New Report: Unveiling the Threat of Malicious Browser Extensions


Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions.

Recent incidents like DataSpii and the Nigelthorn malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them.

What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?

A new report by LayerX, “Unveiling the Threat of Malicious Browser Extensions” (download here), provides in-depth insights into the malicious browser extensions threat landscape, while offering recommendations for mitigation.

The report dissects the domain of malicious extensions, focusing on several key aspects:

Let’s dive into a few of the key findings from the report. The entire report can be found here.

Malicious extensions can be categorized into three main groups:

1. Initially Malicious Extensions – These are extensions that are purposefully created by malicious actors to cause. These extensions could either be uploaded to web stores or hosted on the attacker’s infrastructure.

2. Compromised Extensions – Initially legitimate extensions that are either directly purchased by adversaries or compromised by the attacker and used for malicious activities.

3. Risky Extensions – These are legitimate extensions that, while not initially created with malicious intent, have excessive permissions that can pose a security risk.

Malicious extensions can infiltrate a victim’s browser through various methods, each with its own set of security considerations:

1. Admin Installation – Extensions that are centrally distributed by network administrators, often with explicit organizational approval.

The critical security question here is whether these extensions are truly necessary within the corporate network and whether they pose any security risks. It’s essential to carefully evaluate the need for such extensions and their potential impact on network security.

2. Normal Installation – Extensions that users download from official browser stores by visiting an extension’s listing. This approach allows users to make independent choices regarding which extensions to install.

While this offers flexibility, this approach raises the security question of potential risks associated with employees’ choices. Assessing the popularity and security of these extensions among the workforce is vital to maintain a secure browsing environment.

3. Developer Installation – Extensions loaded from employees’ local computers. Since these extensions originate from employees’ workstations, they bypass the usual vetting process for installed software.

It’s crucial to examine the security implications of allowing employees to load unpacked extension files directly from their machines to prevent potential risks.

4. Sideload Installation – This method involves third-party applications, such as Adobe or other software providers, installing extensions. Unfortunately, it is the least secure option, as it can be easily exploited by adversaries to install malicious extensions without the user’s awareness.

Evaluating how these applications interact with browsers and the access and permissions they grant to extensions is essential to mitigate security risks.

LayerX has identified the following distribution of installation types based on its user data. As can be observed, the majority, 81% of extensions, are installed by users downloading from official browser stores.

Given the widespread popularity of users downloading extensions themselves, it’s important to exercise caution and train employees to identify which extensions could be potentially malicious. Some of the main indicators include:

The report itself contains additional information that is a must-read for any security or IT professional to read. This includes risky browser extension permissions to look out for, the browser extension attack vector, mitigation techniques, and more. Cybersecurity is about acknowledging, adapting, and responding to changing threats, and malicious browser extensions demand our attention today.


Please enter your comment!
Please enter your name here