CMOtech Asia - Technology news for CMOs & marketing decision-makers
What you see is usually not what you get with browser extensions

Browser extensions represent one of modern web security's most underestimated attack surfaces. While users and organisations focus heavily on file-based attacks and malicious web pages and how to solve these using network security measures, browser extensions operate in a uniquely privileged position with capabilities that can bypass many security controls and are often overlooked.

Researchers at SquareX have revealed how deceptive the seemingly innocent permission requests from extensions can be. Extensions requesting only 'scripting' and 'background' permissions - permissions that appear innocuous to most users - can be leveraged to execute a wide range of malicious activities. Some of these have been publicly documented:

- Extensions that inject malicious payloads during download / upload
- Extensions that modify the contents of text files during download / upload
- Extensions that act on behalf of the user and send out emails through Gmail
- Password and autofill data-stealing extensions

In a more alarming finding, the researchers also published their work on 'Browser Syncjacking', an extension-based attack in which Chrome's auto-sync feature is abused to give attackers access to locally stored passwords and browsing data. This attack jeopardises every Chrome user because it occurs silently, requiring minimal user interaction to succeed.

Current security architectures have a massive void when it comes to monitoring and controlling extension behaviour. Network monitoring solutions, the backbone of many security stacks, are blind to extension activity because of the browser's isolation architecture. When an extension modifies page content, injects scripts, or exfiltrates data, these actions occur in an isolated context that network monitoring tools cannot distinguish from legitimate browser activity.

While some vendors offer static analysis tools for extension security, this approach has limitations. This is primarily because attackers retain command and control over the extension via WebSocket connections, through which content and malicious code are fetched dynamically. Often these are context-aware payloads, delivered based on the websites visited.

The only effective detection of malicious extensions is a comprehensive approach combining dynamic analysis with behaviour simulation across various web pages. Organisations must understand how extensions interact with different web applications and monitor their real-time behaviour. This involves:

- Runtime behaviour monitoring across different page contexts
- WebSocket communication analysis
- DOM modification tracking
- Script injection detection
- Form field interaction monitoring
- Extension storage access tracking

Such dynamic analysis is non-trivial and requires the browser itself to be modified to expose the inner workings of the extension processes.
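As an added example (not SquareX's code), the following page-level script shows the simplest form of two items from the list above, DOM modification tracking and script injection detection: it classifies nodes that appear in the live DOM and flags extension-packaged resources, inline scripts and third-party script or frame sources. It assumes a FIRST_PARTY_ORIGINS allowlist and a reporting callback, both placeholders for the site's own values, and it is a lightweight complement to, not a substitute for, the browser instrumentation the article describes.

```javascript
// Added example: page-level detection of script injection and DOM modification.
// FIRST_PARTY_ORIGINS is an assumption; set it to the site's own script hosts.
const FIRST_PARTY_ORIGINS = ['https://www.example.com', 'https://cdn.example.com'];

// Return null for a harmless node, or a finding describing why the node is suspicious.
// `node` may be a real DOM node or a plain object with tagName/src/textContent.
function classifyAddedNode(node) {
  const tag = String(node.tagName || '').toUpperCase();
  if (tag !== 'SCRIPT' && tag !== 'IFRAME') return null;
  const src = String(node.src || '');
  // Resources served from an extension package are the clearest signal.
  if (/^(chrome|moz|safari-web)-extension:\/\//i.test(src)) {
    return { kind: 'extension-resource', detail: src };
  }
  // An inline <script> with no src cannot be matched against an allowlist.
  if (tag === 'SCRIPT' && !src) {
    return { kind: 'inline-script', detail: (node.textContent || '').slice(0, 80) };
  }
  let origin = 'invalid';
  try { origin = new URL(src).origin; } catch (_) { /* keep 'invalid' */ }
  if (!FIRST_PARTY_ORIGINS.includes(origin)) {
    return { kind: 'third-party-' + tag.toLowerCase(), detail: src };
  }
  return null;
}

// Walk MutationObserver records (or constructed stand-ins) and collect findings.
function scanMutations(records) {
  const findings = [];
  for (const record of records) {
    for (const node of Array.from(record.addedNodes || [])) {
      const finding = classifyAddedNode(node);
      if (finding) findings.push(finding);
    }
  }
  return findings;
}

// Hook the live document when running in a browser; each finding goes to the
// callback (e.g. a beacon to a collector, an assumption left to the site).
// Returns null outside a browser so the logic above can be exercised offline.
function attachInjectionMonitor(onFinding) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const observer = new MutationObserver((records) => scanMutations(records).forEach(onFinding));
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

Call attachInjectionMonitor early in the page's own first-party bootstrap script so that later insertions by content scripts or chrome.scripting are observed; findings from a fleet of instrumented pages are the input a dynamic-analysis pipeline would correlate with the WebSocket and storage signals listed above.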

For enterprises looking to mitigate these risks, it is recommended that strict extension management policies be implemented. A practical approach is to block extensions by default and implement a request-for-exception process. This can be managed efficiently through a Browser Detection and Response (BDR) solution that provides centralised control across all browsers and extension types, whether from official web stores, under development, or sideloaded.
