A Study on Malicious Browser Extensions in 2025

Shreya Singh, Gaurav Varshney, Tarun Kumar Singh, Vidhi Mishra, Khushi Verma

TL;DR

This paper investigates the malicious browser extension (MBE) threat landscape in 2025 with a focus on Chrome and Firefox. Through lab-based experiments conducted Jan–May 2025 using MV3 for Chrome and MV2 for Firefox, it demonstrates that MBEs can bypass store vetting and execute data theft, surveillance, and content manipulation. The study highlights persistent weaknesses in extension review processes, including obfuscated payloads and post-publication updates, and contrasts Chrome's stricter policies with Firefox's more permissive approach. It proposes concrete defenses—sandboxed pre-publication testing, real-time behavioral analytics, permission-change alerts, and post-publication telemetry—and calls for industry-wide collaboration to strengthen browser security across platforms.

Abstract

Browser extensions are additional tools developed by third parties that integrate with web browsers to extend their functionality beyond standard capabilities. However, the browser extension platform is increasingly being exploited by hackers to launch sophisticated cyber threats. These threats encompass a wide range of malicious activities, including but not limited to phishing, spying, Distributed Denial of Service (DDoS) attacks, email spamming, affiliate fraud, malvertising, and payment fraud. This paper examines the evolving threat landscape of malicious browser extensions in 2025, focusing on Mozilla Firefox and Chrome. Our research successfully bypassed security mechanisms of Firefox and Chrome, demonstrating that malicious extensions can still be developed, published, and executed within the Mozilla Add-ons Store and Chrome Web Store. These findings highlight the persistent weaknesses in the browsers' vetting processes and security frameworks. The paper provides insights into the risks associated with browser extensions, helping users understand these threats while aiding the industry in developing controls and countermeasures to defend against such attacks. All experiments discussed in this paper were conducted in a controlled laboratory environment by the researchers, adhering to proper ethical guidelines. The sole purpose of these experiments is to raise security awareness among the industry, research community, and the general public.

Paper Structure

This paper contains 18 sections, 9 figures, 2 tables.

Figures (9)

  • Figure 1: Cookie stealing operation in Chrome and Firefox extensions.
  • Figure 2: Keylogger operation in Chrome and Firefox extensions.
  • Figure 3: Screenshot capture process in Chrome and Firefox extensions.
  • Figure 4: Demonstration of a history-tracking extension in Chrome and Firefox.
  • Figure 5: YouTube Auto-Like Extension in Chrome and Firefox.
  • ...and 4 more figures