The Permission Model

Chrome extensions declare their required permissions in manifest.json. Permissions fall into three categories: API permissions (access to browser APIs like tabs, cookies, history), host permissions (access to page content on specific URLs or all URLs via <all_urls>), and optional permissions (requested at runtime with user consent).

The critical permissions for attackers are host permissions and the APIs they unlock. An extension with "host_permissions": ["<all_urls>"] and the webRequest API can intercept every HTTP request and response from every website you visit β€” including those to banking sites, corporate intranets, and SSO providers. It can read request bodies containing form data and response bodies containing session tokens before they are parsed by the page.

Chrome's installation flow tells users what permissions an extension requires, but the language is often vague and the implications are rarely clear. "Read and change all your data on all websites" is the permission string for what is effectively complete browser traffic interception β€” and users click "Add to Chrome" on extensions showing this permission every day.

What a Malicious Extension Can Actually Do

  • Credential harvesting: Content scripts with access to <all_urls> can hook form submission events and exfiltrate usernames and passwords before they are submitted. This happens in cleartext, before any TLS protection is applied.
  • Session token theft: With the cookies API permission, an extension can read all cookies for all domains β€” including HttpOnly cookies that are normally inaccessible to JavaScript. Auth tokens, session IDs, and remember-me cookies are all readable.
  • Request interception and modification: The webRequest (MV2) or declarativeNetRequest (MV3) APIs allow rewriting requests and responses. A malicious extension can add headers, modify request bodies, or redirect specific URLs silently.
  • DOM manipulation: Content scripts run in the context of every page and can modify the DOM β€” replacing form action URLs with attacker-controlled endpoints, injecting fake login modals, or silently redirecting transactions.
  • Screenshot capture: The tabs.captureVisibleTab() API allows capturing screenshots of the current tab. An extension can take periodic screenshots and exfiltrate them.

Extension Supply Chain Attacks

The most dangerous vector is not a new malicious extension β€” it is a trusted extension that becomes malicious after acquisition or compromise. Popular extensions with millions of users are acquired by adversarial actors who publish a "maintenance update" that adds data collection capabilities. The existing user base auto-updates without review.

The acquisition model is economically rational: buying a popular extension with 500,000 users for $10,000-50,000 gives the buyer immediate access to half a million browsers, with auto-update as the delivery mechanism. The purchased extension pushes an update that adds background exfiltration. The update passes Chrome Web Store review because the core functionality is unchanged β€” only new background network calls appear.

Documented attack (2022-2024): The DataSpii breach involved multiple popular extensions with millions of users being compromised or acquired, then updated to exfiltrate browsing history, session tokens, and page content. Affected extensions included productivity tools and VPN clients with millions of installs.

Real-World Cases

  • The Great Suspender (2021): A popular Chrome extension for tab management was sold to an unknown actor, who pushed an update containing obfuscated malicious code. Google removed it from the Web Store, but users who had auto-updated were already compromised.
  • Stylish (2018): A well-known CSS customisation extension was found to send every URL visited to SimilarWeb servers. 1.8 million users had their complete browsing history harvested without meaningful disclosure.
  • ChatGPT-related malicious extensions (2023): Multiple fake or malicious extensions using ChatGPT branding harvested Facebook session cookies from authenticated users, enabling account hijacking without requiring passwords.
  • Cyberhaven supply chain attack (2024): Cyberhaven's legitimate Chrome extension was compromised via a phishing attack on an employee account, and a malicious version was published that harvested credentials and session cookies. The malicious version was live for approximately 30 hours before detection.

Manifest V3: Security Improvements and Remaining Risks

Chrome's Manifest V3 (MV3) transition removed the synchronous webRequest API that allowed extensions to intercept and modify requests. The replacement, declarativeNetRequest, uses predefined rules rather than arbitrary code β€” limiting real-time request manipulation. This removes some capabilities from malicious extensions.

However, MV3 does not address the fundamental risks: host permissions still grant access to page content on all websites, the cookies API still allows reading all cookies, content scripts still run with access to the full DOM, and compromised extensions still auto-update. The changes reduce some attack surface while preserving the most dangerous capabilities.

Enterprise Controls

  1. Extension allow-listing via Group Policy / MDM: Enterprise Chrome allows administrators to specify exactly which extension IDs are permitted. All other extensions are blocked from installation. This is the most effective control and should be the baseline for all enterprise devices.
  2. Block extensions with dangerous permissions: Use Chrome's ExtensionSettings policy to block any extension that requests host permissions for all URLs, cookie access, or history access β€” regardless of whether it is otherwise trusted.
  3. Enterprise Browser (Chrome Enterprise or Edge for Business): Managed browser instances provide visibility into installed extensions, usage, and can enforce automatic removal of unapproved extensions.
  4. Pin approved extension versions: Use the update_url policy to pin approved extensions to specific versions and prevent auto-update until the new version has been reviewed. This closes the supply chain update window.
  5. Security awareness for BYOD: For employees using personal devices to access corporate resources, ensure that SSO and corporate access is isolated to a managed browser profile that enforces extension restrictions.

For security teams: Audit the extensions installed across your fleet using Chrome reporting APIs or endpoint management tools. Prioritise review for extensions with broad host permissions and for any extension where the developer account has changed ownership in the past 12 months.