Wednesday, November 19, 2025

How to safely vet browser extensions across your organization


Malicious browser extensions remain a significant blind spot for many organizations' cybersecurity teams. They have become a permanent fixture in the cybercriminal arsenal, used for session and account theft, espionage, masking other criminal activity, ad fraud, and cryptocurrency theft. High-profile incidents involving malicious extensions are frequent, ranging from the compromise of the Cyberhaven security extension to the mass publication of infostealer extensions.

Extensions are appealing to attackers because they are granted permissions and wide-ranging access to data inside SaaS applications and websites. Because they are not standalone applications, they often slip past standard security policies and control tools.

A company's security team must tackle this problem systematically. Managing browser extensions requires a combination of policy management tools and specialized extension-analysis services or utilities. This topic was the focus of Athanasios Giatsos' talk at the Security Analyst Summit 2025.

Threat capabilities of web extensions and changes in Manifest V3

A browser extension has broad access to web page data: it can read and modify any data available to the user through the web application, including financial or medical records. Extensions also often gain access to sensitive data the user normally never sees: cookies, local storage, and proxy settings. This greatly simplifies session hijacking. In general, the capabilities of extensions extend far beyond web pages: they can access the user's location, browser downloads, desktop screen capture, clipboard contents, and browser notifications.

Under the previously dominant extension architecture, Manifest V2 (which worked across Chrome, Edge, Opera, Vivaldi, Firefox, and Safari), extensions are almost indistinguishable from full-fledged applications in terms of capabilities. They can run background scripts continuously, keep invisible web pages open, load and execute scripts from external websites, and communicate with arbitrary sites to retrieve or send data. To curb potential abuse, and also to limit ad blockers, Google transitioned Chromium and Chrome to Manifest V3. This update restricted or removed many extension features. Extensions must now declare the hosts they communicate with, are prohibited from executing dynamically loaded third-party code, and must use short-lived service workers instead of persistent background pages. While some types of attacks are now harder to carry out under the new architecture, attackers can easily rewrite their malicious code to retain most key capabilities at the cost of some stealth. Therefore, relying solely on browsers and extensions running under Manifest V3 within a company simplifies monitoring, but is not a panacea.

Moreover, V3 does not address the core problem with extensions: they are usually downloaded from official application stores on legitimate Google, Microsoft, or Mozilla domains. Their activity appears to be initiated by the browser itself, making it extremely difficult to distinguish actions performed by an extension from those performed manually by the user.

How malicious extensions emerge

Drawing on various public incidents, Athanasios Giatsos highlights several scenarios in which malicious extensions can rear their ugly heads:

  • The original developer sells a legitimate and popular extension. The buyer then "enhances" it with malicious code for ad injection, espionage, or other nefarious purposes. Examples include The Great Suspender and Page Ruler.
  • Attackers compromise the developer's account and publish a trojanized update for an existing extension, as was the case with Cyberhaven.
  • The extension is designed to be malicious from the start. It either masquerades as a useful utility, such as a fake Save to Google Drive tool, or mimics the names and designs of popular extensions, like the dozens of AdBlock clones available.
  • A more sophisticated version of this scheme involves initially publishing the extension in a clean state, where it performs a genuinely useful function. Malicious additions are then introduced weeks or even months later, once the extension has gained enough popularity. ChatGPT for Google is one example.

In all of these scenarios, the extension is publicly available in the Chrome Web Store and sometimes even advertised. However, there is also a targeted attack scenario in which phishing pages or messages prompt victims to install a malicious extension that is not available to the general public.

Centralized distribution through the Chrome Web Store, combined with automatic updates for both the browser and extensions, often results in users unknowingly ending up with a malicious extension without any action on their part. If an extension already installed on a computer receives a malicious update, that update is installed automatically.

Organizational defenses against malicious extensions

In his talk, Athanasios offered a number of general recommendations:

  • Adopt a company policy on the use of browser extensions.
  • Prohibit any extension not explicitly included in a list approved by the cybersecurity and IT departments.
  • Continuously audit all installed extensions and their versions.
  • When extensions are updated, track changes in the permissions they are granted, and monitor any change in the ownership of the extensions or their developer team.
  • Incorporate the risks of, and rules for, using browser extensions into security awareness training for all employees.

We add a few practical insights and specific considerations to these recommendations.

Restricted list of extensions and browsers. In addition to applying security policies to the company's officially approved browser, it is essential to block the installation of portable browser builds and of popular AI browsers such as Comet, or any other unauthorized alternative that allows the same dangerous extensions to be installed. When implementing this step, make sure that local administrator privileges are restricted to IT staff and other personnel whose job duties strictly require them.

As part of the policy for the company's main browser, you should disable developer mode and prohibit the installation of extensions from local files. For Chrome, you can manage this via the Admin console. The same settings are also available through Windows Group Policy, macOS configuration profiles, or a JSON policy file on Linux.
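An added example of what such a policy looks like as a Linux JSON policy file for Chrome (a file such as /etc/opt/chrome/policies/managed/extensions.json; the filename is arbitrary). This is not configuration from the article or from Google's documentation, and the two 32-character extension IDs are placeholders, not real extensions:

```json
{
  "DeveloperToolsAvailability": 2,
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by IT Security. Submit a request through the service desk."
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx",
      "minimum_version_required": "3.2.0"
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
      "installation_mode": "allowed",
      "blocked_permissions": ["debugger", "nativeMessaging"]
    }
  }
}
```

The "*" entry turns the policy into an allowlist: every extension not listed by ID is blocked, including .crx files dragged in from disk, and the user sees the message given in blocked_install_message. DeveloperToolsAvailability set to 2 disables DevTools and, with it, developer mode on chrome://extensions, so unpacked extensions cannot be loaded. Note the caveat for the next recommendation: minimum_version_required only disables versions below the floor; it does not stop newer versions from arriving, so exact version pinning still has to be configured separately (for Chrome, through the Admin console).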

Managed updates. Implement version pinning so that updates to allowed extensions are not rolled out company-wide immediately. The IT and cybersecurity teams need to regularly test new versions of approved extensions and pin the updated versions only after they have been vetted.

Multi-layered defense. An EDR agent should be installed on all corporate devices to prevent users from launching unauthorized browsers, mitigate the risk of visiting malicious phishing sites, and block malware downloads. It is also important to track DNS requests and browser network traffic at the firewall level for real-time detection of communications with suspicious hosts and other anomalies.

Continuous monitoring. Use EDR and SIEM solutions to collect browser state details from employee workstations. This includes the list of extensions in each installed browser, along with their manifest data for version and permission analysis. This allows rapid detection of new extensions being installed, or of a version being updated with changed permissions.
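As an added example (not code from the article or from any of the tools it names), the following Node.js script shows the kind of check a security team could run over manifest.json files collected from workstations: it scores the API permissions and host patterns an extension requests, treats Manifest V2 features (persistent background pages, a CSP that permits remote script) as the risk factors discussed above, and diffs two versions of one extension to surface permissions an update added. The three manifests are constructed samples, and the permission weights and score thresholds are the author's own illustrative choices, not a published scoring scheme.

```javascript
// Added example, not part of the original article. Permission weights and
// thresholds below are illustrative assumptions, not an official scheme.

// API permissions that matter most for session theft, spying and evasion.
const RISKY_PERMISSIONS = {
  cookies: 3, webRequest: 3, webRequestBlocking: 3, debugger: 4,
  nativeMessaging: 3, proxy: 3, scripting: 2, tabs: 2, history: 2,
  clipboardRead: 2, desktopCapture: 3, geolocation: 2, downloads: 2,
  management: 2, declarativeNetRequest: 1, notifications: 1,
};

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const isBroadHost = (pattern) => BROAD_HOSTS.has(pattern) || /^\*:\/\/\*\//.test(pattern);

// Split a manifest's permissions into API permissions and host patterns.
// MV2 mixes both into "permissions"; MV3 moves hosts to "host_permissions".
function collectPermissions(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const p of manifest.permissions || []) {
    if (p.includes('://') || p === '<all_urls>') hosts.add(p); else api.add(p);
  }
  for (const h of manifest.host_permissions || []) hosts.add(h);
  return { api, hosts };
}

// Score one manifest and list the findings that drove the score.
function assessManifest(manifest) {
  const findings = [];
  let score = 0;
  const { api, hosts } = collectPermissions(manifest);

  for (const p of api) {
    if (RISKY_PERMISSIONS[p]) { score += RISKY_PERMISSIONS[p]; findings.push(`permission:${p}`); }
  }
  for (const h of hosts) {
    if (isBroadHost(h)) { score += 3; findings.push(`broad-host:${h}`); }
  }
  const bg = manifest.background || {};
  if (manifest.manifest_version !== 3) {
    score += 2; findings.push('manifest-v2');
    // MV2 background pages are persistent unless "persistent": false is set.
    if ((bg.scripts || bg.page) && bg.persistent !== false) {
      score += 1; findings.push('persistent-background');
    }
  }
  // A script-src that allows an https origin lets the extension pull remote code.
  const csp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy
    : (manifest.content_security_policy || {}).extension_pages || '';
  if (/script-src[^;]*https?:\/\//.test(csp)) { score += 3; findings.push('remote-script-csp'); }

  const level = score >= 8 ? 'high' : score >= 4 ? 'medium' : 'low';
  return { score, level, findings: findings.sort() };
}

// Compare two versions of the same extension: what did the update add or drop?
function diffPermissions(oldManifest, newManifest) {
  const a = collectPermissions(oldManifest);
  const b = collectPermissions(newManifest);
  const added = [...b.api].filter(p => !a.api.has(p)).concat([...b.hosts].filter(h => !a.hosts.has(h)));
  const removed = [...a.api].filter(p => !b.api.has(p)).concat([...a.hosts].filter(h => !b.hosts.has(h)));
  return { added: added.sort(), removed: removed.sort() };
}

// Constructed sample: version 1.0 of a harmless-looking page utility ...
const v1 = {
  manifest_version: 3, name: 'Example Page Tool', version: '1.0',
  permissions: ['activeTab', 'storage'],
  background: { service_worker: 'bg.js' },
};
// ... and a later update that quietly asks for far more.
const v2 = {
  manifest_version: 3, name: 'Example Page Tool', version: '1.1',
  permissions: ['activeTab', 'storage', 'cookies', 'tabs', 'scripting'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'bg.js' },
};
// Constructed sample of a Manifest V2 extension that can load remote script.
const legacy = {
  manifest_version: 2, name: 'Legacy Helper', version: '0.9',
  permissions: ['http://*/*', 'https://*/*', 'webRequest', 'webRequestBlocking'],
  background: { scripts: ['bg.js'] },
  content_security_policy: "script-src 'self' https://cdn.example.net; object-src 'self'",
};

console.log(assessManifest(v1));          // low, no findings
console.log(assessManifest(v2));          // high: cookies, tabs, scripting, <all_urls>
console.log(assessManifest(legacy));      // high: MV2, broad hosts, remote script CSP
console.log(diffPermissions(v1, v2));     // added: <all_urls>, cookies, scripting, tabs
```

In practice the input would be the manifest.json collected by the EDR agent from each browser profile, and the diff would run whenever a collected version string changes, so that an update like v1 to v2 above raises an alert before anyone has to look at the code.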

How to vet browser extensions

To implement the controls discussed above, the company needs an internal database of approved and prohibited extensions. Unfortunately, application stores and the browsers themselves offer no mechanism to assess risk on an organizational scale, or to populate such a list automatically. The cybersecurity team therefore has to create both the process and the list. Employees will also need a formal procedure for requesting that extensions be added to the approved list.

The assessment of business need and available alternatives is best carried out together with a representative of the relevant business unit. The risk assessment, however, remains entirely the responsibility of the security team. It is not necessary to download extensions manually and cross-reference them across different extension stores. This task can be handled by a range of tools, such as open-source utilities, free online services, and commercial platforms.

Services such as Spin.AI and Koidex (formerly ExtensionTotal) can be used to gauge the overall risk profile. Both maintain a database of popular extensions, so analysis is usually instant. They use LLMs to generate a brief summary of the extension's properties, but also provide detailed analysis, including required permissions, the developer's profile, and the history of versions, ratings, and downloads.

To examine core data on extensions, you can also use Chrome-Stats. Although primarily designed for extension developers, this service displays ratings, reviews, and other store data. Crucially, it lets you download the current and several earlier versions of an extension directly, which simplifies incident investigation.

For a deeper analysis of suspicious or mission-critical extensions, you can use tools such as CRX Viewer. It lets analysts examine the extension's internal components, conveniently filtering and displaying the contents with an emphasis on the HTML and JavaScript code.




