Browser security

How do malicious browser extensions work?

In short

A malicious browser extension abuses the broad access users grant at install - reading pages, cookies, and requests - to steal data or inject content. The dangerous ones often start clean and turn malicious through an update.

What access does an extension actually have?

With host permissions like <all_urls>, an extension can read and change every page you visit. A content script runs in the page and can read forms, cookies, and the DOM. The background service worker handles events and network calls. That access is legitimate for real tools and devastating in the wrong hands.

How do malicious extensions evade review?

Manifest V3 forbids remotely hosted code, but attackers smuggle it back: fetching instructions on a timer and evaluating them, or stripping Content-Security-Policy through declarativeNetRequest to allow injection. Others ship clean, pass review, and add the payload in a later update.

The December 2024 Cyberhaven incident is the template: an OAuth consent phishing email compromised a developer's Chrome Web Store access, and a trojanized update exfiltrated cookies and session tokens from users who had already trusted the extension.

What do malicious extensions steal?

Session cookies and auth tokens (to hijack accounts without a password), keystrokes and form data, browsing history and open tabs, and - for crypto users - wallet approvals and seed phrases. Some inject ads or affiliate codes; some mine cryptocurrency in the background.

How does Extuno detect a malicious extension?

Extuno unpacks and analyzes every version with 1100+ static rules, runs it in a sandbox to capture real network and API behavior, and diffs each update so a benign extension that starts beaconing after an update is flagged with the evidence - the file, the endpoint, and the payload.

FAQ

Common questions

Are browser extensions safe?
Most are, but extensions run with broad access and can turn malicious through an update or an ownership change. Treat each update as a new review, not a one-time decision.
What was the Cyberhaven attack?
A December 2024 supply-chain compromise in which OAuth consent phishing gave attackers Chrome Web Store access to push a trojanized extension update that stole cookies and tokens, affecting many extensions and millions of users.
How can I tell if an extension turned malicious?
Watch for new permissions on update, new outbound connections, or behavior that does not match the stated purpose. Extuno automates this by diffing versions and running each one in a sandbox.