Browser extensions stole sessions

Security researchers found 108 malicious Chrome extensions that were harvesting session and Google data and injecting ads through a shared command-and-control setup. Separate analysis warns that a supposed LinkedIn 'BrowserGate' scandal has been overblown, but both stories underline browser-extension risk to session security. (infosecurity-magazine.com) (cybernews.com)

A browser extension is a mini-program inside Chrome, and this week researchers said 108 of them were quietly stealing sessions, account data, and ad revenue from users. (socket.dev) Socket said the 108 extensions were tied to one command-and-control domain, published under five seller names, and had about 20,000 Chrome Web Store installs combined when the report was published on April 13, 2026. (socket.dev) The researchers said 54 extensions harvested Google account identity data through OAuth, one stole Telegram Web sessions every 15 seconds, three stripped security headers on YouTube or TikTok pages to inject ads, and 45 carried a backdoor that could open arbitrary pages when Chrome started. (socket.dev)

A session is the proof that a site has already logged you in, usually stored in cookies or browser storage, and stealing it can let an attacker act as you without your password. Chrome’s extension system allows add-ons with the right permissions to read cookies and change page behavior on approved sites. (developer.chrome.com 1) (developer.chrome.com 2) That is why a harmless-looking add-on can become a security problem: Chrome permits extensions to request powers such as reading cookies, changing data on websites, or starting with the browser before a user opens a window. (developer.chrome.com)

A separate April 14 analysis from Cybernews said claims of a giant LinkedIn “BrowserGate” espionage scandal went too far, even though analyst Tyler Reguly said LinkedIn was using a real technique called resource probing to check whether some extensions were installed. (cybernews.com) Two class-action complaints were filed in the Northern District of California on April 7 over those LinkedIn scans, and LinkedIn told MediaPost the allegations were “a house of cards built entirely upon a fabrication.” The company also said it checks for extensions that scrape data or violate its terms, not to infer sensitive traits. (mediapost.com)

The two stories are not the same. In the Chrome campaign, researchers described code that exfiltrated tokens and sessions to attacker-controlled servers; in the LinkedIn dispute, the confirmed behavior was website code probing for installed extensions, with the broader spying claims still disputed. (socket.dev) (cybernews.com) (mediapost.com)

Google’s extension model still depends heavily on permissions, store review, and user trust, and Socket said the malicious extensions were still live when it published its report and that it had sent takedown requests to Chrome Web Store security and Google Safe Browsing. (socket.dev) The immediate question is not whether extensions are useful; it is which ones can read the same login proof that keeps email, messaging, and video accounts open in a browser tab. (developer.chrome.com) (socket.dev)
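The practical check that follows from the permission discussion above is to audit which installed extensions hold the combination of powers named there: cookie access, header rewriting, broad host access, and a background component that runs at browser start. The script below is an added example, not code from Socket, Cybernews, or Chrome; the risk descriptions and the "HIGH" rule are my own triage assumptions, and the profile layout `Extensions/<id>/<version>/manifest.json` is the on-disk layout Chrome uses for installed extensions.

```python
import json
from pathlib import Path

# Triage labels are assumptions for this example, not a Chrome classification.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for permitted hosts",
    "webRequest": "can observe requests, including auth headers",
    "webRequestBlocking": "can modify or strip request/response headers",
    "declarativeNetRequest": "can rewrite headers such as CSP on matched pages",
    "scripting": "can inject scripts into pages",
    "tabs": "can open or navigate tabs, including at startup",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def flag_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest (Manifest V2 or V3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 puts host match patterns inside "permissions"; MV3 uses host_permissions.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"{p}: {RISKY_PERMISSIONS[p]}")
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("HIGH: cookies plus all-site host access can read every session")
    if "background" in manifest:
        findings.append("background component: code runs when Chrome starts")
    return findings


def scan_extensions(root: Path) -> dict[str, list[str]]:
    """Walk a Chrome profile's Extensions directory and map extension id -> findings."""
    report = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            findings = flag_manifest(json.load(fh))
        if findings:
            report[manifest_path.parent.parent.name] = findings
    return report


# Constructed sample manifest showing the risky combination; not a real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "sample-extension",
    "permissions": ["cookies", "declarativeNetRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    for line in flag_manifest(SAMPLE_MANIFEST):
        print(line)
```

To audit a real profile, call `scan_extensions(Path.home() / ".config/google-chrome/Default/Extensions")` on Linux (adjust the profile path for other platforms) and review any extension that reports a "HIGH" finding.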
