Behind the Browser Analysing Chrome Extension Risks
Abstract
Chrome extensions have become integral to our browsing experience, adding functionality and convenience. However, they also introduce new security risks that are often overlooked. Over the last 5 years, thousands of extensions have been delisted by Google as they have been found to be malicious or had unintended behavior. In this presentation, I will reveal the findings of my in-depth research on Chrome browser extension risks, highlighting implementation flaws, permission overreach, common vulnerabilities, and finally how to detect these malicious extensions in your own environment. I will showcase real-world case studies demonstrating how attackers have exploited popular extensions to steal sensitive user data, hijack accounts, and even gain control over victims' browsers. I will also present a categorization of browser extension risks, highlighting prevalent attack techniques and vulnerable components. Furthermore, I will introduce practical mitigation strategies for extension developers and security-conscious users seeking to minimize risks. To assist the security community, I will share the open-source pipeline we created and some tools we used to analyze and secure Chrome extensions.
Speaker Bio:
Shannon is a Staff Security Strategist within Splunk SURGe. He hails from Melbourne, Australia. Originally from Seattle, Washington, he has worked in a number of varied roles. He has been a video game tester at Nintendo (Yoshi's Island broke his spirit), a hardware tester at Microsoft (handhelds have come a long way since then), a Windows NT admin for an early security startup and one of the first Internet broadcast companies, along with security roles for companies including Juniper and Cisco. Shannon enjoys getting outdoors for hikes and travelling.
James works as a Security Strategist within the SURGe team at Splunk. He calls Brisbane, Australia home and has spent much of his career supporting the state law enforcement and emergency services. When he's not solving problems in Python, he's being "that guy" about how Rust avoids the bugs of the past, or contributing to open source projects. He claims it's rarely DNS.