Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk

Presented at DEF CON 33 (2025), Aug. 8, 2025, 9 a.m. (240 minutes).

Browser extensions have quietly become one of the most underappreciated attack surfaces. While marketed as productivity enhancers, many of these extensions operate with elevated privileges that rival native malware in terms of access to sensitive user and organizational data. This hands-on workshop takes a deep dive into how browser extensions operate under the hood and exposes how easily legitimate APIs can be weaponized to exfiltrate credentials, hijack sessions, monitor user behavior, and leak sensitive corporate information. By reverse-engineering real-world extension behavior and building functioning proof-of-concept (PoC) malicious extensions, participants will gain a direct understanding of the risks these extensions pose.

Through practical exercises, participants will:

  • Learn the browser extension architecture and permission model
  • Examine key APIs commonly misused for surveillance or data theft
  • Build PoC malicious extensions that exfiltrate session cookies, read passwords, record keystrokes, capture DOM content, and more
  • Analyze techniques for stealth, obfuscation, and evasion
  • Explore detection blind spots in endpoint and SSE security tools
  • Review mitigation strategies and enterprise hardening recommendations

Presenters:

  • Or Eshed - CEO at LayerX Security
    Or Eshed is CEO and co-founder at LayerX Security. Prior to founding LayerX, Or worked for 12 years as a cybersecurity and OPSEC expert at ABN AMRO Bank, Otorio, and Check Point, where he led the takedown of the world's largest browser hijacking operation with over 50M browsers compromised, and his work led to the arrest of more than 15 threat actors. Or also has an MSc in Applied Economics from the Hebrew University of Jerusalem.
  • Aviad Gispan - Senior Researcher at LayerX Security
    Aviad Gispan is a Senior Researcher at LayerX Security, with over a decade of experience in browser security, JavaScript, and frontend architecture. He develops sandbox technologies to detect malicious extensions and researches advanced techniques to strengthen browser-based protection. Previously, Aviad led innovation in Proofpoint’s Web Isolation group, focusing on performance optimization and resource efficiency.
