A Study on Malicious Browser Extensions in 2025
1st Shreya Singh 2nd Gaurav Varshney 3rd Tarun Kumar Singh 4th Vidhi Mishra
Department of CSE, IIT Jammu Department of CSE, IIT Jammu Department of CSE, IIT Jammu Department of CSE, IIT Jammu
Jammu, India Jammu, India
[email protected] [email protected] [email protected] [email protected]
Abstract—Browser extensions are additional tools developed
by third parties that integrate with web browsers to extend
their functionality beyond standard capabilities. However,
the browser extension platform is increasingly being ex-
ploited by hackers to launch sophisticated cyber threats.
These threats encompass a wide range of malicious activities,
arXiv:2503.04292v1 [cs.CR] 6 Mar 2025
including but not limited to phishing, spying, Distributed
Denial of Service (DDoS) attacks, email spamming, affil-
iate fraud, malvertising, and payment fraud. This paper
examines the evolving threat landscape of malicious browser
extensions in 2025, focusing on Mozilla Firefox and Chrome.
Our research successfully bypassed security mechanisms of
Firefox and Chrome, demonstrating that malicious exten-
sions can still be developed, published, and executed within
the Mozilla Add-ons Store and Chrome Web Store. These
findings highlight the persisting weaknesses in browser’s vet-
ting process and security framework [1]. It provides insights
into the risks associated with browser extensions, helping
users understand these threats while aiding the industry in
developing controls and countermeasures to defend against
such attacks. All experiments discussed in this paper were
conducted in a controlled laboratory environment by the
researchers, adhering to proper ethical guidelines. The sole
purpose of these experiments is to raise security awareness
among the industry, research community, and the general
public.
Index Terms—Browser Extensions, Malicious Browser Ex-
tensions, Attacks due to Extensions.
1. Introduction
The rapid evolution of web browsers has transformed
them from simple tools for accessing websites into sophis-
ticated platforms that support a wide range of functional-
ities. Modern browsers such as Google Chrome, Mozilla
Firefox, and Microsoft Edge not only enable seamless web
browsing but also offer features like bookmarks, history
tracking, and built-in security enhancements. However,
users often demand additional capabilities that extend
beyond these native features, driving the widespread adop-
tion of browser extensions. These extensions, developed
by third parties, allow users to customize and enhance
their browsing experiences, providing tools such as ad
blockers, password managers, and productivity boosters.
Despite their utility, browser extensions represent a
double-edged sword. While they significantly enhance
user convenience, they also introduce numerous security
vulnerabilities. Malicious actors exploit browser exten-
sions to execute sophisticated attacks, including phishing,
Jammu, India Jammu, India
keylogging, spying, data theft, and session hijacking [16].
This dual nature—offering benefits while posing signifi-
cant risks—has made browser extensions a critical focus
of cybersecurity research.
This paper aims to study and experimentally validate
the inherent malicious capabilities of browser extensions,
with a particular focus on Mozilla Firefox and Chrome,
the world’s most widely used browser [1]. By analyzing
real-world examples and examining attack techniques em-
ployed by malicious extensions, the study highlights the
evolving threat landscape posed by browser extensions in
the year 2025. The experiments and findings presented in
this paper are designed to assist internet researchers and
users in understanding these threats, while also guiding the
industry toward the development of effective controls and
countermeasures to mitigate risks associated with browser
extensions.
Ultimately, this research underscores the critical need
for secure practices and policies to protect against browser
extension attacks. It also emphasizes the importance of
striking a balance between providing APIs for extended
functionality and addressing the security risks they intro-
duce, which can often go undetected. While this study
focuses on Google Chrome and Mozilla Firefox, most
modern browsers, including Microsoft Edge, Safari, sup-
port extensions built on standardized APIs. Many of the
attack techniques explored in this paper could be adapted
to other browsers, suggesting a broader industry-wide risk.
1.1. Browser Extensions
Browser extensions [2], [3], developed by third-party
creators, enhance browser functionality by adding diverse
features. However, they also present significant security
risks, as malicious actors exploit them to carry out so-
phisticated attacks, including phishing, spying, DDoS,
email spamming, affiliate fraud, malvertising, and pay-
ment fraud. This paper investigates the vulnerabilities of
current browsers, with a focus on Mozilla Firefox and
Google Chrome due to its widespread use and popularity.
It explores the technical weaknesses in the extension
platform that attackers leverage to execute such mali-
cious activities. By analyzing these vulnerabilities, the
study highlights potential improvements, such as enhanced
vetting processes for extensions, increased user aware-
ness, and stronger security protocols within browsers.
Implementing these measures can mitigate risks, enhance
browser security, and ensure a safer browsing experience
for users.
1.2. Malicious Browser Extension Based Attacks
MBEs are third-party add-ons that exploit browser
APIs to perform unauthorized actions such as data theft,
spying, content manipulation, and session hijacking. In-
creasingly, these extensions, often disguised as produc-
tivity tools, enable attacks including keylogging, data ex-
filtration, malicious code injection, and session hijacking.
Early MBEs (2013–2015) primarily focused on basic data
theft—keylogging (e.g., HoverZoom, 2013) and activity
tracking (e.g., BBC News Reader, 2014)—eroding user
trust. By 2016, attackers employed more advanced tech-
niques such as web request interception (e.g., iCalc, 2016)
and token theft via phishing (e.g., Viralands, 2016). From
2017 onward, MBEs adopted complex payloads for finan-
cial and operational exploitation, including ad fraud (e.g.,
Web Developer, 2017) and proxy-based traffic manipula-
tion (e.g., Dubbed Copyfish, 2017). Recently, supply chain
attacks (e.g., Cyberhaven, 2024) have emerged, where
adversaries compromise trusted developer accounts using
social engineering and OAuth token abuse to deploy mali-
cious updates. Table 1 summarizes notable MBE incidents
from 2013 to 2024, illustrating the shift from opportunistic
attacks to coordinated, high-value campaigns exploiting
browser vulnerabilities.
2. Literature Review on MBEs
Malicious browser extensions (MBEs) increasingly
threaten user privacy by masquerading as benign produc-
tivity tools while covertly stealing data, injecting ads, or
hijacking sessions. Studies such as ParaSiteSnatcher [4]
and Cyberhaven’s Chrome extension [5], [8] illustrate the
multifaceted impact of these threats. Varshney et al. [13]
demonstrated that the inherent access to sensitive browser
APIs enables attackers to execute phishing, spying, DDoS,
email spamming, and affiliate fraud. This vulnerability is
further examined in [15], which highlights how Chrome’s
open extension platform facilitates cyberfraud and cyber-
spying. Chang and Chen’s work [16] emphasizes the risks
of runtime information leakage from extensions, while
Maunder [33] reveals that millions of malicious extensions
can operate undetected. At DEF CON 32, SquareX [25]
showed that even with Google’s Manifest V3 framework,
MBEs can bypass security measures, stealing live streams,
cookies, and user credentials. Collectively, these studies
underscore the need for enhanced detection strategies and
stricter controls, as the evolving threat landscape suggests
that MBEs will continue to pose significant risks into
2025.
Several studies have proposed techniques to detect and
mitigate malicious browser extensions. Wang et al. [27]
introduced a machine-learning model that combines static
and dynamic analyses of JavaScript, HTML, and CSS
to classify extensions with over 95% accuracy. Kaushik
et al. [28] advocate for continuous monitoring through
enhanced permission management, API tracking, and real-
time behavior analysis to preemptively block harmful
extensions. Varshney and Misra [29] revealed a phishing
vector called Browshing, where extensions mimic legiti-
mate sites to steal sensitive information, underscoring the
need for targeted phishing detection. Kapravelos et al. [30]
examined methods to induce and identify malicious behav-
ior by probing unauthorized data access and page content
tampering. Shahriar et al. [31] proposed a hybrid approach
that monitors API calls and user interactions to detect
both known and unknown threats. Pantelaios et al. [32]
developed a method based on analyzing code update deltas
to flag potentially harmful modifications, while Moreno et
al. [34] critically assessed the Chrome Web Store’s vetting
process, revealing that techniques like repackaging and
obfuscation can allow malicious extensions to bypass both
automated and manual reviews. Despite advancements
such as Manifest V3 and sophisticated machine-learning
scans, evasion strategies like delayed execution and per-
mission escalation remain effective, highlighting the need
for stricter sandboxing, refined permission models, and
real-time monitoring.
3. Advancements and Limitations in Browser
Extension Security (2012–2024)
From 2012 to 2024, major web browsers, including
Google Chrome and Mozilla Firefox, have made signifi-
cant advances in improving extension security to combat
persistent threats posed by malicious browser extensions.
Initially, both Chrome and Firefox allowed extensive ac-
cess to browser APIs, making it easier for attackers to
exploit vulnerabilities for data theft, phishing, and mal-
ware injection [12], [13]. In response to growing threats,
Google introduced Manifest V3 (MV3) in 2018, impos-
ing stricter permission requirements, reducing access to
sensitive APIs, and replacing the Web Request API with
a more restrictive Declarative Net Request (DNR) API.
These measures aimed to limit data abuse by malicious
extensions while maintaining essential functionality [16],
[18]. Additionally, Google improved its Chrome Web
Store review process by implementing automated and
manual checks to detect malicious behavior before pub-
lication [14]. Mozilla Firefox, on the other hand, refined
its WebExtensions API, enforcing stricter sandboxing and
requiring explicit user consent for sensitive permissions.
Unlike Chrome, however, Firefox does not enforce a com-
plete transition to an MV3-like model, keeping the Web
Request API accessible, which allows developers greater
flexibility but also introduces security risks.
Other browsers, including Microsoft Edge and Sa-
fari, have aligned their security models with Chrome and
Firefox, adapting their extension frameworks to balance
security and developer accessibility. Microsoft Edge, built
on Chromium, follows Chrome’s MV3 policies, benefiting
from the same security updates. Safari has focused on pri-
vacy protections by enforcing stricter permission requests
and isolating extensions to limit their access to user data.
Despite these advancements, malicious browser extensions
continue to evade detection through sophisticated tech-
niques. Extensions often obscure their true intent using
obfuscated code or delay activation of malicious behavior
until after review [25]. Cybercriminals frequently update
extensions with malicious code or republish previously
removed extensions under new names, bypassing detection
mechanisms [26]. While Chrome’s MV3 restricts API
access, Firefox’s more permissive approach allows for
broader functionality, which can be exploited by malicious
extensions.
 TABLE 1. M ALICIOUS E XTENSION BASED ATTACKS (2013-2024) [6], [7], [5], [8], [9], [10], [13], [26]

Extension (Year) Attack Type Description

HoverZoom (2013) Keylogging Browse images on websites by hovering. Collecting online form data
and selling users’ keystrokes.
Tweet This Page (2014) Content Injection Tweet a Page. Turned into an ad-injecting machine; started hijacking
Google searches.
BBC News Reader (2014) Spying Get latest news and articles. Tracks user browsing data.
Autocopy (2014) Spying Select text and automatically copy to the clipboard. Sends a lot of
user data back to its servers.
Hola Unblocker (2015) DDoS Easy-access to region blocked content. Bandwidth from users being
sold to cover costs (powers botnets for attack).
Marauder’s Map (2015) Spying Plot your friends’ location data from Facebook on a map. A hacker
can know if you’re not home, shops you visit frequently, who you
spend most time with.
Viralands (2016) Phishing “Verify your age” to access restricted content. Access to Facebook
access token; login credentials stolen.
iCalc (2016) Webpage Manipulation Functional Calculator. Creates a proxy and intercept web requests,
taking commands and updates from a domain.
Dubbed Copyfish (2017) Mal-Ads Extract text from images, PDFs, videos. Equipped with ad injection
capabilities.
Web Developer (2017) Affiliate Fraud Adds a toolbar button to the browser with web developer tools.
Substitute ads on browser, hijacking traffic from legit ad networks.
Nano Adblocker/Nano Defender (2020) Spying Adblocker. Collected user data and sent it to remote servers.
The Great Suspender (2021) Malware Suspends unused tabs to save memory. Injected malicious code to steal
data.
SessionManager (2022) Data Theft Manage browser sessions. Stole session cookies and other data.
Sakula Rat (2023) Remote Access Trojan Used for APT campaigns. Allowed remote control and data exfiltration
from infected browsers.
Session Stealer (2023) Hijacking Manage browser sessions. Stole active session cookies to hijack ac-
counts.
Cyberhaven (2024) Supply Chain Compromised via phishing targeting developer accounts. Distributed
malicious versions, stealing Facebook access tokens and bypassing
2FA.
StealthSpy (2024) Spying Disguised as a productivity enhancer. Secretly records browsing his-
tory and keylogs sensitive data.
AdSkimmer Pro (2024) Ad Fraud Claimed to block ads. Injected its own ads and skimmed affiliate
commissions from legitimate sites.
QuickAccess Helper (2024) Phishing Promised faster access to commonly visited sites. Redirected users to
phishing pages that stole credentials.

Our research involved creating and testing multiple
extensions to evaluate their impact on privacy and security.
Minimal permissions—such as activeTab, scripting, and
storage—were sufficient for executing harmful actions,
making these tools easy to develop even for low-skilled
attackers. For example, the Cookie Stealing and Keylogger
Extensions accessed login credentials and cookies, exfil-
trating this data to remote servers. The Screenshot Capture
and History Tracker Extensions covertly recorded user
activity, offering attackers insights into browsing behavior.
Notably, Chrome’s Web Store exhibited stricter security
policies, flagging high-risk behaviors like unauthorized
cookie access, keystroke logging, and direct DOM ma-
nipulation, while Firefox’s Add-ons Store showed greater
susceptibility to obfuscation techniques. Extensions de-
signed to modify web content, inject ads, or track user
activity were more likely to pass Firefox’s review when
disguised as productivity tools.
Despite security enhancements, certain types of ex-
tensions, such as those that manipulate browsing his-
tory or automate actions like liking content, continue to
evade detection. Recent attacks in 2024 further exposed
browser vulnerabilities. Extensions like DataPhisher and
StealthSpy bypassed detection with advanced obfuscation,
harvesting credentials and manipulating web traffic [26].
While MV3 restricted direct network access in Chrome,
attackers leveraged injected scripts and permission abuse
to achieve similar results. Firefox’s continued support for
the Web Request API increased its exposure to data in-
terception threats. Case studies from 2024 illustrate these
risks. Cyberhaven revealed how a supply chain attack
compromised developer accounts to distribute extensions
that stole Facebook access tokens and bypassed two-factor
authentication. StealthSpy, initially marketed as a pro-
ductivity tool, later functioned as a keylogger, capturing
user keystrokes via Chrome’s scripting API. AdSkimmer
Pro, disguised as an ad-blocker, injected advertisements
and intercepted affiliate revenue, causing financial losses.
QuickAccess Helper, promoted as a browsing speed en-
hancer, redirected users to phishing sites for credential
theft.
These incidents highlight the need for stronger security
measures across all browsers [5], [8], [9], [10]. While
Chrome’s MV3 has reduced attack vectors, threat actors
continue adapting. Firefox’s lenient API policies present
trade-offs between security and flexibility, while Edge and
Safari face similar challenges. Continuous improvements
in anomaly detection, stricter vetting, and behavioral anal-
ysis are essential to mitigating the ongoing risks posed by
browser extensions.
4. Malicious Browser Extensions: Threat
Landscape in 2025
Malicious Browser extensions represent a growing
threat to user data privacy and security. This section
explores the various types of threats posed by these ex-
tensions in the year 2025 and discusses their implications.
The study in this section has been done by the authors in
their laboratory environment over a period of 6 months.
The researchers were motivated to build a set of extensions
over MV3 for chrome and MV2 for firefox and using the
existing APIs exposed by Chrome and Mozilla till Decem-
ber 2024 to cause a security or privacy issue to the user
that installs the extensions. The extensions developed were
tested by another researcher and verified to be working
fine over their browsers before including them into the set
of extensions discussed in this paper. Due to the reason
that such extensions can be misused and to not provide
an easy-to-build environment of such extensions to script
kiddies, only a portion of the codes of the extension
is displayed here and no completed code reference has
been hosted at any platform. The researchers have studied
past work and extensions and tested through experiments
whether the threats raised via researchers in the past are
still there or are patched and whether there are possibilities
of new, more capable malicious extensions that can be
developed with the new set of APIs which are available to
third-party developers. We have discussed some important
malicious browser extensions that we experimented and
tested during our study. We classified various extensions
that we studied based on the types of threat they pose into
the below given 5 classes:
• Data Stealing Extensions : Data theft is a pri-
mary concern associated with malicious Browser
extensions. These extensions can harvest sensitive
information such as names, addresses, phone num-
bers, and email addresses. Furthermore, they are
capable of capturing login credentials and stealing
financial information such as credit card numbers
and bank account details.
• Monitoring and Surveillance Extensions : Ma-
licious extensions often include monitoring and
surveillance capabilities. They can track users’
browsing history, record keystrokes through key-
logging techniques, and even take screenshots of
users’ screens without their knowledge or consent.
This surveillance can compromise users’ privacy
and expose sensitive information. Privacy invasion
is another significant threat posed by malicious
Browser extensions. These extensions may access
a user’s camera and microphone without autho-
rization, potentially recording audio and video.
Additionally, they can track a user’s physical lo-
cation using geolocation APIs, exploiting this in-
formation for malicious purposes.
• Content Manipulation Extensions : Manipula-
tion of web content by malicious extensions is
a tactic used to deceive users and achieve nefar-
ious goals. Extensions can inject advertisements
into web pages, modify content to mislead users,
and employ social engineering techniques to trick
users into divulging sensitive information.
• Request Forgery Extensions : These extensions
focus on state-changing actions without user con-
sent. They can manipulate web requests to exe-
cute unauthorized actions such as changing user
settings, submitting forms, or initiating financial
transactions. These activities can lead to unautho-
rized access, data breaches, and exploitation of
users’ online accounts.
• Miscellaneous Extensions : Malicious Browser
extensions are adept at bypassing security mech-
anisms designed to protect users. They can avoid
detection by security tools, and exploit vulnerabil-
ities in browsers or other software [26]. Further-
more, they may engage in network-based attacks
to disrupt users’ Internet connections and prop-
agate themselves via social engineering tactics.
Additionally, some extensions are specifically de-
signed to manipulate the appearance or functional-
ity of websites, such as altering background colors
or injecting hidden elements into the page. While
these may seem innocuous at first glance, they can
be used for malicious purposes such as redirecting
users to fraudulent sites or tricking them into
revealing sensitive information. Furthermore, ma-
licious extensions can pose risks through deceptive
actions, such as impersonating legitimate tools or
services.
5. Experimenting Browser MBEs in 2025
During our research one of our major contribution is
that we have created a set of innovative malicious browser
extensions from the past based on the categorization of
malicious actions described in the threat model and re-
alized their execution on the latest and Chrome browser
Version 131.0.6778.20 and and Firefox browser Version
123.0. While we discuss the high-level functionality and
provide key snapshots of these extensions, we have de-
liberately withheld the complete code to prevent misuse
by malicious actors and script kiddies. To assess whether
the created malicious extensions could bypass Chrome
Web Store’s and Mozilla Add-On’s vetting process, we at-
tempted to submit sample extensions. The extensions that
requested excessive permissions or contained obfuscated
code were flagged during automated scans. However,
those mimicking legitimate functionality with delayed ma-
licious behavior remained undetected, highlighting gaps
in security review system. This research provides insights
into the evolving threat landscape and highlights how such
extensions can compromise privacy and security.
5.1. Cookie Stealing Extension
The cookie-stealing extension represents a critical se-
curity threat by demonstrating how malicious browser
extensions can access and log important access tokens
such as cookies without user consent. Attackers can use
this method to hijack user sessions, steal authentication
tokens, and exfiltrate sensitive information.
The extension operates by listening for specific
messages from the browser, particularly those request-
ing cookie information. Upon receiving such a re-
quest, it extracts the domain from the active tab’s URL
and utilizes the chrome.cookies.getAll (for Chrome) or
browser.cookies.getAll (for Firefox) [17] API to retrieve all
cookies associated with that domain. The extension then
logs these cookies, including their names and values, and
exfiltrates them to a remote server using a JavaScript Fetch
API request. This method allows attackers to gain access
to users’ authentication tokens, leading to session hijack-
ing and unauthorized account access. The permissions
required for this operation include cookies, activeTab, and
storage as shown in Figure 1.
Figure 1. Cookie stealing operation in Chrome and Firefox extensions.
5.2. Keylogger Extension
Keyloggers remain one of the most severe security
threats in the digital landscape, as they covertly cap-
ture sensitive user inputs, including passwords, personal
messages, and financial details. The implementation of a
keylogger through a browser extension allows for discreet
data collection without the user’s awareness.
In this study, we implemented a keylogger using both
Chrome and Firefox extensions to analyze its feasibility
and impact. The extension works by injecting an event
listener into web pages to monitor keypress events. The
collected keystrokes are then sent to a background script
that processes and logs them. The background script lis-
tens for messages from the content script and retrieves
recorded keystrokes, which are processed and sent to an
external server for storage.
When a message of type getKeys is received, the
background script queries the currently active tab us-
ing chrome.tabs.query (Chrome) or browser.tabs.query
(Firefox) [18]. The recorded keystrokes are then for-
warded using chrome.tabs.sendMessage (Chrome) or
browser.tabs.sendMessage (Firefox) [18], as shown in Fig-
ure 2. The extension requires activeTab, scripting, and
storage permissions.
Figure 2. Keylogger operation in Chrome and Firefox extensions.
5.3. Screenshot Capture by Browser Extension
Malicious browser extensions can covertly capture
screenshots of the active tab, potentially exposing sen-
sitive data such as credentials, financial transactions, and
private communications. This capability enables attackers
to extract information from restricted web applications and
compromise user security.
The extension’s background script initializes upon
installation using chrome.runtime.onInstalled.addListener
(Chrome) or browser.runtime.onInstalled.addListener
(Firefox) [21]. The extension monitors tab activity
using chrome.tabs.onUpdated.addListener (Chrome)
or browser.tabs.onUpdated.addListener (Firefox) [18],
ensuring it captures screenshots as soon as a user
navigates to a new webpage. The captured screenshot is
then forwarded to an attacker-controlled server via an
HTTP request.
The captureAndDownloadScreenshot function
utilizes chrome.tabs.captureVisibleTab (Chrome) or
browser.tabs.captureVisibleTab (Firefox) [18] to take
a PNG-format screenshot. The required permissions
include tabs, activeTab, scripting, and storage as shown
in Figure 3.
Figure 3. Screenshot capture process in Chrome and Firefox extensions.
5.4. History Tracker by Browser Extension
This extension falls under the category of privacy inva-
sion and data exfiltration attacks. By leveraging browser
APIs, it collects users’ browsing history, which can be
used for profiling, targeted phishing, and user behavior
analysis.
The extension accesses historical browsing data using
chrome.history.search, chrome.history.getVisits (Chrome)
or browser.history.search, browser.history.getVisits (Fire-
fox) [22]. It logs the extracted URLs along with times-
tamps and user interactions, creating a comprehensive
record of the user’s online activity. The data is then
transmitted to an external server controlled by the attacker.
The permissions required include history, tabs, script-
ing, and storage. Figure 4 demonstrates this extension’s
activity.
Figure 4. Demonstration of a history-tracking extension in Chrome and
Firefox.
5.5. Auto-Like YouTube Videos
The Auto-Like YouTube Videos extension demon-
strates how browser extensions can manipulate engage-
ment metrics on social media platforms. This manipula-
tion affects content ranking algorithms and distorts user
engagement patterns.
The extension monitors YouTube pages for video el-
ements and automatically triggers a “Like” action when
a user hovers over a video thumbnail. It does this using
document.querySelector to detect the YouTube like but-
ton and executes a simulated click event. The extension
employs MutationObserver [24] to ensure the auto-like
functionality persists across dynamic page changes. This
method can be leveraged by malicious actors to artificially
inflate video rankings and influence recommendations.
The required permissions include tabs, activeTab,
scripting, and storage. Figure 5 illustrates this behavior.
Figure 5. YouTube Auto-Like Extension in Chrome and Firefox.
5.6. Manipulation of Web Content by Browser
Extensions
This extension dynamically modifies web content, pos-
ing significant security risks such as phishing, deceptive
redirects, and unauthorized content injection. Attackers
can use such extensions to alter webpage elements, ma-
nipulate hyperlinks, or inject malicious advertisements,
leading to data theft or fraud.
The extension operates by leveraging the MutationOb-
server API [24] to monitor DOM changes. It continuously
scans for specific elements, such as anchor tags, and
replaces their href attributes to redirect users to attacker-
controlled domains. This technique allows attackers to
conduct phishing attacks by redirecting users to fraud-
ulent login pages or injecting rogue advertisements onto
legitimate websites as shown in Figure 6. .
Chrome and Firefox both allow extensions to modify
web content, but their implementation of security restric-
tions varies. Chrome’s MV3 model imposes stricter limita-
tions on dynamic script execution, whereas Firefox retains
more flexibility, allowing direct script manipulation in
certain contexts. This distinction impacts the effectiveness
of security policies designed to mitigate such threats.
Figure 6. JavaScript code snippet for dynamic link modification in
Chrome and Firefox extensions.
5.7. Camera Auto On by Browser Extension
Unauthorized camera access remains a significant
privacy threat posed by malicious browser extensions.
This extension demonstrates how an attacker can exploit
navigator.mediaDevices.getUserMedia to activate a user’s
camera without explicit consent.
Upon installation, the extension injects JavaScript
into webpages using chrome.scripting.executeScript
(Chrome) or browser.scripting.executeScript
(Firefox) [18], ensuring it runs persistently in the
background. The extension listens for browser
events using chrome.tabs.onUpdated.addListener or
browser.tabs.onUpdated.addListener, allowing it to
activate the camera each time the user loads a webpage.
Once triggered, it automatically enables video recording
and streams the feed to an external server.
While Chrome and Firefox enforce user permission
requests for media access, extensions with broad per-
missions can manipulate these settings post-installation,
creating a persistent security risk. Figure 7 illustrates this
exploit.
Figure 7. Camera Auto On Extension Script Injection in Chrome and
Firefox.
5.8. Injecting Advertisement through Browser
Extensions
One of the browser extensions we analyzed is the
“Inject Advertisement” extension, which falls under Un-
wanted Ad Injection attacks. This type of extension dis-
rupts user experience by injecting unauthorized adver-
tisements onto web pages without consent. These ads
typically appear as floating banners, pop-ups, or over-
lays positioned over legitimate content, often redirecting
users to external sites, some of which may be fraudu-
lent or malicious. The extension dynamically creates an
advertisement container, a div element, positioned in the
bottom-right corner of the screen. This container contains
a header, descriptive text, and a close button, although
some malicious versions prevent users from dismissing
the ad. The core functionality is implemented via the
injectAd() function, as shown in Figure 8, which uses
JavaScript to create and style the advertisement before
appending it to the webpage’s DOM. The extension listens
for page load events using window.onload and employs the
MutationObserver API to detect dynamic content changes,
ensuring the ad persists even when users navigate between
pages.
Although the extension only requires the activeTab
permission, more advanced versions may request storage
for tracking user interactions, cookies for targeted ad injec-
tion, and webRequest to manipulate network traffic. Such
extensions can pose serious security risks, including click
fraud, traffic hijacking, and phishing attacks by disguising
ads as legitimate notifications or login prompts. Addition-
ally, attackers can replace genuine ads with their own,
diverting revenue from website owners. Some variants use
drive-by downloads to deliver malware upon interaction
with the ad.
Figure 8. JavaScript code snippet for dynamic advertisement injection.
5.9. Email Inbox Spying by Browser Extensions
This extension highlights the privacy risks posed by
unauthorized email monitoring. By exploiting browser
APIs, it enables attackers to track unread emails, extract
metadata, and manipulate webmail interfaces without the
user’s knowledge. The extension operates by monitoring
the DOM for elements representing unread emails. It
identifies and highlights specific email classes, such as .zE
in Gmail, using JavaScript. Once identified, it modifies the
CSS properties of these elements, making them visibly
distinct (e.g., changing the background color to yellow,
#ffeb3b). Additionally, the extension logs email metadata
and transmits it to an external server, facilitating targeted
phishing attacks.
Chrome and Firefox impose different restrictions on
DOM manipulation by extensions. While Chrome’s MV3
enforces stricter execution policies, Firefox’s WebExten-
sions API allows broader modifications, increasing poten-
tial security risks.
The extension requires minimal permis-
sions—scripting, storage, and activeTab—to perform
these operations effectively. Figure 9 illustrates a
JavaScript snippet demonstrating this attack.
Figure 9. JavaScript code snippet for highlighting unread emails in
Chrome and Firefox.
5.10. Analysis and Observations
Our research involved creating and testing multiple
malicious browser extensions to evaluate their impact on
privacy and security. A key finding is that minimal per-
missions—such as activeTab, scripting, and storage—are
sufficient for executing harmful actions, making these
tools easy to develop even for low-skilled attackers. For
example, the Cookie Stealing and Keylogger Extensions
accessed sensitive data like login credentials and cook-
ies, then exfiltrated this information to remote servers.
Similarly, the Screenshot Capture and History Tracker
Extensions covertly recorded user activity and captured
screenshots, providing attackers with detailed insights into
browsing behavior. When evaluating the security mea-
sures of Chrome and Firefox extension stores, we ob-
served notable differences in their ability to detect and
block malicious extensions. Chrome’s Web Store exhib-
ited stricter security policies, flagging high-risk behaviors
such as unauthorized cookie access, keystroke logging,
and direct DOM manipulation. Extensions attempting to
modify browsing history or inject advertisements were
often detected and removed during the review process.
On the other hand, Firefox’s Add-ons Store demonstrated
greater susceptibility to bypass techniques, particularly
when malicious behavior was obfuscated within exten-
sions that appeared to provide legitimate functionality.
For instance, extensions that manipulated web content,
injected ads, or tracked user activity were more likely to
pass Firefox’s review when disguised as productivity tools
or interface enhancements. Additionally, we successfully
created a To-Do List Extension on Mozilla that con-
tained obfuscated malicious code to inject advertisements,
which successfully bypassed Mozilla’s review process
and remains active on the Add-ons Store [37]. Similarly,
we developed a 25-Minute Timer Extension on Mozilla
that included hidden functionality for automatically liking
YouTube videos, demonstrating that extensions with be-
nign primary functions can effectively disguise malicious
intent and evade detection [36]. On Chrome, we created
an extension that displayed a pop-up showing YouTube
access time while secretly implementing an auto-liking
mechanism for YouTube videos. This extension was suc-
cessfully published on the Chrome Web Store and remains
active, highlighting weaknesses in Chrome’s automated
review process for behavioral detection [35].
Despite Chrome’s stronger enforcement mechanisms,
certain types of extensions, such as those designed for
auto-liking content and modifying browsing history, could
still evade detection by embedding their malicious logic
within seemingly harmless scripts. Similarly, Firefox’s
review process was found to be more lenient toward
extensions with broad permissions, allowing them to per-
form unauthorized data collection and behavioral tracking
under the guise of enhancing user experience. The Camera
Auto-On Extension further demonstrated the risks posed
by persistent permissions, as it was capable of secretly
activating a user’s camera on both browsers, albeit with a
higher likelihood of detection in Chrome due to its stricter
permission review system.
Table 2 provides a comparative analysis of these exten-
sions, detailing their capabilities, exploited APIs, required
permissions, and the likelihood of bypassing security mea-
sures in Chrome and Firefox. Although both browsers
employ security mechanisms, the deceptive tactics used
by these extensions highlight significant gaps in the re-
view process, particularly in Firefox’s ability to detect
obfuscated threats. These findings emphasize the need
for more rigorous permission validation, improved static
 TABLE 2. D ETAILED D ISCUSSION OF M ALICIOUS B ROWSER E XTENSIONS C REATED AND T HEIR B YPASSING P OTENTIAL
Name Description
Cookie Stealing Exten- Steals cookies, enabling ses-
sion sion hijacking and unautho-
rized access to user accounts.
Keylogger Extension Captures keystrokes to steal
sensitive information such as
passwords, credit card num-
bers, and personal messages.
Screenshot Capture Secretly captures screenshots
Extension of the user’s activity and ex-
filtrates the data to a remote
server for malicious purposes.
History Tracker Exten- Surreptitiously monitors and
sion logs browsing history, enabling
user profiling and data exfiltra-
tion to external servers.
Auto-Like YouTube Manipulates user engagement
Videos Extension on YouTube by automatically
liking videos, skewing algo-
rithms, and distorting user ac-
tivity.
Manipulation of Web Alters webpage content to trick
Content Extension users into phishing schemes,
redirecting them to malicious
websites, or stealing sensitive
information.
Camera Auto On Ex- Activates the user’s camera
tension without consent, enabling re-
mote surveillance and pri-
vacy violations, and sending
recorded video to a backend
server.
Injecting Adver- Injects unwanted ads that could
tisement Malicious lead to phishing attacks, mal-
Extension ware downloads, or disturb
user experience.
Email Inbox Spying Monitors and manipulates un-
Extension read email indicators in web-
mail, enabling surveillance of
private communication and ex-
filtrates email data.
API Exploited Required Scripts Permissions Lines of Code Chrome Web Store Mozilla Add-on Store
chrome.cookies.getAll, Background Script cookies, activeTab, 20-30 Not Possible – Requires Successfully Published on
Fetch API storage cookies permission, de- Add-on Store for Mozilla
tected easily – Can be obfuscated in a
sync manager
chrome.tabs.query, Content & Back- activeTab, scripting, 70-90 Not Possible – Keyboard Successfully Published on
chrome.tabs.sendMessage ground Script storage event tracking flagged Add-on Store for Mozilla
– If embedded in a typing
tool
chrome.tabs.captureVisible Background Script tabs, activeTab, script- 30-40 Not Possible – Screenshots Successfully Published on
Tab, Fetch API ing, storage trigger manual review Add-on Store for Mozilla –
Can justify as a productiv-
ity tool
chrome.history.search, Background Script history, tabs, scripting, 40-50 Not Possible – Brows- Successfully Published on
chrome.history.getVisits storage ing history requires permis- Add-on Store for Mozilla –
sions If marketed as ”Browsing
Insights”
MutationObserver, Background Script tabs, activeTab, script- 40-50 Successfully Published on Successfully Published on
document.querySelector ing, storage Chrome Web Store – If em- Add-on Store for Mozilla –
bedded in focus tools [35] Easily hidden in productiv-
ity tools [36]
MutationObserver, Content & Back- scripting, tabs, storage 50-60 Not Possible – DOM mod- Successfully Published on
chrome.scripting.execute ground Script ification triggers review Add-on Store for Mozilla
Script – If disguised as a UI en-
hancement
navigator.mediaDevices. Background Script camera, tabs, scripting 35-45 Not Possible – Direct cam- Successfully Published on
getUserMedia, era activation blocked Add-on Store for Mozilla –
chrome.scripting.execute Possible with delayed trig-
Script gers
document.createElement, Content & Back- activeTab 30-40 Possible – Can be hidden Successfully Published on
docu- ground Script in UI tweaks Add-on Store for Mozilla
ment.body.appendChild – If positioned as a cus-
tomization tool [37]
document.querySelector, Content & Back- scripting, storage, ac- 20-30 Not Possible – Gmail Successfully Published on
chrome.scripting.execute ground Script tiveTab tracking gets flagged Add-on Store for Mozilla
Script – Can blend into ”Email
Organizer”

and dynamic analysis tools, and enhanced monitoring particularly in Firefox’s review process, by integrating en-
mechanisms to prevent unauthorized access to user data hanced static and dynamic analysis techniques capable of
and mitigate the risks posed by malicious extensions. detecting obfuscation and hidden payloads. Additionally,
real-time monitoring mechanisms should be implemented
6. Conclusions to detect behavioral anomalies even after an extension has
been approved. Ensuring that updates to extensions un-
Browser extensions, while offering enhanced function- dergo rigorous security checks, rather than relying solely
ality, pose a significant threat to user privacy and security on pre-approval evaluations, is crucial for mitigating post-
due to their vulnerabilities. This study has demonstrated publication risks. Simultaneously, users must be educated
how malicious browser extensions can exploit minimal on the dangers posed by browser extensions and encour-
permissions to execute attacks such as data theft, surveil- aged to grant permissions judiciously.
lance, and unauthorized content manipulation. A key find- Future research should focus on improving real-time
ing is the disparity between Chrome and Firefox in de- behavioral analysis of browser extensions, refining per-
tecting and mitigating these threats. While Chrome’s Web mission models, and establishing industry-wide vetting
Store enforces stricter security measures, blocking many standards to mitigate these persistent threats. In particu-
high-risk behaviors such as unauthorized cookie access lar, developing sophisticated anomaly detection techniques
and keystroke logging, Firefox’s Add-ons Store remains and fostering collaboration between browser vendors, se-
more susceptible to bypassing techniques, particularly curity researchers, and policymakers can enhance the ef-
when malicious behavior is obfuscated within seemingly fectiveness of existing defenses. Standardizing permission
benign extensions. transparency and incorporating automated rollback mech-
Alarmingly, despite extensive research, the solutions anisms for post-publication updates will be critical steps
proposed by the academic and cybersecurity community in strengthening browser extension security. Ultimately,
are rarely implemented in real-world scenarios. The ability bridging the gap between theoretical security measures
of attackers to disguise malicious intent within productiv- and their real-world implementation is essential. Without
ity or customization tools highlights critical weaknesses in proactive efforts from the industry and researchers, ma-
the current extension vetting process. Moreover, creating licious extensions will continue to exploit vulnerabilities,
and distributing malicious extensions remains alarmingly posing a persistent threat to the digital ecosystem.
simple, and current security measures fail to address the
risks posed by post-publication modifications. Once an
extension is approved and published, there is little over- References
sight ensuring that subsequent updates do not introduce
malicious functionalities. This gap in continuous security
[1] BrowserStack, ”Understanding browser market share,” 2024.
monitoring exposes users to persistent cyber threats. [Online]. Available: https://www.browserstack.com/guide/
Addressing these challenges requires a multi-faceted understanding-browser-market-share#:∼:text=in%20their%
approach. Browser vendors must enforce stricter policies, 20positions.. [Accessed: Jan. 8, 2025].
[2] A. Bridgwater, ”How browser extensions work,” *Forbes*, [17] Google Developers, ”Chrome Extension Cookies API,” 2024.
Apr. 16, 2019. [Online]. Available: https://www.forbes.com/sites/ [Online]. Available: https://developer.chrome.com/docs/extensions/
adrianbridgwater/2019/04/16/how-browser-extensions-work/. [Ac- reference/api/cookies. [Accessed: Jan. 8, 2025].
cessed: Jan. 8, 2025]. [18] Google Developers, ”Chrome Extension Tabs API,” 2024. [Online].
[3] J. Corpuz, ”41 best Google Chrome extensions,” *Tom’s Available: https://developer.chrome.com/docs/extensions/reference/
Guide*, 2017. [Online]. Available: https://www.tomsguide. api/tabs. [Accessed: Jan. 8, 2025].
com/us/pictures-story/283-best-google-chrome-extensions.html. [19] P. Tuli and P. Sahu, ”System monitoring and security using key-
[Accessed: Jan. 8, 2025]. logger,” Int. J. Comput. Sci. Mobile Comput., vol. 2, pp. 106–111,
[4] Trend Micro, “ParaSiteSnatcher: How Malicious Chrome 2013.
Extensions Target Brazil,” Dec. 2023. [Online]. Avail- [20] I. Kantor, ”Keyboard: keydown and keyup,” 2017. [Online].
able: https://www.trendmicro.com/en in/research/23/k/ Available: https://javascript.info/keyboard-events. [Accessed: Jan.
parasitesnatcher-how-malicious-chrome-extensions-target-brazil-. 8, 2025].
html [21] Google Developers, ”Chrome Extension Runtime API,” 2024.
[5] Cyberhaven Engineering Team, ”Cyberhaven’s Preliminary [Online]. Available: https://developer.chrome.com/docs/extensions/
Analysis of the Recent Malicious Chrome Extension,” reference/api/runtime. [Accessed: Jan. 8, 2025].
Cyberhaven Engineering Blog. [Online]. Available: [22] Google Developers, ”Chrome Extension History API,” 2024.
https://www.cyberhaven.com/engineering-blog/cyberhavens- [Online]. Available: https://developer.chrome.com/docs/extensions/
preliminary-analysis-of-the-recent-malicious-chrome-extension. reference/api/history. [Accessed: Jan. 8, 2025].
[Accessed: Jan. 9, 2025].
[23] Google Developers, ”Chrome Extension Scripting API,” 2024.
[6] SoyaCincau, ”Chrome Extension AdBlocker Infected [Online]. Available: https://developer.chrome.com/docs/extensions/
with Malware – Nano Adblocker and Nano Defender,” reference/api/scripting. [Accessed: Jan. 8, 2025].
SoyaCincau, Oct. 21, 2020. [Online]. Available:
https://soyacincau.com/2020/10/21/chrome-extension-adblocker- [24] MDN Web Docs, ”MutationObserver,” 2024. [Online].
infected-malware-nano-adblocker-nano-defender/. [Accessed: Jan. Available: https://developer.mozilla.org/en-US/docs/Web/API/
9, 2025]. MutationObserver. [Accessed: Jan. 8, 2025].
[25] SquareX, ”Millions of enterprises at risk: SquareX
[7] The Hacker News, ”Warning: Hugely Popular ’Great Suspender’
shows how malicious extensions bypass Google’s MV3
Chrome Extension Found Spreading Malware,” The Hacker News,
restrictions,” presented at DEF CON 32, Oct. 2024.
Feb. 2021. [Online]. Available: https://thehackernews.com/2021/
[Online]. Available:https://www.globenewswire.com/news-
02/warning-hugely-popular-great-suspender.html. [Accessed: Jan.
release/2024/10/03/2957857/0/en/Millions-of-Enterprises-at-
9, 2025].
Risk-SquareX-Shows-How-Malicious-Extensions-Bypass-Google-
[8] The Hacker News, ”16 Chrome Extensions Hacked, Exposing s-MV3-Restrictions.htmll
Millions of Users to Malicious Attacks,” The Hacker News, Dec.
[26] BleepingComputer, ”New details reveal how hackers hijacked
16, 2024. [Online]. Available: https://thehackernews.com/2024/12/
35 Google Chrome extensions,” 2024. [Online]. Available:
16-chrome-extensions-hacked-exposing.html. [Accessed: Jan. 9,
https://www.bleepingcomputer.com/news/security/new-details-
2025].
reveal-how-hackers-hijacked-35-google-chrome-extensions/.
[9] Ars Technica, ”Popular Chromium Ad Blockers Caught Stealing [Accessed: Jan. 8, 2025].
User Data and Accessing Accounts,” Ars Technica, Oct. [27] Y. Wang, W. Cai, P. Lyu, and W. Shao, Detecting malicious browser
2020. [Online]. Available: https://arstechnica.com/information- extensions, Northwestern Polytechnical University, Xi’an, 2018.
technology/2020/10/popular-chromium-ad-blockers-caught-
stealing-user-data-and-accessing-accounts. [Accessed: Jan. 9, [28] K. Kaushik, S. Aggarwal, S. Pandey, S. Mudgal, and S. Garg,
2025]. Investigating and safeguarding the web browsers from malicious
web extensions, Univ. Petroleum Energy Studies, Dehradun, India,
[10] Field Effect, ”33 Chrome Extensions Found to Be Malicious,” 2021.
Field Effect Blog. [Online]. Available: https://fieldeffect.com/blog/
33-chrome-extensions-found-to-be-malicious. [Accessed: Jan. 9, [29] G. Varshney and M. Misra, Browshing: A new way of phishing us-
2025]. ing a malicious browser extension, Indian Inst. Technol., Roorkee,
India, 2016.
[11] M. Maunder, ”PSA: 4.8 million affected by Chrome exten-
sion attacks targeting site owners,” *Wordfence Blog*, Aug. 17, [30] A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V.
2017. [Online]. Available: https://www.wordfence.com/blog/2017/ Paxson, Hulk: Eliciting malicious behavior in browser extensions,
08/chrome-browser-extension-attacks/. [Accessed: Jan. 8, 2025]. Univ. California Santa Barbara, Berkeley, San Diego, 2018.
[12] D. Price, ”4 malicious browser extensions that help [31] H. Shahriar, K. Weldemariam, M. Zulkernine, and T. Lutellier,
hackers target their victims,” *MakeUseOf*, Jul. 13, Effective detection of vulnerable and malicious browser extensions,
2015. [Online]. Available: http://www.makeuseof.com/tag/ 2018.
x-malicious-browser-extensions-help-hackers-target-victims/. [32] N. Pantelaios, N. Nikiforakis, and A. Kapravelos, You’veChanged:
[Accessed: Jan. 8, 2025]. Detecting malicious browser extensions through their update
deltas, North Carolina State Univ., Stony Brook Univ., 2017.
[13] G. Varshney, S. Bagade, and S. Sinha, ”Malicious browser ex-
tensions: A growing threat: A case study on Google Chrome: [33] M. Maunder, “PSA: 4.8 Million Affected by Chrome Ex-
Ongoing work in progress,” in Proc. Int. Conf. Information Net- tension Attacks Targeting Site Owners,” Wordfence Blog,
working (ICOIN), Chiang Mai, Thailand, 2018, pp. 188–193. Aug. 2017. Available: https://www.wordfence.com/blog/2017/08/
doi: 10.1109/ICOIN.2018.8343108. [Online]. Available: https:// chrome-browser-extension-attacks/
ieeexplore.ieee.org/document/8343108. [34] J. M. Moreno, N. Vallina-Rodriguez, and J. Tapiador, “Did
[14] Google, ”Staying safe with Chrome extensions,” Google Security I Vet You Before? Assessing the Chrome Web Store Vet-
Blog, Jun. 20, 2024. [Online]. Available: https://security. ting Process through Browser Extension Similarity,” arXiv
googleblog.com/2024/06/staying-safe-with-chrome-extensions. preprint arXiv:2406.00374, 2024. Available: https://arxiv.org/abs/
html. [Accessed: Jan. 8, 2025]. 2406.00374
[15] G. Varshney, M. Misra, and P. K. Atrey, ”Cyberattacks via Google [35] Google Chrome Web Store, ”YouTube Fo-
Chrome browser extensions,” in World Scientific Reference on cus Timer & Stats,” 2025. [Online]. Available:
Innovation, Chapter 9, pp. 193–210, 2024. [Online]. Available: https://chromewebstore.google.com/detail/ejmfemchnobpkbmnidhb
https://doi.org/10.1142/9789813149106 0009. [Accessed: Jan. 8, bledmajpehnp. [Accessed: Mar. 6, 2025].
2025]. [36] Mozilla Add-ons, ”Focus Timer - Stay Productive,” 2025. [Online].
[16] W. Chang and S. Chen, ”Extension Board: Towards runtime Available: https://addons.mozilla.org/en-US/firefox/addon/focus-
browser extension information leakage detection,” in Proc. IEEE timer-stay-productive/. [Accessed: Mar. 6, 2025].
Conf. Commun. Netw. Security (CNS), 2016. [Online]. Available: [37] Mozilla Add-ons, ”Easy To-Do List,” 2025. [Online]. Available:
https://ieeexplore.ieee.org/document/7860481. [Accessed: Jan. 8, https://addons.mozilla.org/en-US/firefox/addon/easy-to-do-list/.
2025]. [Accessed: Mar. 6, 2025].