What happened?
Around the end of December 2024, attackers compromised cookies and identity data of over 2.6m users and thousands of organisations through a campaign targeting browser extensions. The attack was first noticed when Cyberhaven, a data security company, announced that hackers had compromised its browser extension to steal users' Facebook cookies and authentication tokens. This revelation led to the discovery of over thirty-five compromised browser extensions, with the possibility of more being undetected.1
So what?
This threat has been largely neutralised: the compromised extensions have either been removed from the Chrome Web Store or have had the malicious code stripped out. However, the incident highlights the significant identity risks that browser extensions pose, and the widespread lack of awareness of those risks in many organisations.
Browser extensions often have permissions to access sensitive user data, including cookies, authentication tokens, passwords, and browsing data.1
Compromised browser extensions with such access can result in credential theft, account takeovers, session hijacking, and data theft. The risk increases when employees install unchecked extensions on company devices, potentially compromising both personal and company data.2
In response to these attacks, security leaders must adopt comprehensive strategies to manage the risks associated with browser extensions.
This includes:
- Audit extensions: gain comprehensive visibility of all extensions across the corporate environment.
- Identify risky categories: focus on extension categories that are commonly targeted by attackers, such as productivity tools and VPN solutions.
- Enumerate permission scope: map out the permissions granted to each extension to understand potential access to corporate data and systems.
- Assess risk: evaluate the technical risk and trust factors of each extension to produce actionable risk scores.
- Apply controls: implement security controls tailored to the organisation's risk appetite and operational requirements.
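As an added illustration of the audit, permission-enumeration and risk-scoring steps above (example code written for this page, not a tool from the original article or from Cyberhaven), the script below reads Chrome extension manifests, flags the permissions that expose identity data such as cookies and session traffic, and ranks the extensions by an illustrative risk score. The permission weights, the sample manifests and the `load_manifests` directory layout are assumptions for the example.

```python
import json
from pathlib import Path

# Permissions that expose identity data (cookies, sessions, page content); weights are an illustrative assumption.
HIGH_RISK_PERMISSIONS = {
    "cookies": 5,             # read/modify session cookies on allowed hosts
    "webRequest": 4,          # observe requests, including auth headers
    "webRequestBlocking": 4,
    "<all_urls>": 4,          # host access to every site the user visits
    "scripting": 3,           # inject scripts into pages
    "tabs": 2,                # URL and title of every open tab
    "history": 2,
}
BROAD_HOST_PATTERNS = {"*://*/*", "http://*/*", "https://*/*"}

def score_manifest(manifest):
    """Map one manifest.json (as a dict) to its risky permissions and a score."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("host_permissions", []))   # Manifest V3 host access
    if perms & BROAD_HOST_PATTERNS:                       # wildcard hosts == <all_urls>
        perms.add("<all_urls>")
    hits = {p: HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_permissions": sorted(hits), "score": sum(hits.values())}

def audit_manifests(manifests):
    """Score a list of manifest dicts, highest risk first."""
    return sorted((score_manifest(m) for m in manifests),
                  key=lambda r: r["score"], reverse=True)

def load_manifests(extensions_root):
    """Read every manifest.json below a directory such as a Chrome profile's Extensions folder (assumed layout)."""
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in Path(extensions_root).rglob("manifest.json")]

# Constructed sample manifests standing in for real files on disk.
SAMPLE_MANIFESTS = [
    {"name": "Productivity Helper", "version": "1.4.2", "manifest_version": 3,
     "permissions": ["cookies", "webRequest", "tabs", "storage"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Site Notes", "version": "0.9.0", "manifest_version": 3,
     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
]

if __name__ == "__main__":
    for r in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{r['score']:>3}  {r['name']} {r['version']}  {r['risky_permissions']}")
```

Replace `SAMPLE_MANIFESTS` with `load_manifests(<profile>/Extensions)` to run it against an actual profile; the resulting ranking is the input to the risk-assessment and control steps, not a verdict on its own.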
A list of these compromised extensions can be found here.