Malicious Browser Extensions are the Next Frontier for Identity Attacks

The recent attack campaign targeting browser extensions shows that malicious browser extensions are the next frontier for identity attacks.

More than 2.6 million users across thousands of organizations worldwide learned this the hard way, just before the New Year, when they found out that their cookies and identity data were exposed as part of an attack campaign exploiting browser extensions.

The attack initially came to light when data security company Cyberhaven disclosed that an attacker had compromised its browser extension and injected it with malicious code to steal users’ Facebook cookies and authentication tokens.

However, once news about the Cyberhaven exposure became public, additional compromised extensions were quickly discovered. Currently, over thirty-five browser extensions are known to have been compromised, with additional ones still being found.

Most compromised extensions have since published updated versions to remove the malicious code or have been pulled from the Chrome Store altogether.

So while the immediate threat (at least from most extensions) seems to have been contained, it shines a spotlight on the identity risks posed by browser extensions, and on the lack of awareness that many organizations have about this risk. (LayerX is now offering a complimentary service to audit and remediate organizations' exposure.)

The Identity Threat From Within

Usage of browser extensions is ubiquitous in most organizations. According to data by LayerX, approximately 60% of corporate users have browser extensions installed on their browsers.

While many browser extensions have legitimate uses, such as correcting your spelling, finding discount coupons, and jotting down notes, they are also frequently granted extensive access permissions to sensitive user data such as cookies, authentication tokens, passwords, browsing data, and more.

Browser extension permissions are governed by APIs provided by browser providers such as Google, Microsoft, or Mozilla. When a browser extension is first installed, it will typically list the permissions it is requesting and ask for approval from the user (although there are some permissions that are provided by default and do not require explicit permission by the user). 

Key information that extensions can access through such APIs includes:

  • Cookies: access to read/write/modify the user’s cookies, which can be used for website authentication. It appears that in this incident, cookies were the primary objective of the compromised browser extensions

  • Identities: access to the user’s identity and profile

  • Browsing history: view the user’s browsing history and see where they’ve been

  • Browsing data: see the URL the user is browsing to and see all browsing meta-data

  • Passwords: many extensions have sufficient permissions to view plaintext passwords as they are being submitted to websites as part of web requests before the web session encrypts them

  • Web page content: visibility into all web page data across all open tabs, so it can potentially copy data from internal systems otherwise not accessible online

  • Text input: track every keystroke on a web page, just like a keylogger

  • Audio/video capture: access the computer’s microphone and/or camera

Although most browser extensions don’t have access to all of these permissions, many extensions do have access to some (or many) of these permissions.

Indeed, according to LayerX data, 66% of browser extensions have ‘high’ or ‘critical’-level permissions granted to them, and 40% of users have extensions with high/critical-level permission scope installed on their computers.

Compromise or malicious exploitation of browser extensions with such extensive permissions can result in a myriad of vulnerabilities and attack vectors:

  • Credential theft: theft of identities and/or passwords logged by the extension

  • Account takeover: using stolen cookies or credentials to log in as the verified user

  • Session hijacking: using stolen cookies or access tokens for session authentication

  • Data theft: capturing data submitted to web pages, or capturing it directly via the user’s keyboard, microphone, or camera

Organizations face even more severe risks when employees freely install browser extensions on corporate endpoints without oversight or controls. Attackers who steal corporate credentials through compromised extensions can compromise not just the user’s personal accounts but also organizational systems, and can access sensitive corporate data, potentially leading to widespread data exposure.

This risk amplifies across the organization as more employees install unvetted extensions that could serve as entry points for credential theft and subsequent system compromise.

A Strategic Framework for CISOs to Mitigate Extension Risks

In light of the recent attacks targeting extensions, security leaders must implement comprehensive strategies to address this often-overlooked threat vector. Here's how organizations can develop a systematic approach to managing browser extension risks across their environment:

  1. Audit all extensions: The foundation of any browser extension security program begins with comprehensive visibility. Security teams must conduct thorough audits to identify all extensions present across their corporate environment. This proves particularly challenging in organizations with permissive browser and extension installation policies, yet remains essential for understanding the full scope of potential exposure.

  2. Identify risky categories: Extension categorization emerges as the next critical step, particularly given recent attack patterns targeting specific types of extensions. The latest campaigns have demonstrated a clear focus on productivity tools, VPN solutions, and AI-related extensions. This targeting isn't random - attackers strategically choose extension categories that either command large user bases (like productivity tools) or possess extensive system permissions (like VPN extensions that require network access rights).

  3. Enumerate permission scope: Understanding the precise permissions granted to each extension provides crucial context for security teams. This detailed permission mapping reveals what corporate data and systems each extension can potentially access. For instance, a seemingly benign productivity extension might have concerning levels of access to sensitive corporate data or browsing activities.

  4. Assess risk: Risk assessment becomes possible once organizations have mapped both extension presence and permissions. An effective assessment framework should evaluate two key dimensions: technical risk (based on permission scope and potential access) and trust factors (including publisher reputation, user base size, and distribution method). These elements should be weighted to produce actionable risk scores for each extension.

  5. Apply controls: The culmination of this framework lies in implementing contextual security controls. Organizations can craft nuanced policies based on their risk appetite and operational requirements. For example, security teams might choose to block extensions requesting cookie access, or implement more sophisticated rules - such as restricting high-risk AI and VPN extensions while allowing trusted ones.
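Steps 3 to 5 can be prototyped directly against the `manifest.json` files collected during the audit. The following is an added example, not LayerX code: the weights, thresholds, function names and sample manifests are assumptions made for illustration, while the permission names are standard Chrome extension manifest keys.

```python
# Weights and thresholds are assumptions for illustration, not a LayerX or vendor scheme.
PERMISSION_WEIGHTS = {
    "cookies": 4, "webRequest": 4, "scripting": 3, "identity": 3,
    "tabCapture": 3, "desktopCapture": 3, "history": 2, "tabs": 2,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def permission_scope(manifest):
    """Step 3: split declared permissions into API names and host patterns."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])  # Manifest V3 host access
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    hosts = {p for p in declared if p == "<all_urls>" or "://" in p}
    return set(declared) - hosts, hosts

def assess(manifest, users, sideloaded):
    """Step 4: technical risk (permissions) plus trust factors (user base, distribution)."""
    apis, hosts = permission_scope(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    technical = sum(PERMISSION_WEIGHTS.get(a, 0) for a in apis) + (4 if broad else 0)
    score = technical + (2 if users < 10_000 else 0) + (3 if sideloaded else 0)
    level = "critical" if score >= 10 else "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"apis": apis, "broad_hosts": broad, "score": score, "level": level}

def decide(result):
    """Step 5: block cookie access on all sites; send other high/critical scores to review."""
    if "cookies" in result["apis"] and result["broad_hosts"]:
        return "block"
    return "review" if result["level"] in ("high", "critical") else "allow"

# Constructed sample inventory: name -> (manifest, user count, sideloaded). Not real extensions.
SAMPLES = {
    "notes-helper": ({"manifest_version": 3, "permissions": ["storage"]}, 500_000, False),
    "ai-summarizer": ({"manifest_version": 3, "permissions": ["scripting", "tabs"],
                       "host_permissions": ["https://*/*"]}, 2_000_000, False),
    "vpn-tool": ({"manifest_version": 3, "permissions": ["cookies", "webRequest", "tabs"],
                  "host_permissions": ["<all_urls>"]}, 4_000, False),
}

def run_samples():
    return {name: decide(assess(m, users, side)) for name, (m, users, side) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Manifest V2 extensions list host patterns inside `permissions`, which is why `permission_scope` separates hosts by pattern rather than by key.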

While browser extensions undeniably enhance workplace productivity, the recent attack campaigns highlight the urgent need for robust security measures. Security leaders must recognize that unmanaged browser extensions represent a significant and growing attack surface. 

To help organizations implement a strategy for securing their browser extensions, LayerX is offering a comprehensive guide on extension risks and actionable measures for remediating risks from malicious extensions.

A Free Audit to Assess Extension Risk

In addition, LayerX is offering a complimentary audit of organizations’ extension risk.

The audit includes discovering browser extensions installed on the organization’s endpoints, detecting compromised extensions, and actively remediating malicious extensions.

For organizations found to be impacted by the recent attack campaign that exposed browser extensions, LayerX is also offering remediation efforts such as rotating user cookies and passwords that may have been exposed.

Sponsored and written by LayerX.
