{"id":29747,"date":"2025-11-18T16:59:29","date_gmt":"2025-11-18T16:59:29","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/chrome-extension-security-validation\/29747\/"},"modified":"2025-11-18T16:59:29","modified_gmt":"2025-11-18T16:59:29","slug":"chrome-extension-security-validation","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/chrome-extension-security-validation\/29747\/","title":{"rendered":"Browser extensions: never trust, always verify"},"content":{"rendered":"

Malicious browser extensions remain a significant blind spot for many organizations\u2019 cybersecurity teams. They\u2019ve become a permanent fixture in the cybercriminal arsenal, used for session and account theft, espionage, masking other criminal activity, ad fraud, and cryptocurrency theft. High-profile incidents involving malicious extensions are frequent \u2014 ranging from the compromise of the Cyberhaven security extension<\/a> to the mass publication of infostealer extensions<\/a>.<\/p>\n

Extensions are appealing to attackers because they\u2019re granted permissions and wide-ranging access to information within SaaS applications and websites. Because they\u2019re not standalone applications, they often slip past standard security policies and control tools.<\/p>\n

A company\u2019s security team must tackle this problem systematically. Managing browser extensions requires a combination of policy management tools and specialized extension-analysis services or utilities. This topic was the focus of Athanasios Giatsos\u2019 talk at the Security Analyst Summit 2025<\/a>.<\/p>\n

Threat capabilities of web extensions and innovations in Manifest V3<\/h2>\n

A browser\u2019s web extension has broad access to web page information: it can read and modify any data available to the user through the web application, including financial or medical records. Extensions also often gain access to important data typically unseen by users: cookies, local storage, and proxy settings. This greatly simplifies session hijacking. Sometimes, the capabilities of extensions extend far beyond web pages: they can access the user\u2019s location, browser downloads, desktop screen capture, clipboard content, and browser notifications.<\/p>\n

In the previously dominant extension architecture, Manifest V2 extensions \u2014 which worked across Chrome, Edge, Opera, Vivaldi, Firefox, and Safari \u2014 are virtually indistinguishable from full-fledged applications in terms of capabilities. They can continuously run background scripts, keep invisible web pages open, load and execute scripts from external websites, and communicate with arbitrary sites to retrieve or send data. To curb potential abuse \u2014 as well as to limit ad blockers<\/a> \u2014 Google transitioned Chromium and Chrome to Manifest V3. This update limited or blocked many extension features. Extensions must now declare all the sites they communicate with, are prohibited from executing dynamically loaded third-party code, and must use short-lived micro-services instead of persistent background scripts. While some types of attacks are now harder to execute due to the new architecture, attackers can easily rewrite their malicious code to retain most necessary functions while sacrificing stealth. Therefore, relying solely on browsers and extensions operating under Manifest V3 within an organization simplifies monitoring, but is not a panacea.<\/p>\n

Furthermore, V3 doesn\u2019t address the core problem with extensions: they\u2019re generally downloaded from official application stores using legitimate Google, Microsoft or Mozilla domains. Their activity appears to be initiated by the browser itself, making it extremely difficult to distinguish actions performed by an extension from those manually executed by the user.<\/p>\n

How malicious extensions emerge<\/h2>\n

Drawing from various public incidents, Athanasios Giatsos highlights several scenarios where malicious extensions can rear their ugly heads:<\/p>\n