It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Extension tension
Browser extensions are small pieces of software for augmenting the behavior of your web browser — for example, extensions designed to block ads. But researchers are finding no shortage of malicious uses for browser extensions that are commonly available on marketplaces like Google’s Chrome Web Store. Researchers at SquareX Labs demonstrated how a malicious extension can be used to detect and impersonate other extensions, including password manager extensions like 1Password, and then intercept information from users. These attacks also affect Microsoft Edge and other Chromium-based browsers, which use much of the same underlying technology as Google Chrome.
What you can do
- Because they can read and alter content in the browser, extensions are very powerful, so you really want to be certain that you need them and trust them before installation. This is a reminder that you can always check for potentially unwanted extensions and remove them to lower your risk. Chrome users can find them here: Three-dot menu > Extensions > Manage extensions
- Again, because these attacks apply to Chromium-based browsers, this may also affect Microsoft Edge, Brave (also via Chrome Web Store), and others.
- When downloading new extensions, it’s worthwhile to double-check that you got them from a legitimate source. Unfortunately, the Chrome Web Store is not as secure as we would like against these attacks. So it’s a good idea to research the legitimate source for your preferred extensions — for example, if you want the Electronic Frontier Foundation’s “Privacy Badger” extension, search independently and double-check that the extension listed on the Chrome Web Store matches the one listed at EFF. After confirming, you can feel more confident that you have exactly what you’re looking for and not a copycat.
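For readers comfortable with a terminal, the review of installed extensions described above can also be scripted. This is an added example, not code from FPF or SquareX: it assumes the usual Chromium profile layout (Extensions/<id>/<version>/manifest.json), the function names are made up for illustration, and the sample extensions are constructed data.

```python
import json, tempfile
from pathlib import Path

# Match patterns that give an extension access to every site you visit.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host match pattern a manifest requests (MV2 and MV3)."""
    pats = set(manifest.get("host_permissions", []))        # Manifest V3
    pats |= {p for p in manifest.get("permissions", [])      # MV2 lists hosts here too
             if isinstance(p, str) and ("://" in p or p == "<all_urls>")}
    for cs in manifest.get("content_scripts", []):           # scripts injected into pages
        pats |= set(cs.get("matches", []))
    return pats

def audit_profile(profile_dir):
    """Return one record per installed extension version, all-site access first."""
    rows = []
    for mf in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        pats = host_patterns(manifest)
        rows.append({"id": mf.parts[-3],
                     "name": manifest.get("name", "?"),  # may be a __MSG_...__ placeholder
                     "all_sites": bool(pats & BROAD),
                     "hosts": sorted(pats)})
    return sorted(rows, key=lambda r: (not r["all_sites"], r["name"]))

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions laid out like a profile."""
    samples = {
        "a" * 32: {"name": "Sample Ad Blocker", "manifest_version": 3,
                   "host_permissions": ["<all_urls>"], "permissions": ["storage"]},
        "b" * 32: {"name": "Sample Dictionary", "manifest_version": 2,
                   "permissions": ["storage", "https://dictionary.example/*"]},
    }
    for ext_id, manifest in samples.items():
        d = Path(root, "Extensions", ext_id, "1.0_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for row in audit_profile(build_sample_profile(tempfile.mkdtemp())):
        print("ALL SITES" if row["all_sites"] else "limited  ", row["name"], row["id"])
```

To run it against a real browser, pass the "Profile Path" shown at chrome://version to audit_profile. The 32-character ID in each result is the same one that appears in the extension's Chrome Web Store URL, so it can be compared with the link published by the developer.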
Updates from our team
- In our most recent advice column, we look at the threats journalists face if a prominent person targets them online and what can be done to lower risk. Give it a read.
- My colleague Davis Erin Anderson is leading an NYC School of Data session on keeping your data safe in 2025. If you're around NYC, come check it out at 2:30 p.m. on March 29, 2025. Learn more here.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation