Before the world said goodbye to 2024, it said hello to a malicious campaign targeting 2.6 million people.  The victims represented thousands of organizations.  Their identity data and cookies had been compromised in a sweeping attack campaign that exploited browser extensions.

Welcome to 2025!

So, here’s what happened. Cyberhaven, a data security company, revealed that its browser extension had been breached. Attackers injected malicious code into the extension, giving them the ability to steal Facebook cookies and authentication tokens. In simpler terms, they turned a seemingly innocuous tool into a direct pipeline for siphoning sensitive information.

The lesson here is clear: no part of your tech stack is too minor to warrant scrutiny. Whether it’s browser extensions or core applications, it’s critical to continually assess and lock down your security environment to prevent these types of threats. Anything less, and you could be the next organization scrambling to pick up the pieces, which is why you want a third-party assessment like the one that Galactic offers.

Malicious browser extensions are emerging as a potent and under-recognized attack vector. In this recent attack, the attackers compromised Cyberhaven's browser extension and injected it with malicious code to steal users’ Facebook cookies and authentication tokens.

If you think this type of breach is rare, think again. Browser extensions are often overlooked in security strategies, yet they are a growing attack vector. They’re small tools with big risks because they offer a gateway for attackers targeting cookies, authentication tokens, and sensitive user data. This isn’t just a new risk, and the Cyberhaven attack shouldn’t be overlooked as just another headline. Make no mistake about this: it is a call to action.

A Growing Threat: The Alarming Statistics

While the Cyberhaven campaign was initially linked to one specific extension, further investigations revealed that over 35 browser extensions had been compromised, many still undetected at the time of disclosure. With 60% of corporate users having browser extensions installed, the scale of this vulnerability is staggering.

What makes this attack particularly dangerous is the type of data attackers are accessing through these extensions:

  • Cookies: Attackers use them for website authentication and session hijacking.
  • Passwords: Many extensions have permissions to capture plaintext passwords.
  • Web Content and Keystrokes: Extensions can monitor all user inputs, effectively functioning as keyloggers.

In this case, the exposed data opens doors to credential theft, account takeovers, and organizational breaches, risks that affect businesses long after the initial attack is mitigated.

Why Browser Extensions Are a Blind Spot

Browser extensions are often treated as harmless tools, yet many request permissions that provide broad access to sensitive user data. For example:

  • 66% of extensions have been identified as having “high” or “critical” permissions, according to recent industry data.
  • 40% of corporate users have at least one high-risk extension installed on their systems.

These permissions may include:

  • Reading or modifying cookies and authentication tokens.
  • Accessing browsing history and activity.
  • Capturing audio or video directly from user devices.

In the hands of malicious actors, this access translates into significant vulnerabilities for both individual users and corporate systems.
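As an added illustration (not Galactic's tooling or code from the original article), the sketch below maps the permission types listed above onto the entries a Chrome extension declares in its `manifest.json` and assigns each extension a risk tier. The tier assignments and the sample manifests are assumptions constructed for this example.

```python
import json

# Assumed tiers (illustrative mapping, not an official scoring scheme).
CRITICAL = {"cookies", "webRequest", "debugger", "tabCapture", "desktopCapture"}
HIGH = {"history", "tabs", "webNavigation", "clipboardRead", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ORDER = ["low", "high", "critical"]


def classify_manifest(manifest):
    """Return (tier, findings) for one parsed extension manifest.json."""
    perms = {p for key in ("permissions", "optional_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)}
    # Manifest V3 lists host patterns separately; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    findings = [("critical", f"permission {p}") for p in sorted(perms & CRITICAL)]
    findings += [("high", f"permission {p}") for p in sorted(perms & HIGH)]
    findings += [("high", f"host access {h}") for h in sorted(hosts & BROAD_HOSTS)]
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            # Injected into every page: can read page content and form input.
            findings.append(("critical", "content script on all sites"))
            break
    tier = max((t for t, _ in findings), key=ORDER.index, default="low")
    return tier, findings


def audit(manifests):
    """Map extension name -> tier, for a fleet-wide inventory report."""
    return {m.get("name", "<unnamed>"): classify_manifest(m)[0] for m in manifests}


# Constructed sample manifests (not taken from any real extension).
SAMPLES = [json.loads(s) for s in (
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["storage"]}',
    '{"name": "History Search", "manifest_version": 3, "permissions": ["history", "tabs"]}',
    '{"name": "Session Helper", "manifest_version": 3, "permissions": ["cookies"], "host_permissions": ["<all_urls>"]}',
    '{"name": "Form Filler", "manifest_version": 2, "permissions": ["storage"], "content_scripts": [{"matches": ["<all_urls>"], "js": ["fill.js"]}]}',
)]

if __name__ == "__main__":
    for name, tier in audit(SAMPLES).items():
        print(f"{tier:8} {name}")
```

On a real endpoint the manifests would be read from each browser profile's `Extensions/<id>/<version>/manifest.json` files instead of the embedded samples.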

The Fallout for MSPs and Their Clients

Unvetted browser extensions on corporate endpoints pose a unique risk for MSPs managing IT environments. When attackers exploit these vulnerabilities, the potential consequences include:

  • Credential Theft: Direct access to user accounts and corporate systems.
  • Session Hijacking: Using stolen cookies or tokens to impersonate legitimate users.
  • Data Exfiltration: Sensitive business data extracted without detection.

This risk compounds as more employees install high-risk extensions without oversight. For MSPs, this represents not only a client security issue but also a reputational and legal liability.

A Strategic Response to Mitigate Extension Risks

MSPs must take a proactive, strategic approach to managing browser extension risks. Galactic Advisors has developed a robust framework to address this growing threat, centered on third-party risk assessments that deliver actionable insights and security improvements. Here’s how:

  1. Comprehensive Extension Audits

We provide detailed assessments to uncover all installed browser extensions across client systems. Visibility is the foundation of effective risk management.

  2. Permission Mapping and Risk Categorization

Galactic Advisors evaluates the permissions granted to each extension, categorizing them by their risk levels. This step identifies high-risk extensions (such as those targeting cookies or capturing user inputs) that require immediate action.

  3. Tailored Recommendations

We recommend clear, actionable steps based on the specific environment. Whether this means restricting certain categories of extensions or introducing stricter installation policies, Galactic’s assessments prioritize operational feasibility and security outcomes.

  4. Building a Resilient Framework

Through third-party assessments, MSPs gain a clear roadmap to implement ongoing controls. Galactic helps craft organizational policies that define acceptable use, enforce extension whitelisting, and ensure continuous monitoring.

You Can’t Afford to Wait!

Browser extension-related attacks are growing in both volume and sophistication, leaving no time to delay. For MSPs, managing this risk isn’t just about securing IT environments. It’s about safeguarding your reputation and avoiding legal and regulatory consequences.

Galactic Advisors empowers MSPs to address this challenge head-on. Our third-party risk assessments provide actionable insights, identifying vulnerabilities like risky browser extensions before they become major threats. For example, our detailed findings enable MSPs to pinpoint high-risk extensions with broad permissions, like those targeting cookies or user authentication tokens—without hours of manual effort combing through client networks.

Already a Galactic partner? Access resources now in your partner portal to see how our reports simplify extension risk management with clear, prioritized recommendations. Not yet a partner? Contact us to learn how you can gain access to tools that deliver instant clarity and enable swift action.

Secure your clients. Secure your reputation.

Take the first step: schedule a third-party risk assessment today.