
Insider Threat Matrix™

  • ID: DT060
  • Created: 12th June 2024
  • Updated: 14th June 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Chrome Browser Extensions

Google's Chrome browser stores, on disk, details about every browser extension that is installed (the add-ons that give the user additional functionality), so the set of extensions present on a device can be enumerated from the profile directory without the browser running.


On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Extensions. The equivalent locations are ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS and ~/.config/google-chrome/Default/Extensions on Linux. 'Default' is only the first profile: further profiles appear as sibling directories named 'Profile 1', 'Profile 2' and so on, each with its own Extensions folder, so a review must cover all of them. Each directory under Extensions is named with the extension's 32-character ID (lower-case letters a to p) and contains one sub-directory per installed version. The files inside, notably 'manifest.json', describe the extension and its functionality: its name (which may be a '__MSG_...__' placeholder resolved from _locales/<locale>/messages.json), version, requested 'permissions' and, for manifest version 3, 'host_permissions', plus any content scripts and background scripts. The ID can be combined with OSINT, for example by searching for it in the Chrome Web Store, to learn more about the extension. Note that this folder only holds extensions Chrome unpacked from a CRX package (Web Store or sideloaded); an extension loaded unpacked through Developer mode stays in whatever directory the user chose and is recorded only in the profile's preference files ('Secure Preferences' / 'Preferences'), which also hold each extension's install time, install location and whether it came from the Web Store.
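The following script is an added example written for this page; it is not ITM project code. It walks every profile under a Chrome 'User Data' directory using the layout described above, parses each manifest.json, resolves '__MSG_...__' names from _locales, and flags the broad permissions (webRequest, cookies, tabs, clipboardRead, <all_urls> and similar) that the IF009.007 entry below calls out. The fake profile it builds in a temporary directory, including the two extension IDs, is constructed for the demo; pass a real or copied 'User Data' path as the first argument to run it against an actual device.

```python
"""Inventory Chrome extensions from an on-disk profile and flag broad permissions.

Added example for this page, not ITM project code. Assumes the layout
<User Data>/<profile>/Extensions/<id>/<version>/manifest.json; the demo
builds a constructed fake profile in a temp directory so it runs offline.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Manifest permission names that give an extension reach into sessions, tabs and
# browsing traffic. The names are Chrome's; which ones to flag is our choice here.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "tabs", "clipboardRead",
    "history", "debugger", "nativeMessaging", "proxy", "scripting", "<all_urls>",
}

def default_user_data_dir() -> Path:
    """Chrome 'User Data' directory for the current user on Windows, macOS or Linux."""
    home = Path.home()
    if os.name == "nt":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return local / "Google" / "Chrome" / "User Data"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome"
    return home / ".config" / "google-chrome"

def resolve_msg(value, ext_dir: Path, default_locale):
    """Resolve a '__MSG_key__' placeholder via _locales/<locale>/messages.json."""
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[len("__MSG_"):-2]
    for locale in (default_locale, "en", "en_US"):
        if not locale:
            continue
        msgs = ext_dir / "_locales" / locale / "messages.json"
        if msgs.is_file():
            entry = json.loads(msgs.read_text(encoding="utf-8-sig")).get(key)
            if entry:
                return entry.get("message", value)
    return value  # unresolved: keep the raw placeholder rather than guess a name

def inventory(user_data: Path) -> list:
    """Walk every profile's Extensions folder; return one record per installed version."""
    records = []
    for manifest in sorted(user_data.glob("*/Extensions/*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            m = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the sweep
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        perms = {p for p in m.get("permissions", []) + m.get("host_permissions", [])
                 if isinstance(p, str)}
        records.append({
            "profile": version_dir.parents[2].name,  # e.g. 'Default', 'Profile 1'
            "id": version_dir.parent.name,           # 32 chars, a-p
            "version": m.get("version"),
            "name": resolve_msg(m.get("name"), version_dir, m.get("default_locale")),
            "manifest_version": m.get("manifest_version"),
            "permissions": sorted(perms),
            "risky": sorted(perms & RISKY_PERMISSIONS),
            "has_background": "background" in m,     # persistent script / service worker
        })
    return records

def build_sample_profile(root: Path) -> Path:
    """Constructed fake 'User Data' tree with two extensions (the IDs are not real)."""
    user_data = root / "User Data"
    # A localized extension with a narrow permission set, in the Default profile.
    a = user_data / "Default" / "Extensions" / ("a" * 32) / "1.2.0_0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__", "version": "1.2.0",
        "default_locale": "en", "permissions": ["storage"]}))
    (a / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Tab Tidy"}}))
    # A 'productivity' extension in a second profile asking for broad access.
    b = user_data / "Profile 1" / "Extensions" / ("b" * 32) / "0.9_0"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "AI Sidebar Helper", "version": "0.9",
        "permissions": ["tabs", "cookies", "webRequest", "clipboardRead", "<all_urls>"],
        "background": {"scripts": ["bg.js"], "persistent": True}}))
    return user_data

def run_demo() -> list:
    """Run the inventory over the constructed profile and return its records."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(Path(tmp)))

if __name__ == "__main__":
    # argv[1]: a real or copied 'User Data' directory; without it, the offline demo runs.
    recs = inventory(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for r in recs:
        tag = "REVIEW" if r["risky"] else "ok"
        print(f"[{tag}] {r['profile']} {r['id']} {r['name']!r} v{r['version']} "
              f"MV{r['manifest_version']} risky={r['risky']}")
```

The script reads the Extensions tree only, so it will not see an extension loaded unpacked via Developer mode; for those, and for install timestamps and the Web Store flag, the profile's 'Secure Preferences' / 'Preferences' files have to be parsed as well. Run it against a forensic copy of the profile rather than the live directory where possible, since Chrome rewrites files under 'User Data' while running.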

Sections

IF008 - Inappropriate Web Browsing

A subject accesses web content that is deemed inappropriate by the organization.

IF008.001 - Lawful Pornography

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

IF008.002 - Unlawful Pornography

A subject accesses unlawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment and, potentially, the law.

IF008.003 - Terrorist Content

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

IF008.004 - Extremist Content

A subject accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

IF008.005 - Gambling

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.006 - Inappropriate Usage of Social Media

A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image.

IF008.007 - Gaming

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.008 - Other Inappropriate Content

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

PR003.004 - Installing Browser Extensions

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

ME003.004 - Browser Extensions

The organization permits the installation or execution of unapproved browser extensions, introducing a mechanism by which web-accessible systems, authentication workflows, or data transactions can be intercepted, altered, or exploited. These extensions often operate with elevated browser-level permissions, including access to cookies, session tokens, clipboard content, keystrokes, or internal URLs. In environments where business systems are browser-based and authenticated via SSO or tokenized workflows, this exposure enables passive surveillance or active manipulation of sensitive operations.


Unapproved extensions typically fall outside the control perimeter of traditional endpoint detection tools or access control frameworks. When extension installation is user-controlled or unmonitored, it creates a circumstance in which subjects - intentionally or otherwise - can introduce new capabilities for access, data exfiltration, or surveillance. This includes extensions sourced from public repositories, sideloaded packages, or internally developed tools lacking code review or deployment controls.


The presence of ungoverned extension capability constitutes a durable and distributed access mechanism, especially in cloud-forward or hybrid environments where browser access is the primary interface to organizational systems. In many cases, infringement is made possible not by elevated privilege in the operating system, but by the absence of control within the browser execution layer.

IF009.007 - Installation of Unapproved Browser Extensions

The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.


Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g., webRequest, cookies, tabs, clipboardRead) and operate with persistent background scripts that are difficult to detect through normal endpoint monitoring.


This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.


Examples include:


  • Installing a GitHub-hosted ChatGPT sidebar extension that silently logs visited URLs and API keys used in developer consoles.
  • Deploying a YouTube downloader that injects scripts for ad click fraud or SEO manipulation.
  • Using a browser extension to auto-fill forms with personal data, which transmits data to offshore analytics servers.
  • Loading unpacked or custom extensions that disguise themselves as utilities but include base64-encoded malware installers.


While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls.