“Cookie-Bite” attack: How Chrome extensions can hijack site logins
Posted by Joshua Long
Though popular, web browser extensions are not necessarily safe. Just like any software you might install on your computer, they can contain malicious code designed to do evil things. The latest demonstration of extensions’ potential harm comes in the form of a proof-of-concept (PoC) malware attack. Security researchers have developed “Cookie-Bite,” which demonstrates how a Chrome extension can surreptitiously hijack session tokens.
In plain English, that means that bad guys can log into almost any site as if they were you. And all they have to do is trick you into installing a seemingly harmless browser extension. Or, if they’ve gained access to your computer, they can install the malicious extension without you knowing about it.
Let’s explain how the Cookie-Bite attack concept works—and why you might want to avoid installing extensions in general.
How the Cookie-Bite PoC attack works
Generally speaking, whenever you log into a site, you enter your username and password, and perhaps complete an additional step for two-factor authentication (2FA, aka two-step verification or 2SV). Once the site is satisfied, its server sends your browser a “session cookie”: a small piece of data that the browser stores and silently sends back with every subsequent request, which is what keeps you logged in. That cookie already represents a completed login, 2FA included, and nothing in it ties it to your machine unless the site deliberately binds it to the device that obtained it. So if a threat actor steals the cookie and loads it into a browser on their own computer, they will usually be instantly logged in as you, bypassing the need for your username, password, and 2FA method.
The researchers who developed Cookie-Bite limited its scope to stealing Microsoft cookies used for authentication. But, they point out, it could just as easily be redesigned to steal cookies related to Google or any number of other sites—presumably including Apple services like iCloud.
Cookie-Bite watches for visits to Microsoft login pages. As soon as the browser has stored the authentication cookies from a successful login, the extension reads them and exfiltrates them to the attacker by submitting a Google Form in the background, entirely without the user’s knowledge or consent. Sending the data to a legitimate Google domain also means the upload looks like ordinary web traffic rather than a connection to an attacker’s server. Note what this requires: an extension can only read another site’s cookies through the browser’s extension API if its manifest requests the “cookies” permission together with host access to that site, so the permissions an extension asks for at install time are one of the few warning signs a user can actually see.
When the researchers uploaded their proof-of-concept extension to VirusTotal, none of its more than 60 antivirus engines flagged the extension as malicious. That is not surprising: a small, previously unseen extension that uses only ordinary browser APIs gives signature-based scanners little to match on, which also means a clean VirusTotal result is not evidence that an extension is safe.
Although the PoC was built for Google Chrome, it would presumably work with little or no modification in any other Chromium-based browser on Mac, Windows, or Linux, and could be ported to other browsers that use the same WebExtensions API. Chrome is the most popular desktop browser in the world, with a roughly 66% market share. Microsoft Edge, which is also based on Chromium (the open-source project underlying Chrome), is number two, with a 13% market share. These and other Chromium-based browsers support extensions from Google’s Chrome Web Store.
Avoid extensions whenever possible
In the past, we’ve reported fairly extensively on why it’s crucial to avoid installing browser extensions.
A couple of years ago, we noted on the Intego Mac Podcast that dozens of extensions in the Chrome Web Store contained unwanted and undisclosed search-hijacking code. These extensions had been installed 87 million times before Google finally removed them from the store.
Even good extensions can turn bad. Developers often lose interest in a project, and threat actors posing as legitimate developers swoop in and offer money to take over abandoned ones. Because browsers install extension updates automatically, whoever controls the listing can push malicious code to every existing user in a single release.
On top of that, overtly malicious extensions have also made their way into the Chrome Web Store. As just one example, in March 2023 we wrote about a fake ChatGPT extension that hijacked Facebook accounts. It used a method similar to the Cookie-Bite PoC, but this “FakeGPT” was actual, in-the-wild malware.
And malware isn’t the only concern. Just this past August, we wrote about how 40,000 extensions—with 500 million users—contained at least one known vulnerability. This accounted for almost one-third of all extensions in the Chrome Web Store at the time.
My recommendation is to avoid using any extensions at all—unless you’re absolutely sure you can trust the developer.
Advertisement and tracker blockers are among the most popular extensions. The only ad-blocking extension that I both trust and personally use is uBlock Origin by Raymond Hill. Wladimir Palant’s Adblock Plus is fine, too; both developers understand browser security well. Better yet, you can use a browser with built-in ad blocking, such as Brave, a privacy-focused, Chromium-based browser; see our comparison of desktop browser privacy.
How can I learn more?
We discussed Cookie-Bite in episode 393 of the Intego Mac Podcast.
Additionally, in August we covered other reasons why browser extensions are a security nightmare:
Chrome extensions are a security nightmare; here’s why you should avoid them
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter, keep an eye here on The Mac Security Blog for the latest Apple security and privacy news, and follow Intego on your favorite social media channels.