In recent weeks the security community has again raised the alarm about a silent enemy that many users underestimate: browser extensions. What at first sight looks like a small convenience to save time or add features - from code generators to smart assistants - is being used by malicious actors to steal valuable information without the people who installed them noticing.
A recent and particularly worrying case was an extension promoted as a tool for working comfortably with Meta Business Suite and Facebook Business Manager. Researchers at Socket analyzed this extension and found that, alongside seemingly legitimate functions such as 2FA code generation or dismissing verification dialogs, its code collected TOTP secrets (the seeds that generate the temporary codes) and one-time codes, as well as exports of Business Manager's "People" section and analytics data. All of this was sent to attacker-controlled infrastructure, with options to forward the information to Telegram channels. An extension with only dozens of installs can hand over the keys to high-value accounts and contacts, because it lets the attacker identify interesting targets and prepare follow-on attacks.

The technique is not new: attackers take advantage of the fact that extensions, once authorized by the user, can interact with authenticated pages and read content that stays within the browser context. So even if an extension does not explicitly steal passwords, if the adversary already holds credentials obtained elsewhere - for example, from infostealers or leaks - the ability to capture 2FA codes makes unauthorized access easy. To understand the technical scope and the evidence, Socket's research provides details that deserve careful review if you manage advertising or administration accounts at Meta.
In parallel, another notable report came from Koi Security, which documented a massive campaign against VKontakte users. There, extensions disguised as themes or music downloaders injected obfuscated JavaScript into every VK page, automatically subscribed users to attacker-controlled groups, manipulated settings and even exploited CSRF to bypass protections. The operation used a clever technique to hide the next-stage URLs: the HTML metadata of a public profile served as a "dead drop" for resolving where the payload was hosted. The attack's author maintained a public repository in which multiple commits were observed over months, suggesting this was not an amateur one-off but a project under continuous maintenance and improvement.
Adding another block of research makes the picture bigger. The firm LayerX uncovered a network of extensions posing as AI assistants, installed by hundreds of thousands of users, that actually loaded an iframe from a remote domain which could change the extension's functionality in real time. According to LayerX, these iframes could instruct the extension to extract readable text from the page using libraries such as Readability, activate speech recognition and send transcripts to the attacker's server, or even read visible Gmail content when the user opened mail.google.com. The danger is that malicious behaviour can arrive without passing through the official store's update process, because the remote iframe controls what is shown and what is collected.
The scale of the problem has also been quantified by other groups. A public repository maintained by researchers found hundreds of extensions that send browsing history to intermediaries and data brokers, with tens of millions of installs combined. Q Continuum's research, for example, documents a broad collection of spyware extensions with a global reach of millions of users (see details). It confirms that these are not isolated incidents but a pattern in which extensions are monetized or repurposed for espionage and fraud.
Against this background, defence requires practical decisions and, above all, sustainable habits. First, apply the principle of minimum exposure: install only the extensions you really need, from developers with a verifiable reputation. Reviewing the permissions an extension requests before accepting its installation is essential, because many risks materialize when the user grants access to sensitive domains or to the entire browsing history. In addition, regularly auditing installed extensions and removing the ones you do not use reduces the attack surface.
For those who manage corporate environments or critical accounts, there are more forceful measures: using separate browser profiles for personal and professional tasks, enabling policies that control which extensions can be installed and, where possible, choosing authentication mechanisms that do not depend exclusively on TOTP codes that can be captured. WebAuthn-based security keys offer a major technical barrier against theft of one-time factors; to go deeper into that option, it is useful to review documentation on web authentication such as the MDN Web Authentication API reference. Google also publishes guides on how permissions work and how to manage extensions from the Chrome Web Store, which can serve as a reference for less technical users: an explanation of permissions and how to remove an extension.
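An added example of the permission review and periodic audit recommended above (it is not code from the article or from any of the researchers cited): a small Python script that scans unpacked extension manifests for the broad host access, high-risk permissions and content scripts on sensitive sites that the reports describe. The sample manifests, the risk lists and the directory layout are constructed assumptions.

```python
import json
from pathlib import Path
from typing import Dict, List

# Constructed sample manifests (Manifest V3 layout); not real extensions.
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}
SUSPECT_MANIFEST = {
    "manifest_version": 3, "name": "Smart Assistant", "version": "2.3",
    "permissions": ["tabs", "scripting", "webRequest", "history"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*",
                                     "https://business.facebook.com/*"],
                         "js": ["inject.js"]}],
}

# Permissions that let an extension read or alter authenticated pages,
# browsing history, cookies or traffic; a constructed, non-exhaustive list.
HIGH_RISK_PERMISSIONS = {"tabs", "scripting", "webRequest", "webRequestBlocking",
                         "history", "cookies", "debugger", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts the article mentions as targets; extend to whatever your org considers sensitive.
SENSITIVE_HOSTS = ("mail.google.com", "business.facebook.com", "vk.com")

def audit_manifest(manifest: Dict) -> List[str]:
    """Return human-readable findings for one manifest.json (empty list = nothing flagged)."""
    findings = []
    risky = sorted(HIGH_RISK_PERMISSIONS & set(manifest.get("permissions", [])))
    if risky:
        findings.append(f"high-risk permissions: {', '.join(risky)}")
    # Host access comes from host_permissions and from content_scripts' match patterns.
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("access to every site (<all_urls> or wildcard host pattern)")
    for pattern in sorted(hosts):
        if any(host in pattern for host in SENSITIVE_HOSTS):
            findings.append(f"content access on sensitive host: {pattern}")
    return findings

def audit_extension_dir(root: str) -> Dict[str, List[str]]:
    """Audit every manifest.json under an unpacked-extensions directory, keyed by name."""
    report = {}
    for path in Path(root).rglob("manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        report[manifest.get("name", str(path))] = audit_manifest(manifest)
    return report

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        print(m["name"], "->", audit_manifest(m) or ["no findings"])
```

Point audit_extension_dir at a browser profile's extensions folder to get the same findings for everything actually installed.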

It is not wise to fall into the false sense of safety of thinking that few users means low risk. As the researchers have pointed out, extensions with a limited number of installs can be reconnaissance tools and an entry point to corporate targets or high-privilege accounts. Digital hygiene is an essential first line of defence: check who publishes the extension, read reviews with a critical eye, check the updates and corroborate the security community's findings before entrusting sensitive data to a browser add-on.
If you want to dig into the cases above, I recommend reading the analyses published by the organizations that uncovered them: Socket's technical report on the extension that steals TOTP seeds and Meta exports, Koi Security's report on VK Styles, and LayerX's study of the fake AI extensions. For a practical guide to general risks and recommendations, this training resource is useful: Security tips on browsers.
At the end of the day, extensions are powerful tools that expand the browser; they can also become security holes if they are not handled with care. Maintaining technical curiosity without sacrificing prudence is the best way to keep a simple add-on from turning into a larger breach of your accounts or your organization's data.