Craig Young, Cybersecurity Researcher for Tripwire says, “With so many critical business and financial activities occurring within the web browser, malicious extensions and add-ons must be considered a prime target for infection.
As with browser interstitials warning of invalid SSL certificates, many users likely gloss over the permissions declaration when installing extensions or do not recognize the risk of allowing an extension to have access to read data from web sites. The reality though is that extensions are allowed to run in a very privileged browser context giving access to authentication tokens as well as the ability to scan local networks. Normally sites loaded within the browser are restricted from reading content from other sites via the same-origin policy. This is what keeps an advertisement on a news site from transferring money out of the banking site open in another tab.
Recently a number of gamers on the Steam platform learned this lesson the hard way as a number of malicious browser extensions were found to be stealing in-game items with real-world value.
Security organizations should educate employees on the risks of running browser extensions as well as auditing workstations for unapproved use.”