Browser Security & Extension Auditing
Audit your browser extensions, understand Manifest V3 security implications, resist fingerprinting, and compartmentalize browsing with profile isolation.
The Extension Threat Model
Your browser is the most attacked application on your system. It processes untrusted input from the entire internet, manages your most sensitive sessions (banking, email, source code), and runs third-party extensions with remarkable levels of access.
Browser extensions are the insider threat of your browser. They operate with permissions you granted months ago, execute code that updates silently, and can read or modify every page you visit.
How Extensions Get Compromised
1. Malicious From the Start
Extensions published specifically to steal data. Common patterns:
- "Free VPN" extensions that proxy all traffic through attacker-controlled servers
- Productivity tools that harvest browsing history and sell it to data brokers
- Extensions that inject affiliate codes into e-commerce pages
2. Supply Chain Takeover
The more dangerous variant: legitimate extensions acquired or compromised after gaining a user base.
The Great Suspender (2021): A popular Chrome extension with 2M+ users was sold to an unknown entity that pushed a malicious update containing tracking code. Google eventually pulled it, but millions of users had already been compromised.
UAParser.js (2021): An npm package used by millions (including browser extensions) was hijacked via compromised maintainer credentials. Cryptomining and password-stealing malware was injected.
3. Overly Broad Permissions
Many legitimate extensions request far more permissions than they need:
```json
// manifest.json: a "dark mode" extension that wants EVERYTHING
{
  "permissions": [
    "activeTab",
    "tabs",
    "storage",
    "webRequest",
    "webRequestBlocking",
    "<all_urls>"
  ],
  "content_scripts": [{
    "matches": ["<all_urls>"],
    "js": ["content.js"],
    "run_at": "document_start"
  }]
}
```
This extension can read and modify every page you visit, intercept all HTTP requests, and access all open tabs. For a dark mode toggle. The <all_urls> permission combined with webRequest means it can see your banking sessions, read your email, and capture form submissions including passwords.
Permission Risk Levels
| Permission | Risk | What It Allows |
|---|---|---|
| <all_urls> | 🔴 Critical | Read/modify content on ALL websites |
| webRequest + webRequestBlocking | 🔴 Critical | Intercept, modify, or block all HTTP traffic |
| tabs | 🟠 High | See all open tab URLs and titles |
| cookies | 🟠 High | Read/write cookies for any site |
| history | 🟠 High | Full browsing history access |
| bookmarks | 🟡 Medium | Read all bookmarks |
| storage | 🟢 Low | Extension-local storage only |
| activeTab | 🟢 Low | Temporary access to current tab only when clicked |
| contextMenus | 🟢 Low | Add items to right-click menu |
Auditing Your Extensions
Right now, go to your browser's extension page and audit what's installed:
Chrome: chrome://extensions/
Firefox: about:addons
For each extension, ask:
- Do I still use this? (If not, remove it.)
- What permissions does it have? (Click "Details" → review permissions)
- When was it last updated? (Abandoned extensions are takeover targets)
- Who is the developer? (Is it a known company or an anonymous individual?)
- Does it have source code available? (Open-source extensions can be audited)
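```bash
# Chrome: List all installed extension IDs and names
# On macOS (Default profile only):
for dir in ~/Library/Application\ Support/Google/Chrome/Default/Extensions/*/; do
  # Each extension ID directory holds one subdirectory per version; take the newest
  manifest="${dir}$(ls -t "$dir" | head -1)/manifest.json"
  if [ -f "$manifest" ]; then
    # Pass the path as an argument instead of interpolating it into Python source
    name=$(python3 -c "import json, sys; print(json.load(open(sys.argv[1])).get('name', 'Unknown'))" "$manifest" 2>/dev/null)
    # Quote $dir: the path contains a space ("Application Support")
    echo "$(basename "$dir"): $name"
  fi
done
```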
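To answer the "what permissions does it have?" question for each manifest the loop above finds, the following added example (not part of the original article) rates a parsed manifest.json against the Permission Risk Levels table. It goes slightly beyond the table: it also reads Manifest V3 `host_permissions` and content-script `matches`, and treats match patterns that cover every site the same as `<all_urls>`. The function name, the "Scoped host" and "Unrated" labels, and both sample manifests are assumptions made for this sketch.

```python
import json

# Ratings copied from the Permission Risk Levels table; lowest to highest.
LEVELS = ["Low", "Medium", "High", "Critical"]
RISK = {
    "<all_urls>": "Critical",
    # Assumption: the table rates webRequest + webRequestBlocking as a pair;
    # this sketch flags either one on its own.
    "webRequest": "Critical", "webRequestBlocking": "Critical",
    "tabs": "High", "cookies": "High", "history": "High",
    "bookmarks": "Medium",
    "storage": "Low", "activeTab": "Low", "contextMenus": "Low",
}
# Match patterns that cover every site, treated the same as <all_urls>.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Rate every permission and host pattern a parsed manifest.json requests."""
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])  # Manifest V3 host patterns
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    findings = {}
    for perm in requested:
        if perm in BROAD_HOSTS:
            findings[perm] = "Critical"
        elif perm in RISK:
            findings[perm] = RISK[perm]
        elif "://" in perm:
            findings[perm] = "Scoped host"  # limited to named sites; not in the table
        else:
            findings[perm] = "Unrated"      # not in the table; review by hand
    rated = [LEVELS.index(level) for level in findings.values() if level in LEVELS]
    overall = LEVELS[max(rated)] if rated else "Unrated"
    return {"name": manifest.get("name", "Unknown"), "overall": overall, "findings": findings}

# Constructed samples: the dark-mode manifest shown earlier, and a narrowly scoped MV3 one.
DARK_MODE = json.loads("""{"name": "Dark Mode (constructed)", "manifest_version": 2,
  "permissions": ["activeTab", "tabs", "storage", "webRequest", "webRequestBlocking", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}""")
MINIMAL = json.loads("""{"name": "Dark Mode, scoped (constructed)", "manifest_version": 3,
  "permissions": ["activeTab", "storage"]}""")

if __name__ == "__main__":
    for sample in (DARK_MODE, MINIMAL):
        report = audit_manifest(sample)
        print(f"{report['name']}: {report['overall']}")
        for perm, level in report["findings"].items():
            print(f"  {level:<12} {perm}")
```

Chrome accepts `//` comments in manifest.json, which `json.load` rejects, so a manifest that fails to parse should be reviewed by hand rather than skipped.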
The safest extension is one you don't install. Every extension increases your attack surface. Aim for fewer than 10, ideally fewer than 5.