Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk
Event description
Level of Instruction: Intermediate
Instructed by: Or Eshed, Aviad Gispan
Abstract:
Browser extensions have quietly become one of the most underappreciated attack surfaces. While marketed as productivity enhancers, many of these extensions operate with elevated privileges that rival native malware in terms of access to sensitive user and organizational data.
This hands-on workshop takes a deep dive into how browser extensions operate under the hood and exposes how easily legitimate APIs can be weaponized to exfiltrate credentials, hijack sessions, monitor user behavior, and leak sensitive corporate information. By reverse-engineering real-world extension behavior and building functioning proof-of-concept (PoC) malicious extensions, participants will gain a direct understanding of the risks these extensions pose.
Through practical exercises, participants will:
- Learn the browser extension architecture and permission model
- Examine key APIs commonly misused for surveillance or data theft
- Build PoC malicious extensions that exfiltrate session cookies, read passwords, record keystrokes, capture DOM content, and more
- Analyze techniques for stealth, obfuscation, and evasion
- Explore detection blind spots in endpoint and SSE security tools
- Review mitigation strategies and enterprise hardening recommendations