DEF CON 29 – Barak Sternberg – Extension Land: Exploits and Rootkits in Your Browser Extensions

Browser extensions are installed anywhere, they serve as an integral part of our day-to-day web routine, from AdBlockers to Auto-Translators. But – do we know what is running inside of them? Do we know what goes deep-down inside their communication routines? How do they use their internal API’s? And how do their different JS execution contexts work?

In this session, I will explore these unique internal extension API’s, hidden attack-surfaces and show how these concepts can be broken & exploited using new ways! I start showing how an attacker can “jump” from one low-permissions chrome-app/extension to another, hence elevating its permissions. Then, I will show how to gain full “browser-persistency” inside extensions’ background-scripts context.

Chaining it all together, I show how attacker, starting from low permissions chrome-app, gains a fully-armed “extension-rootkit”, a persistent JS-malware running inside of a “good” extension, along with C&C features, JS injection techniques to any tab/origin, obfuscation-techniques and more. Eventually, I will present a generic technique, targeting all chrome-users, for taking over any previously installed chrome extension and implant an “extension-rootkit” in it.

[1] Chrome Developers: Chrome extensions API Reference,
[2] Chrome Developers: Chrome extensions Manfiest v2/v3 Security References, &
[3] “Websites Can Exploit Browser Extensions to Steal User Data”, 2019 – /
[4] “Web Browser Extension User-Script XSS Vulnerabilities”, 2020 –
[5] “Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions”, 2017 –
[6] “Attacking browser extensions”, Nicolas Golubovic, 2016 –
[7] “A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions”, 2018 –
[8] “Chrome Extensions: Threat Analysis and Countermeasures”, 2012 –
[9] “Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies”, Usenix Security 2017 –
[10] “Protecting Browsers from Extension Vulnerabilities”, 2010 – More