Welcome to the 1st issue of OSINT Pros. This post is technical: it covers the risks of using browser extensions in your work, along with a few ways to stay safe.
🤔 Think for a Minute
Before we move ahead, let’s do a small task.
Ask yourself how many browser extensions are installed in your browser?
How many of them have you used in the last 7 days?
Do you remember the last time you reviewed them?
Can you trust the developers of these extensions?
Overview
If you search for OSINT browser extensions on Google, you will find a lot of useful collections, including our own, Awesome Browser Extension for OSINT.
We have 363⭐ and 28 forks. I remember when we created this repo and posted about it on our socials: the post got amazing traction, with views in the thousands and likes and bookmarks in the hundreds. Everything looks good, but here’s the other side of the story: we haven’t updated this repo for almost a year. We haven’t reviewed any of the extensions mentioned in this repo for a really long time. A lot of people trust us and will install any extension mentioned in our repo without giving it a second thought, and this is where the problem arises. What if we accepted a pull request by mistake and a malicious browser extension got added to this collection? Or what if a browser extension mentioned in our collection gets sold and the new owners use it for malicious purposes?
All this may sound like a fairy tale, but you will see these things happening in the real world.
I don’t know about others, but I always take responsibility for what I post anywhere on the internet. But not everyone has the same perspective. The cybersecurity and OSINT industry is full of people who will promote a new product for money without even trying it once. If you think I’m kidding, just give me $1000 and I will show you a real-world demo of this.
Case Study -
OsintS was a malicious Firefox extension. It was presented as a “powerful browser extension” designed to optimize OSINT workflows and improve research efficiency for cybersecurity professionals, investigative journalists, and OSINT beginners. In Feb25, ProjectFox wrote a detailed blog about it, which went viral. Before that, back in April 2024, a malware called OsintX was distributed on the Discord server of the OSINT-FR community. This slip-up is the first clue suggesting that the same malicious actor is behind both extensions and failed to fully modify the description when publishing OsintS.
Recommended Reading
Last year, while exploring Twitter, I came across a blog that changed my point of view. It was a writeup by a person who bought a popular browser extension and showed his POV. Read Buying browser extensions for fun and profit.
Let’s now understand what can be done by a browser extension.
For this you need to know the fundamentals of the web. Whenever you log in to a website, it stores a cookie or token (consider it to be a long random string) in your browser. Then, every time you open any page on that website, your browser sends that cookie/token in the request it sends to the server to fetch data. A lot of extensions ask for permission to read cookies, and if you have granted that, they can steal your cookie/token and misuse it. Your cookie/token is your digital card: on most websites, whoever has it can do anything on that website that you can do.
Profiler.me is our own product. We use JWT for authentication, just like other websites. For security reasons, our JWTs are short-lived: they work for only 30 minutes and are renewed every 30 minutes. If you have installed a malicious extension and given it permission to access cookies on all pages, it can view the JWT stored in your browser, and that token can be used to perform searches on our platform on your behalf and to view your search history, billing page, etc., depending on your account settings on our platform.
This is not a security issue on our platform; this is how the internet works and is designed to work. While we issue short-lived tokens, most websites issue tokens with a validity of usually one month to 12 months, so an attacker can continue to use that token for a long time without you even noticing.
Forget this, let me give you one more example.
A lot of OSINT tools give API access. So, when you are generating an API key on their website, such an extension can also read that API key in most cases. In many cases, people themselves share their API keys with an extension that provides a feature for ease of use.
I think that much is enough to understand how harmful it can be. Now, let’s talk about solutions.
Use fewer browser extensions - Don’t install browser extensions just for fun. If you want to try out a new browser extension, do it in a separate browser.
Check the permissions - Pay attention to what permissions they are asking for. If an extension asks for a permission that is not expected, it’s a red flag.
Verify the developer - Always pay attention to who the developer of the browser extension is. Try to verify their identity. Hackers are also very smart, so don’t expect them to give you any reason to suspect them. They try to look as legitimate as possible. Some even buy fake ratings to look legitimate.
Don’t get excited by seeing a new collection - If you come across a new collection of browser extensions, pay attention to when that collection, blog, article or post was written and who wrote it. Sometimes hackers themselves spread these collections.
Check if someone has already reported it as malicious - There are lots of feeds of malicious browser extensions. I personally use ExtSentry; it’s an open source project on browser extension threat intelligence. It has a feed of 1780 malicious extensions and 99 sensitive extensions. It has lots of cool features that you can read about on their website.
Link - https://extsentry.github.io/#dashboard
Use extensions that are made by companies that can be trusted - I always prefer to use products made by big corporations, as they have teams dedicated to cybersecurity, so their chances of getting hacked are lower.
Use Socket.dev - Before installing, let socket.dev scan the extension’s source code for malicious behaviour. It’s mainly used by enterprises to prevent supply chain attacks, but it is useful for our use case too.
Regularly review installed extensions - If you haven’t used an installed extension in the last 30 days, remove it.
Use different browsers for different use cases - Use separate browsers for personal and professional work.
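To make the “Check the permissions” and “Regularly review installed extensions” steps concrete, here is an added example (not code from this newsletter or from any tool named in it) that reads extension manifest.json content and flags the combination described earlier: cookie access together with access to every site. The list of sensitive permissions, the risk levels and the sample manifests are assumptions made for the example.

```python
import json

# Permissions that expose session data or browsing activity (subset chosen for this example).
SENSITIVE = {"cookies", "webRequest", "tabs", "scripting", "history", "clipboardRead"}
# Match patterns that cover every website.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Summarise the risky permissions and host access one manifest declares."""
    perms = {p for key in ("permissions", "optional_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)}
    # Manifest V3 lists host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts reach pages through their own match patterns.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & BROAD_HOSTS)
    sensitive = sorted(perms & SENSITIVE)
    if "cookies" in perms and broad:
        level = "high"      # cookie access on every site: the case described above
    elif broad or sensitive:
        level = "review"    # wide or sensitive access; check it matches the stated purpose
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level,
            "sensitive": sensitive, "broad_hosts": broad}

# Constructed sample manifests (not real extensions).
SAMPLES = [
    '{"manifest_version": 3, "name": "Constructed Helper", '
    '"permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}',
    '{"manifest_version": 2, "name": "Constructed Translator", '
    '"permissions": ["activeTab", "storage"]}',
    '{"manifest_version": 2, "name": "Constructed Notes", '
    '"permissions": ["tabs", "https://example.com/*"]}',
]

def audit_all(raw_manifests):
    """Parse each manifest JSON string and audit it."""
    return [audit_manifest(json.loads(raw)) for raw in raw_manifests]

if __name__ == "__main__":
    for result in audit_all(SAMPLES):
        print(result["level"], result["name"], result["sensitive"], result["broad_hosts"])
```

To run it on your own browser, feed it the text of the manifest.json files found in the Extensions folder of your browser profile instead of the constructed samples.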
📝📝 My Take
I have always followed an approach of reducing attack surface. Firstly, I use three different profiles in Edge (one for personal, one for work and one for trying out new websites). I use browser for research and exploring unknown risky websites.
Secondly, I don’t use many browser extensions. As of today, I have only 4 browser extensions - ProtonPass, Grammarly, Google Translate, McAfee Advisor. All 4 are from trusted and really big companies.
Third, I always check reviews on Google and Reddit for any browser extension I install.
⏳ Need for feedback
If you have any suggestions or feedback about it, feel free to comment. If you leave a good suggestion, I will add it to the post too.
If you want me to learn more about this topic, comment and let me know. If we get at least 5 people interested in it, I will be happy to take a class on this topic with a live demo and can go deep into Chrome extension forensics.
🎉🎉 About the Newsletter
Our club has 5 people now, which is more than I expected. Thanks to all of you who have shown trust in something that didn’t even exist till yesterday.
My focus will only be on content as of now, so it doesn’t matter how many people join this club. I will continue to publish more and more high-quality content until people themselves feel they are missing something.
Shall I write the next post on “Free Username Checkers available on Github”?
Have a Good Day.
Don’t forget to leave a comment. If you like it, comment anything positive; if you don’t like it, feel free to say it’s not good and why you feel it’s not good. You can be as brutal as you want, I don’t mind that, just give feedback.


