Koi Security published a report identifying eighteen Chrome and Edge extensions, with a combined three million installs, that scrape user banking dashboards and session data. This video walks through the technical pattern, the precedent set by the December 2024 Cyberhaven incident, and why Manifest V3 and the Chrome Web Store's automated review pipeline failed to stop it.
Covered in this episode:
18 malicious extensions across Chrome and Edge, ~3M combined installs (Koi Security report)
December 2024 Cyberhaven incident: phished developer account, malicious update pushed to users
All flagged extensions declare Manifest V3, mandatory across the Web Store since June 2024
Permission patterns: host_permissions on banking domains, combined with the scripting, storage, and cookies APIs
Chrome Web Store automated review pipeline described in Google's February security blog post
Google Chrome Security team's Web Store review policy update scheduled for December
00:00 Malicious Chrome extensions stealing banking data
00:50 Cyberhaven developer phishing incident parallels
02:23 How extensions request dangerous permissions
05:35 Chrome Web Store review system failures
09:19 Google addresses policy update timeline
Sources referenced: Koi Security's published research report, Cyberhaven's December 2024 post-incident disclosure, Google's Chrome Security blog (February), and Google's Chrome Web Store developer policy documentation.