Malicious Browser Extensions at Scale: Bridging the Observability Gap between Web Site and Browser


Louis F. DeKoven, Stefan Savage, and Geoffrey M. Voelker, UCSD; Nektarios Leontiadis, Facebook


Browser extensions enhance the user experience in a variety of ways. However, to support these expanded services, extensions are provided with elevated privileges that have made them an attractive vector for attackers seeking to exploit Internet services. Such attacks are particularly vexing for the sites being abused because there is no standard mechanism for identifying which extensions are running on a user’s browser, nor is there an established mechanism for limiting the distribution of malicious extensions even when identified.

In this paper we describe an approach used at Facebook for dealing with this problem. We present a methodology whereby users exhibiting suspicious online behaviors are scanned (with permission) to identify the set of extensions in their browser, and those extensions are in turn labelled based on the threat indicators they contain. We have employed this methodology at Facebook for six weeks, identifying more than 1700 lexically distinct malicious extensions. We use this labelling to drive user device clean-up efforts as well to report to antimalware and browser vendors.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {205855,
author = {Louis F. DeKoven and Stefan Savage and Geoffrey M. Voelker and Nektarios Leontiadis},
title = {Malicious Browser Extensions at Scale: Bridging the Observability Gap between Web Site and Browser},
booktitle = {10th USENIX Workshop on Cyber Security Experimentation and Test (CSET 17)},
year = {2017},
address = {Vancouver, BC},
url = {},
publisher = {USENIX Association},
month = aug