Malicious Browser Extensions are the Next Frontier for Identity Attacks – BleepingComputer
The recent attack campaign targeting browser extensions shows that malicious browser extensions are the next frontier for identity attacks.

More than 2.6 million users across thousands of organizations worldwide learned
this the hard way, just before the New Year, when they found out that their cookies and identity data were exposed as part of an attack campaign exploiting browser extensions.

The attack initially came to light when data security company Cyberhaven disclosed that an attacker had compromised its browser extension and injected it with malicious code to steal users’ Facebook cookies and authentication tokens.

However, once news about the Cyberhaven exposure became public, additional compromised extensions were quickly discovered. Currently, over thirty-five browser extensions are known to have been compromised, with additional ones still being found.

Most compromised extensions have since published updated versions to remove the malicious code or have been pulled from the Chrome Store altogether.

So while the immediate threat (at least from most extensions) seems to have been contained, it shines a spotlight on the identity risks posed by browser extensions, and on the lack of awareness that many organizations have about this risk. (LayerX is now offering a complimentary service to audit and remediate organizations’ exposure; to sign up, click here.)

Usage of browser extensions is ubiquitous in most organizations. According to data by LayerX, approximately 60% of corporate users have browser extensions installed on their browsers.

While many browser extensions have legitimate uses, such as correcting your spelling, finding discount coupons, and jotting down notes, they are also frequently granted extensive access permissions to sensitive user data such as cookies, authentication tokens, passwords, browsing data, and more.

Browser extension permissions are governed by APIs provided by browser vendors such as Google, Microsoft, or Mozilla. When a browser extension is first installed, it will typically list the permissions it is requesting and ask the user for approval (although some permissions are granted by default and do not require explicit approval by the user). Key information that extensions can access through such APIs includes:

- Cookies: read/write/modify access to the user’s cookies, which can be used for website authentication. It appears that in this incident, cookies were the primary objective of the compromised browser extensions.
- Identities: access to the user’s identity and profile.
- Browsing history: view the user’s browsing history and see where they’ve been.
- Browsing data: see the URL the user is browsing to and all browsing metadata.
- Passwords: many extensions have sufficient permissions to view plaintext passwords as they are submitted to websites in web requests, before the web session encrypts them.
- Web page content: visibility into all web page data across all open tabs, so an extension can potentially copy data from internal systems that are otherwise not accessible online.
- Text input: track every keystroke on a web page, just like a keylogger.
- Audio/video capture: access the computer’s microphone and/or camera.

Although most browser extensions don’t have access to all of these permissions, many do have access to some (or many) of them.

Indeed, according to LayerX data, 66% of browser extensions have ‘high’- or ‘critical’-level permissions granted to them, and 40% of users have extensions with high/critical-level permission scope installed on their computers.

Compromise or malicious exploitation of browser extensions with such extensive permissions can result in a myriad of vulnerabilities and attack vectors:

- Credential theft: theft of identities and/or passwords logged by the extension.
- Account takeover: using stolen cookies or credentials to log in as the verified user.
- Session hijacking: using stolen cookies or access tokens for session authentication.
- Data theft: capturing data submitted to web pages, or capturing it directly via the user’s keyboard, microphone, or camera.

Organizations face even more severe risks when employees freely install browser extensions on corporate endpoints without oversight or controls: attackers who steal corporate credentials through compromised extensions can compromise not just the user’s personal accounts but also organizational systems, and access sensitive corporate data, potentially leading to widespread data exposure. This risk amplifies across the organization as more employees install unvetted extensions that could serve as entry points for credential theft and subsequent system compromise.

In light of the recent attacks targeting extensions, security leaders must implement comprehensive strategies to address this often-overlooked threat vector. Here’s how organizations can develop a systematic approach to managing browser extension risks across their environment:

Audit all extensions: The foundation of any browser extension security program is comprehensive visibility. Security teams must conduct thorough audits to identify all extensions present across the corporate environment. This is particularly challenging in organizations with permissive browser and extension installation policies, yet it remains essential for understanding the full scope of potential exposure.

Identify risky categories: Extension categorization is the next critical step, particularly given recent attack patterns targeting specific types of extensions. The latest campaigns have demonstrated a clear focus on productivity tools, VPN solutions, and AI-related extensions. This targeting isn’t random – attackers strategically choose extension categories that either command large user bases (like productivity tools) or possess extensive system permissions (like VPN extensions that require network access rights).

Enumerate permission scope: Understanding the precise permissions granted to each extension provides crucial context for security teams. This detailed permission mapping reveals what corporate data and systems each extension can potentially access. For instance, a seemingly benign productivity extension might have concerning levels of access to sensitive corporate data or browsing activities.

Assess risk: Risk assessment becomes possible once organizations have mapped both extension presence and permissions. An effective assessment framework should evaluate two key dimensions: technical risk (based on permission scope and potential access) and trust factors (including publisher reputation, user base size, and distribution method). These elements should be weighted to produce actionable risk scores for each extension.

Apply controls: The culmination of this framework is implementing contextual security controls. Organizations can craft nuanced policies based on their risk appetite and operational requirements. For example, security teams might choose to block extensions requesting cookie access, or implement more sophisticated rules – such as restricting high-risk AI and VPN extensions while allowing trusted ones.

While browser extensions undeniably enhance workplace productivity, the recent attack campaigns highlight the urgent need for robust security measures. Security leaders must recognize that unmanaged browser extensions represent a significant and growing attack surface. To help organizations implement a strategy for securing their browser extensions, LayerX is offering a comprehensive guide on extension risks and actionable measures for remediating risks from malicious extensions.

Click here to download the guide.
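As an added example (not LayerX's tooling or code from this article), the Python sketch below walks the framework above end to end: it enumerates an extension's permission scope from its manifest.json, maps that scope onto the data classes listed earlier (cookies, identity, history, page content, capture), weights technical risk by the trust factors named in the "Assess risk" step, and applies the example "block cookie access / restrict untrusted AI and VPN extensions" control. The permission tiers, score weights, thresholds and the sample manifest are all this example's own assumptions.

```python
import json

# Manifest permission names grouped into the data classes the article lists;
# which names fall in which tier is this example's classification, not LayerX's.
CRITICAL = {"cookies", "webRequest", "debugger", "scripting", "tabCapture",
            "desktopCapture", "<all_urls>"}
HIGH = {"tabs", "history", "identity", "webNavigation", "clipboardRead",
        "proxy", "management"}
WEIGHT = {"critical": 70, "high": 40, "low": 10}   # assumed base scores

def permission_scope(manifest: dict) -> set:
    """Enumerate what an extension asks for: 'permissions' plus MV3
    'host_permissions' (MV2 puts host patterns under 'permissions')."""
    scope = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    # Wildcard host patterns grant page-content access across sites: treat as <all_urls>.
    if any(p.startswith(("*://", "http://*", "https://*")) for p in scope):
        scope.add("<all_urls>")
    return scope

def technical_level(scope: set) -> str:
    """Technical risk from permission scope alone."""
    return "critical" if scope & CRITICAL else "high" if scope & HIGH else "low"

def risk_score(manifest: dict, trusted_publisher: bool, users: int, sideloaded: bool) -> int:
    """0-100: technical risk weighted by the trust factors the article names
    (publisher reputation, user base size, distribution method). Weights assumed."""
    score = WEIGHT[technical_level(permission_scope(manifest))]
    score += 0 if trusted_publisher else 15
    score += 10 if users < 10_000 else 0
    score += 15 if sideloaded else 0   # not installed from the official store
    return min(score, 100)

def policy_decision(manifest: dict, category: str, trusted_publisher: bool,
                    users: int, sideloaded: bool) -> str:
    """The article's example controls: block anything requesting cookie access,
    block AI/VPN extensions unless the publisher is trusted, review scores > 50."""
    if "cookies" in permission_scope(manifest):
        return "block"
    if category in {"ai", "vpn"} and not trusted_publisher:
        return "block"
    return "review" if risk_score(manifest, trusted_publisher, users, sideloaded) > 50 else "allow"

if __name__ == "__main__":
    # Constructed MV3 manifest, not a real extension.
    coupons = json.loads('{"manifest_version": 3, "permissions": ["cookies", "tabs"],'
                         ' "host_permissions": ["<all_urls>"]}')
    print(sorted(permission_scope(coupons)), risk_score(coupons, False, 2000, False),
          policy_decision(coupons, "productivity", False, 2000, False))
```

In a real audit the manifests would come from the browser profiles' extension directories collected during the "Audit all extensions" step, and the trust inputs from the store listing or an inventory.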
In addition, LayerX is offering a complimentary audit of organizations’ extension risk.

The audit includes discovering browser extensions installed on the organization’s endpoints, detecting compromised extensions, and actively remediating malicious extensions. For organizations found to be impacted by the recent attack campaign that exposed browser extensions, LayerX is also offering remediation efforts such as rotating user cookies and passwords that may have been exposed.

Click here to sign up for the complimentary audit.

Sponsored and written by LayerX.