How do malicious browser extensions work?
A malicious browser extension abuses the broad access users grant at install - reading pages, cookies, and requests - to steal data or inject content. The dangerous ones often start clean and turn malicious through an update.
What access does an extension actually have?
With host permissions like <all_urls>, an extension can read and change every page you visit. A content script runs in the page and can read forms, cookies, and the DOM. The background service worker handles events and network calls. That access is legitimate for real tools and devastating in the wrong hands.
How do malicious extensions evade review?
Manifest V3 forbids remotely hosted code, but attackers smuggle it back: fetching instructions on a timer and evaluating them, or stripping Content-Security-Policy through declarativeNetRequest to allow injection. Others ship clean, pass review, and add the payload in a later update.
The December 2024 Cyberhaven incident is the template: an OAuth consent phishing email compromised a developer's Chrome Web Store access, and a trojanized update exfiltrated cookies and session tokens from users who had already trusted the extension.
What do malicious extensions steal?
Session cookies and auth tokens (to hijack accounts without a password), keystrokes and form data, browsing history and open tabs, and - for crypto users - wallet approvals and seed phrases. Some inject ads or affiliate codes; some mine cryptocurrency in the background.
How does Extuno detect a malicious extension?
Extuno unpacks and analyzes every version with 1100+ static rules, runs it in a sandbox to capture real network and API behavior, and diffs each update so a benign extension that starts beaconing after an update is flagged with the evidence - the file, the endpoint, and the payload.