Security BSides Las Vegas 2025

Extending Password (in)Security to the Browser: How Malicious Browser Extensions Are Used to Steal User Passwords
2025-08-04, Tuscany

Malicious browser extensions are an emerging attack vector to steal user identity information and passwords. This session will provide a detailed breakdown of how browser extensions can be used for theft of credential data, and a technical analysis of what permissions and methods compromised extensions invoke to steal passwords and other authentication details.

As part of this session, we will walk through the emergence of browser extensions as a threat vector, discuss how they become compromised, and then explore in detail the types of password and credential data that can be stolen and the mechanisms extensions use to steal them. We will describe specific permissions and techniques used by extensions to steal password information, and show live examples. Finally, we will discuss best practices and methods for how individuals and organizations should protect themselves against such tactics.


This talk has 3 main parts to it:
1. A discussion of browser extensions as an emerging threat vector to steal identity data.
2. A technical exploration of the methods, permissions and calls invoked by browser extensions, what data they can reach, and how they can extract password information.
3. A discussion of how to counter these tactics, and best practices for security.

In Part I, we will talk about the emergence of browser extensions as a threat surface and a risk factor. We’ll share statistics (collected by LayerX’s internal metrics from our customer base) on the distribution of browser extensions (99% of enterprise users have >1 extension, 53% of users have >10 extensions), the permission scope of extensions (53% of users have extensions with high/critical permissions), and individual permissions (such as identity, cookies, scripting, and others). We’ll also discuss how extensions become compromised: whether they are built as malicious extensions from the start, become compromised later (à la the Cyberhaven incident), or change hands (via sale of the extension), and provide real-life examples of each type.

In Part II, we will proceed to a technical discussion of what types of password and authentication data extensions can access:
• Web cookies
• Session information
• Application access tokens
• Authentication certificates
• Passwords
• Keyboard strokes / input information

And also of the various methods for collecting this information:
• Identity API
• Cookies API
• Scripting permissions
• Tabs management permissions
• Input method calls
• webNavigation and webRequest APIs to control web traffic
• and more

In Part III, we will bring these concepts together and propose a framework for auditing, assessing the risk and enforcing protection against malicious browser extensions.
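One concrete form such an audit can take, as an added example that is not part of the talk or of LayerX’s tooling: a small Python script that scores unpacked extension manifests (MV2 or MV3) by the credential-reaching permissions listed above, treating broad host access and all-site content scripts as risk in their own right. The risk weights, thresholds and sample manifests are assumptions chosen for illustration.

```python
import json

# Risk weights are an assumption for this example; they follow the credential-reaching
# permissions the talk lists (identity, cookies, scripting, tabs, webNavigation, webRequest).
PERMISSION_RISK = {
    "identity": 3, "cookies": 3, "scripting": 3, "webRequest": 3, "webRequestBlocking": 3,
    "tabs": 2, "webNavigation": 2, "clipboardRead": 2, "history": 1, "activeTab": 1, "storage": 0,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
LEVELS = ((8, "critical"), (5, "high"), (2, "medium"), (0, "low"))  # assumed thresholds

def assess_manifest(manifest: dict) -> dict:
    """Score one extension manifest (MV2 or MV3) by the permissions that reach credentials."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host match patterns into "permissions"; separate them out.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            perms.discard(p)
            hosts.add(p)
    # A content script injected into every site can read login forms and keystrokes
    # without any API permission, so its match patterns count as host access too.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    broad = bool(hosts & BROAD_HOSTS)
    score = sum(PERMISSION_RISK.get(p, 0) for p in perms) + (3 if broad else 0)
    if broad and "scripting" in perms:
        score += 2  # can inject arbitrary code into every page the user visits
    level = next(name for floor, name in LEVELS if score >= floor)
    return {
        "name": manifest.get("name", "?"),
        "score": score,
        "level": level,
        "high_risk_permissions": sorted(p for p in perms if PERMISSION_RISK.get(p, 0) >= 2),
        "broad_host_access": broad,
    }

def audit(manifests_json: list[str]) -> list[dict]:
    """Parse raw manifest.json texts (e.g. read from unpacked extension folders) and score each."""
    return [assess_manifest(json.loads(text)) for text in manifests_json]

# Constructed sample manifests (not real extensions) covering the cases handled above.
SAMPLE_MANIFESTS = [
    '{"name": "Tab Notes", "manifest_version": 3, "permissions": ["storage", "activeTab"]}',
    '{"name": "Coupon Helper", "manifest_version": 3, "permissions": ["cookies", "scripting", "tabs", "webRequest"], "host_permissions": ["<all_urls>"]}',
    '{"name": "Legacy Login Sync", "manifest_version": 2, "permissions": ["identity", "https://*/*"]}',
    '{"name": "Page Styler", "manifest_version": 3, "permissions": ["storage"], "content_scripts": [{"matches": ["<all_urls>"], "js": ["style.js"]}]}',
]

if __name__ == "__main__":
    for result in audit(SAMPLE_MANIFESTS):
        print(f"{result['level']:>8}  {result['score']:>2}  {result['name']}  {result['high_risk_permissions']}")
```

In an enterprise setting the same scoring can be run over the manifests of every installed extension collected from managed browsers, with anything at "high" or above routed to review.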

Or Eshed is co-founder and CEO of LayerX Security. Or has over 15 years of cybersecurity experience as an ML developer, security and intelligence researcher, and cybersecurity analyst. Prior to founding LayerX, Or worked as a cyber threat intelligence analyst at Check Point, Otorio, and ABN AMRO Bank. His work has led to the arrest of at least 15 threat actors and the exposure of the largest browser hijacking operation in history, with over 50M browsers compromised. He has also written and spoken extensively on cybersecurity topics. In addition, Or holds an MSc in Applied Economics from the Hebrew University of Jerusalem.
