Browser extension sales, updates pose hidden threat to enterprises | CyberScoop<\/title> <meta name=\"description\" content=\"Some browser extension permissions are too broad, and owners can quickly repurpose pre-approved capabilities for malicious intent, a security researcher told CyberScoop.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/browser-extension-sales-permissions-hidden-threat\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Browser extension sales, updates pose hidden threat to enterprises\"> <meta property=\"og:description\" content=\"Some browser extension permissions are too broad, and owners can quickly repurpose pre-approved capabilities for malicious intent, a security researcher told CyberScoop.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/browser-extension-sales-permissions-hidden-threat\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-03-27T19:06:43+00:00\"> <meta property=\"article:modified_time\" content=\"2025-03-27T19:06:46+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg\"> <meta property=\"og:image:width\" content=\"2048\"> <meta property=\"og:image:height\" content=\"1216\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1742994400g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1742838279g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84006\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84006\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fbrowser-extension-sales-permissions-hidden-threat%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fbrowser-extension-sales-permissions-hidden-threat%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-84006 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/browser-extension-sales-permissions-hidden-threat\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.416849015317\">\n<div class=\"single-article__header-content\" readability=\"36.401869158879\">\n<p> Some browser extension permissions are too broad, and owners can quickly repurpose pre-approved capabilities for malicious intent, a security researcher told CyberScoop. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84006\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"380\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises.jpg?resize=640%2C380&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"chrome extension\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=300,178 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=768,456 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=1024,608 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=1536,912 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=600,356 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=283,168 283w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=568,337 568w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=1137,675 1137w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-2.jpg?resize=1420,843 1420w\" sizes=\"(max-width: 1137px) 100vw, 1137px\"><figcaption> (Stephen Shankland \/ Flickr) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"51.485940246046\"><body readability=\"103.77287066246\"><\/p>\n<p>Sometimes the simplest pieces of software can cause the most complex security headaches for organizations.<\/p>\n<p>Browser extensions, which can be bought, sold and repurposed without warning, are a blind spot for organizations \u2014 ignored and often left unrecognized as a hidden threat. <\/p>\n<p>John Tuckner, founder of the browser extension security company Secure Annex, recently demonstrated how quickly he bought and repurposed an extension to redirect traffic. For this experiment, Tuckner found and purchased an extension named \u201cWebsite Blocker\u201d for $50 and transferred ownership to himself in the Chrome Web Store for a $5 fee.<\/p>\n<p>His experience underscores how difficult \u2014 \u201cabsolutely impossible,\u201d he said \u2014 it is for browser extension users to know when ownership changes hands or extensions they use are repurposed for potentially malicious intent.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cA Chrome Web Store extension listing can say one thing, but once you install it, what\u2019s actually in the code and what\u2019s in the package that you install, that gets really tricky,\u201d Tuckner said in an interview. \u201cThere\u2019s a lot of gray area to declare if something is malicious or not.\u201d<\/p>\n<p>Once Tuckner gained ownership of the extension, he submitted an update to the Chrome Web Store and, hours later, pushed new code to the user base.<\/p>\n<p>\u201cBrowser extension updates, by default, occur automatically and silently when a user\u2019s browser detects a new version available in the Chrome Web Store,\u201d he wrote in a <a href=\"https:\/\/secureannex.com\/blog\/buying-browser-extensions\/\">blog post<\/a>. \u201cOnly if new permissions are requested by the extension is the user ever notified or prompted.\u201d<\/p>\n<p>Google reviews browser extension updates, but the process and resources involved aren\u2019t sufficient to keep up with every ownership and code review change, according to Tuckner. Google did not respond to a request for comment. <\/p>\n<p>The change Tuckner made to the browser extension he purchased was harmless, but proved his point. By using the \u201cdeclarativeNetRequest\u201d API permission the extension was already approved for, Tuckner redirected traffic from a specific URL to a \u201cRickroll,\u201d a meme of Rick Astley\u2019s 1987 hit \u201cNever Gonna Give You Up.\u201d <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Capabilities allowed within some permissions of browser extensions, such as \u201cdeclarativeNetRequest,\u201d are too broad, Tuckner said. \u201cIf I wanted to target a brand like an Office 365 login portal and redirect it to my login portal for phishing, that is all under the same permission that was already within the extension and already approved for use by Google.\u201d<\/p>\n<p>Most browser extension permissions involve a trade-off, balancing functionality with potential privacy concerns or malicious intent.<\/p>\n<p>The tabs permission in browser extensions allows for tab management, but developers can also use that permission to take screenshots of potentially sensitive data and send that information to a third-party server. The cookies permission can access authentication data saved in the browser.<\/p>\n<p>\u201cIf you\u2019re stealing the browser data of an individual, maybe that\u2019s fine. I don\u2019t know, that\u2019s a judgment call for any individual person,\u201d Tuckner said. \u201cBut when you do it at a companywide scale, a lot of security teams don\u2019t really understand or haven\u2019t given enough thought to that potential risk.\u201d<\/p>\n<p>Owners of browser extensions with expansive privileges could ship code updates, repurposing their use to gather potentially sensitive data and sell that information to initial access groups or cybercriminals looking to target a specific organization, according to Tuckner. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOnce the data is essentially gathered and it goes off to a third party, you kind of lose sight of it,\u201d he said. <\/p>\n<p>While many businesses lock down the administrative rights on employees\u2019 laptops and maintain a tight list of software approved for installation, they often overlook what\u2019s happening in the browser. This effectively allows employees to install any browser extensions they want. <\/p>\n<p>\u201cIt can be really enticing and really easy to install them,\u201d Tuckner said. \u201cIt\u2019s really hard to get them ripped out once that\u2019s done.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.1232558139535\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/browser-extension-sales-permissions-hidden-threat\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Browser extension sales, updates pose hidden threat to enterprises |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,4005,256,4006,288,4007],"tags":[86,4008,262,4009,294,4010],"class_list":["post-7482","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-extensions","category-research","category-threat","category-threats","category-web-browsers","tag-cybersecurity","tag-extensions","tag-research","tag-threat","tag-threats","tag-web-browsers"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extensions\/\" rel=\"category tag\">extensions<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat\/\" rel=\"category tag\">threat<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/web-browsers\/\" rel=\"category tag\">web browsers<\/a>","tag_info":"web browsers","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7482"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7482\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7482,"date":"2025-03-27T14:06:43","date_gmt":"2025-03-27T19:06:43","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84006"},"modified":"2025-03-27T14:06:43","modified_gmt":"2025-03-27T19:06:43","slug":"browser-extension-sales-updates-pose-hidden-threat-to-enterprises","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/03\/27\/browser-extension-sales-updates-pose-hidden-threat-to-enterprises\/","title":{"rendered":"Browser extension sales, updates pose hidden threat to enterprises"},"content":{"rendered":"