![\"A](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/04\/creepy-potentially-dangerous-Google-Chrome-extensions-cookies-purple-bg-600x300-1.jpg\")
<\/p>\n<\/p>\n
Though popular, Web browsers extensions are not necessarily safe. Just like any software you might install on your computer, they can contain malicious code designed to do evil things. The latest demonstration of extensions’ potential harm comes in the form of a proof-of-concept (PoC) malware attack. Security researchers have developed “Cookie-Bite,” which exhibits how Chrome extensions can surreptitiously hijack session tokens.<\/p>\n
In plain English, that means that bad guys can log into almost any site as if they were you. And all they have to do is trick you into installing a seemingly harmless browser extension. Or, if they’ve gained access to your computer, they can install the malicious extension without you knowing about it.<\/p>\n
Let’s explain how the Cookie-Bite attack concept works\u2014and why you might want to avoid installing extensions in general.<\/p>\n
Generally speaking, whenever you log into a site, you have to enter your username and password. You might even have to go through an additional step, for two-factor authentication<\/a> (2FA, aka two-step verification or 2SV). After that, your browser creates a “session cookie”\u2014a text file containing coded information that keeps you logged into the site. If a threat actor steals that cookie and puts it on their own computer, they’ll usually be instantly logged in as you\u2014bypassing the need to have your username, password, and 2FA method.<\/p>\n The researchers who developed Cookie-Bite limited its scope<\/a> to stealing Microsoft cookies used for authentication. But, they point out, it could just as easily be redesigned to steal cookies related to Google or any number of other sites\u2014presumably including Apple services like iCloud.<\/p>\n Cookie-Bite monitors whenever the victim visits Microsoft login pages. As soon as the browser saves the cookies, the extension exfiltrates them to the attacker. It does so by submitting a Google Form in the background\u2014entirely without the user’s knowledge or consent.<\/p>\n When the researchers uploaded their proof-of-concept extension to VirusTotal, none of its more than 60 antivirus engines detected the extension as malicious.<\/p>\n Although the extension was designed to work with Google Chrome, it would presumably work in most of today’s Mac, Windows, and Linux browsers. Chrome is the most popular desktop browser in the world, with a roughly 66% market share<\/a>. Microsoft Edge\u2014which is also based on Chromium, the open-source version of Chrome\u2014is number two, with a 13% market share. These and other Chromium-based browsers support extensions from Google’s Chrome Web Store<\/a>.<\/p>\n In the past, we’ve reported pretty extensively about why it’s crucial to avoid installing browser extensions.<\/p>\n A couple years ago, we noted<\/a> on the Intego Mac Podcast<\/a> that dozens of extensions in the Chrome Web Store contained unwanted and undisclosed search-hijacking code. These extensions had been installed 87 million times before Google finally removed them from the store.<\/p>\n Even good extensions can turn bad. Developers often lose interest in working on a project; many threat actors posing as legitimate developers swoop in and offer money to take over abandoned projects.<\/p>\n On top of that, overtly malicious extensions have also made their way into the Chrome Web Store. As just one example, in March 2023 we wrote about a fake ChatGPT extension that hijacked Facebook accounts<\/a>. It used a method similar to the Cookie-Bite PoC, but this “FakeGPT” was actual, in-the-wild malware.<\/p>\n And malware isn’t the only concern. Just this past August, we wrote about how 40,000 extensions\u2014with 500 million users\u2014contained at least one known vulnerability<\/a>. This accounted for almost one-third of all extensions in the Chrome Web Store at the time.<\/p>\n My recommendation is to avoid using any extensions at all\u2014unless you’re absolutely sure you can trust the developer.<\/strong><\/p>\n Advertisement and tracker blockers are among the most popular extensions. The only ad-blocking extension that I both trust and personally use is uBlock Origin<\/a> by Raymond Hill. Wladimir Palant’s Adblock Plus<\/a> is fine, too; both developers understand browser security well. Better yet, you can use a browser with built-in ad blocking, such as Brave<\/a>, a privacy-focused, Chromium-based browser; see our comparison of desktop browser privacy<\/a>.<\/a><\/p>\n We discussed Cookie-Bite in episode 393<\/a> of the Intego Mac Podcast<\/a>:<\/p>\nAvoid extensions whenever possible<\/h3>\n
How can I learn more?<\/h3>\n