Browser Extensions Are the New Malware Dropper
This article looks at the risk of browser extensions serving as a malware delivery vehicle. Malicious extensions can steal session cookies, intercept network requests, inject malicious scripts, and stay active across restarts, and traditional security tools struggle to detect this activity. The article recommends that organizations and users strengthen auditing and restrict extension installs to reduce the risk.

2026-4-23 06:1:56 Author: infosecwriteups.com (view original) Views: 15

That “useful” little Chrome extension you installed 6 months ago? Yeah. We need to talk.

zerOiQ


The Threat Nobody Is Thinking About!!

Quick question. When was the last time your security team audited your browser extensions? Or, if you're a normal user, when did you?

…Exactly.

While everyone is busy patching servers, hardening APIs, and arguing about zero-trust architecture in Jira, attackers have been quietly slipping malicious code directly into the browser. The one place employees spend 90% of their workday. The one place that has access to every cookie, every session token, every password field, and every HTTP request you make.

Browser extensions are the perfect malware delivery vehicle. They’re trusted by default, reviewed by nobody, and once installed, completely invisible to your AV/EDR/Defender.

How This Actually Works

Let’s break down what a malicious extension can actually do, in plain English.

1. Stealing Session Cookies

Modern attackers don’t want your password, because passwords are protected by MFA. Session cookies aren’t.

When you log into Gmail, your bank, or your company’s internal tools, the browser stores a session cookie. This cookie is basically an “I already proved I’m me” ticket. Steal it, and you can log in as that person from anywhere in the world. No password. No MFA prompt. Nothing.

A browser extension has direct access to the chrome.cookies API. With the right permissions, which users click through without reading, an extension can silently export every single cookie in your browser to an attacker's server.

2. Intercepting Web Requests (The Invisible Middleman)

Extensions can hook into chrome.webRequest and see every HTTP request your browser makes: every API call, every form submission, every search query.

3. Injecting Malicious Scripts into Pages

Extensions can inject JavaScript into any webpage you visit. That means an attacker can modify what you see on your bank’s website, like adding a fake “confirm your card details” popup while the URL bar still shows the real domain.

This is called DOM manipulation, and it’s easy to do.

4. Persistence Across Reboots

Unlike most malware, which struggles to survive a reboot, extensions just stay there. Chrome reloads them automatically every time you open the browser, so there’s no need for registry tricks or startup scripts. The browser does the attacker’s persistence work for free.

Real-World Examples (This Isn’t Hypothetical)

The Great Suspender (2021)

A beloved Chrome extension with 2 million users that suspended unused tabs to save memory. In 2021, the original developer sold it to an unknown buyer. The new owner quietly pushed an update containing tracking code and remote script execution capabilities. Two million people running malware just from a tab manager update.

DataSpii (2019)

Researcher Sam Jadali discovered that several popular browser extensions with millions of combined installs were silently harvesting browsing history and leaking it to third parties. Some of these extensions had been in the Chrome Web Store for years. One was a PDF converter. The data being harvested included private links to Google Drive documents, Dropbox files, and internal company tools.

The ChromeLoader Campaign (2022)

A malware campaign that disguised itself as cracked software downloads. Once installed, it loaded a Chrome extension that hijacked search results and redirected traffic through attacker-controlled pages. It was widespread enough to get a CISA advisory.

Cyberhaven Breach (2024)

A supply chain attack where an attacker compromised a developer’s Google account and pushed a malicious update to Cyberhaven’s legitimate Chrome extension, used by over 400,000 corporate users. The update silently stole Facebook session cookies and access tokens. Security companies are not immune either, apparently.

Why Antivirus Won’t Save You

Here’s the uncomfortable truth.

Your EDR and antivirus are largely blind to browser extension activity.

Extensions run inside the browser’s sandbox. They don’t write to disk in suspicious ways or make unusual system calls; they just use the browser’s own APIs, which are totally legitimate.

From the OS’s perspective, it’s just Chrome doing Chrome things.

Traditional security tools are looking for process injection, suspicious executables, and weird network connections from system32. They’re not watching for a JSON payload being sent to api.extension.com from inside your browser.


This is why extension-based attacks are so attractive, and why the detection gap is massive.

Tools to Audit and Defend

For Detection & Analysis

  • CRXcavator: Analyzes Chrome extensions for risky permissions and flags suspicious ones.
  • ExtAnalysis: Open-source tool that lets you locally analyze the source code of any browser extension. Unpack it, read it, and find the nasty bits.

For Enterprise Defense

  • Chrome Browser Cloud Management : Google’s built-in free tool to allow/block specific extensions across your entire org via policy.

https://chromeenterprise.google/browser/management/

For Manual Reverse Engineering

  • Download any extension as a .crx file, rename it to .zip, unzip it, and read the JavaScript. That's it, that's the whole trick, because extensions aren't compiled; they're just JavaScript sitting in a folder.
  • Look for: chrome.cookies, chrome.webRequest, fetch() calls to external URLs, eval(), and obfuscated variable names. Any of those in a “simple productivity tool” should raise eyebrows.
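The two steps above (unpack the .crx, then grep the JavaScript for the listed indicators) as a small audit script. This is an added example written for this page, not code from the article, ExtAnalysis or any other tool it names. It builds a constructed, harmless sample extension in memory so it runs offline; the CRX header parsing follows the public CRX2/CRX3 container layout (magic "Cr24", version, header, then a plain ZIP), the indicator patterns are the ones from the bullet above, and the `_0x…` identifier heuristic for obfuscation is my own assumption.

```python
"""Unpack a Chrome .crx and flag the indicators from the section above."""
import io
import json
import re
import struct
import zipfile

# Indicators listed in the article. The obfuscation heuristic (identifiers such as
# _0x1a2b, typical of javascript-obfuscator output) is an assumption of this example.
INDICATORS = {
    "chrome.cookies": re.compile(r"\bchrome\.cookies\b"),
    "chrome.webRequest": re.compile(r"\bchrome\.webRequest\b"),
    "external fetch()": re.compile(r"\bfetch\(\s*['\"]https?://"),
    "eval()": re.compile(r"\beval\(|\bnew Function\("),
    "obfuscated names": re.compile(r"\b_0x[0-9a-f]{4,}\b"),
}


def crx_to_zip(data: bytes) -> bytes:
    """Return the ZIP payload embedded in a CRX2 or CRX3 container.

    Layout: magic "Cr24", uint32 LE version, a version-specific header, then an
    ordinary ZIP. Renaming to .zip usually works because ZIP readers locate the
    central directory from the end of the file; stripping the header explicitly
    also keeps strict tools happy.
    """
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + pub_len + sig_len:]
    if version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def audit_crx(data: bytes) -> dict:
    """Return manifest permissions and per-file indicator hits for a .crx blob."""
    zf = zipfile.ZipFile(io.BytesIO(crx_to_zip(data)))
    manifest = json.loads(zf.read("manifest.json"))
    hits = {}
    for name in zf.namelist():
        if not name.endswith(".js"):
            continue
        source = zf.read(name).decode("utf-8", errors="replace")
        found = sorted(label for label, rx in INDICATORS.items() if rx.search(source))
        if found:
            hits[name] = found
    return {
        "name": manifest.get("name"),
        "manifest_version": manifest.get("manifest_version"),
        "permissions": manifest.get("permissions", []),
        "host_permissions": manifest.get("host_permissions", []),
        "indicators": hits,
    }


def build_sample_crx() -> bytes:
    """Constructed fixture: a 'productivity' extension whose background script
    merely contains the indicator strings (nothing is wired to exfiltrate)."""
    manifest = {
        "manifest_version": 3,
        "name": "Tab Tidy (constructed sample)",
        "version": "1.0",
        "permissions": ["cookies", "tabs"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"},
    }
    background_js = (
        "// constructed fixture, contains indicator strings only\n"
        "chrome.cookies.getAll({}, (all) => console.log(all.length));\n"
        "fetch('https://example.invalid/telemetry', {method: 'POST'});\n"
        "var _0xa1b2 = ['dark', 'mode'];\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", background_js)
        zf.writestr("popup.js", "document.title = 'tidy';")
    header = b"\x00" * 32  # stand-in for the CRX3 protobuf header; only its length matters here
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(audit_crx(build_sample_crx()), indent=2))
```

Point `audit_crx` at the bytes of a real .crx to get the same report; a hit on `chrome.cookies` plus an external `fetch()` in the same background script of a “tab manager” is exactly the combination the article tells you to look for.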

A Practical Checklist for Security Teams

  • Audit all extensions installed across company devices; most MDM tools can pull this list
  • Block installation of extensions from outside the Chrome Web Store (or your browser's store), at minimum
  • Better yet, maintain an allowlist of approved extensions only
  • Review permissions when installing anything. “Read and change all your data on all websites” is not a permission a calculator extension needs
  • Treat extensions like third-party software, because that’s exactly what they are

The Permissions Red Flag List

When you see these permission requests, slow down:

  • tabs: can read your open tabs and URLs
  • cookies: can read and modify all cookies
  • webRequest / webRequestBlocking: can intercept and modify network traffic
  • storage: can store data persistently
  • scripting / content_scripts on <all_urls>: can inject code into every website

One or two of these in a niche tool might be legitimate. All of them in a “dark mode for YouTube” extension? Run.
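The checklist above (inventory, Web-Store-only, allowlist) and this red-flag list combined into one scoring pass over an extension inventory. This is an added example, not code from the article or from any MDM or Chrome Browser Cloud Management product; the inventory records (id, from_webstore, manifest) are a constructed stand-in for whatever your MDM exports, and the weights, the approved-ID set and the verdict thresholds are my own assumptions. Two caveats the scorer accounts for: Manifest V2 lists host patterns under permissions while Manifest V3 moves them to host_permissions, and content_scripts carry their own matches list, so “all sites” has to be checked in all three places. Also note that in Manifest V3 webRequestBlocking is only available to policy-installed extensions, so seeing it in a consumer extension is itself worth a second look.

```python
"""Score an extension inventory against the red-flag permission list above."""
import json

# Red-flag permissions from the article with assumed weights. Host access is
# scored separately because it can live in permissions (MV2), host_permissions
# (MV3) or content_scripts[].matches.
RED_FLAGS = {
    "tabs": 1,
    "cookies": 3,
    "webRequest": 2,
    "webRequestBlocking": 3,
    "storage": 1,
    "scripting": 2,
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Assumed corporate allowlist of extension IDs (constructed 32-character IDs).
APPROVED = {"a" * 32, "b" * 32}


def covers_all_sites(patterns) -> bool:
    """True if any match pattern grants access to every site."""
    return any(p in BROAD_HOSTS for p in patterns)


def score_extension(ext: dict) -> dict:
    """Apply the red-flag list and the allowlist / Web-Store-only policy to one record."""
    m = ext["manifest"]
    perms = set(m.get("permissions", []))
    flags = sorted(p for p in perms if p in RED_FLAGS)
    score = sum(RED_FLAGS[p] for p in flags)

    # Host patterns: MV2 keeps them in permissions, MV3 in host_permissions.
    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
    hosts += list(m.get("host_permissions", []))
    cs_matches = [pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])]
    if covers_all_sites(hosts):
        flags.append("host access to all sites")
        score += 3
    if covers_all_sites(cs_matches):
        flags.append("content_scripts on all sites")
        score += 3

    # Policy checks from the checklist: allowlist and Web-Store-only installs.
    policy = []
    if ext["id"] not in APPROVED:
        policy.append("not on allowlist")
    if not ext.get("from_webstore", False):
        policy.append("sideloaded (not from the Web Store)")

    if policy or score >= 6:
        verdict = "block"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "ok"
    return {"id": ext["id"], "name": m.get("name"), "score": score,
            "flags": flags, "policy": policy, "verdict": verdict}


def audit_inventory(inventory) -> list:
    return [score_extension(e) for e in inventory]


# Constructed sample inventory: one approved tool, one "dark mode" extension that
# asks for everything, and one sideloaded internal helper.
SAMPLE_INVENTORY = [
    {"id": "a" * 32, "from_webstore": True,
     "manifest": {"manifest_version": 3, "name": "Approved password manager",
                  "permissions": ["storage", "tabs"],
                  "host_permissions": ["https://vault.example/*"]}},
    {"id": "c" * 32, "from_webstore": True,
     "manifest": {"manifest_version": 3, "name": "Dark mode for YouTube",
                  "permissions": ["tabs", "cookies", "webRequest", "storage", "scripting"],
                  "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}},
    {"id": "d" * 32, "from_webstore": False,
     "manifest": {"manifest_version": 2, "name": "Internal helper",
                  "permissions": ["storage", "https://intranet.example/*"]}},
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(json.dumps(row))
```

The “Dark mode for YouTube” record is the article's own scenario: every red-flag permission plus all-site host access scores far above the block threshold even before the allowlist check. The internal helper is blocked on policy alone (sideloaded and not approved) despite a harmless permission set, which is the point of treating extensions like any other third-party software.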

Further Reading & Resources

The scariest part of browser extension attacks isn’t how sophisticated they are. It’s how simple they are. An attacker doesn’t need a zero-day. They don’t need to bypass your firewall. They just need you to click “Add to Chrome.”

And you will. Because it has 4.8 stars and 800,000 users.

At least, it did last week.


Article source: https://infosecwriteups.com/browser-extensions-are-the-new-malware-dropper-590266076cf4?source=rss----7b722bfd1b8d---4