-thinkpad-x1 | Grammarly for Chrome |
| 14.1051.0 | home-box | Grammarly for Chrome |

Search for installations of browser extension by name (1Password)
Kolide SQL
WITH 
collated_extensions AS (
  SELECT
    device_id,
    browser_type AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_chrome_extensions
  UNION ALL
  SELECT
    device_id,
    'firefox' AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_firefox_addons
  UNION ALL
  SELECT
    device_id,
    'safari' AS browser,
    uid, 
    name, 
    team_identifier AS identifier, 
    version, 
    '' AS profile
  FROM mac_safari_extensions
  )
  SELECT 
    COUNT(*) AS install_count, 
    name, 
    browser, 
    identifier, 
    version 
  FROM collated_extensions 
  WHERE name ILIKE '%1password%'
  GROUP BY identifier, name, browser, version
  ORDER BY install_count DESC
  LIMIT 10

Example Results

| name | browser | version | identifier | install_count |
| --- | --- | --- | --- | --- |
| 1Password – Password Manager | chrome | 2.3.4 | aeblfdkhhhdcdjpifhhbdiojplfjncoa | 27 |
| 1Password extension (desktop app required) | chrome | 4.7.5.90 | aomjjhallfgjeglblehebfpbcfeobpgk | 11 |
| 1Password – Password Manager | chrome | 2.3.3 | aeblfdkhhhdcdjpifhhbdiojplfjncoa | 8 |
| 1Password – Password Manager | chrome | 2.3.2 | aeblfdkhhhdcdjpifhhbdiojplfjncoa | 8 |
| 1Password | safari | 7.9.5 | 2BUA8C4S2C | 8 |
| 1Password | safari | 7.9.2 | 2BUA8C4S2C | 7 |
| 1Password – Password Manager | firefox | 2.3.3 | {d634138d-c276-4fc8-924b-40a0ea21d284} | 4 |
| 1Password | safari | 7.8 | 2BUA8C4S2C | 4 |
| 1Password beta (desktop app required) | chrome | 4.7.6.2 | phicbbndgmmpogmijjkbmdhpioaieaha | 4 |
| 1Password for Safari | safari | 2.2.3 | 2BUA8C4S2C | 3 |

Why Should I Collect Chrome Extensions?

Because a user's browser activity is so valuable, Chrome is a frequent target of malware authors who want to obtain sensitive details about an end user (e.g. the sites they visit or the credit cards they use). Its extension configuration should be audited regularly to ensure that users are not at risk of attack.

Chrome Extension installations are cataloged and tracked to facilitate a number of potential purposes, for example:

  • Reviewing installed extensions to verify the desired configuration of Google Chrome (eg. 1Password extension is installed)

  • Discovering potential malicious extensions

  • Identifying extensions with overreaching permissions (eg. ability to record all browsing history)
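
An added example for the last two bullets (not one of Kolide's published queries): it groups enabled extensions that were sideloaded or that request broad permissions, so each identifier and version can be reviewed once with its fleet-wide install count and CRXcavator scores. It assumes Kolide SQL accepts PostgreSQL array operators on the Text[] permissions column, as the ILIKE, Jsonb and Text[] usage on this page suggests; the permission watch list and the row limit are illustrative choices.

```sql
-- Added example, not a Kolide-published query.
-- Assumption: PostgreSQL-style array overlap (&&) works on permissions (Text[]).
SELECT
  identifier,
  name,
  version,
  from_webstore,
  COUNT(DISTINCT device_id)              AS device_count,
  MAX(crxcavator_risk_permissions_total) AS permissions_risk,
  MAX(crxcavator_risk_total)             AS total_risk,
  permissions
FROM device_chrome_extensions
WHERE enabled = true
  AND (
    -- Sideloaded extensions never passed Web Store review.
    from_webstore = false
    -- Illustrative watch list of permissions that expose browsing
    -- history, page content, cookies or traffic on every site.
    OR permissions && ARRAY[
         '<all_urls>', '*://*/*', 'history', 'cookies',
         'webRequest', 'debugger', 'nativeMessaging', 'proxy'
       ]::text[]
  )
-- Group on the permission set too, so a version whose manifest differs
-- between devices shows up as separate rows.
GROUP BY identifier, name, version, from_webstore, permissions
ORDER BY
  from_webstore ASC,            -- sideloaded (false) first
  total_risk DESC NULLS LAST,   -- extensions without a CRXcavator score sort last
  device_count DESC
LIMIT 50
```

Rows where from_webstore is false and total_risk is empty are the ones CRXcavator has no report for, so they need manual review of manifest_json and update_url.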

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Extensions which you install could reveal suggestive details about your personal browsing habits if they are named after a specific service you utilize. For example:

  • eBay Bid Sniper
  • Adult Website Video Downloader
  • Netflix Region Unblocker
  • Chrome BitCoin Miner

When you use Kolide to list Chrome Extension data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
