Tuesday, 02 January 2024 12:17 GMT

Browser Domains Under Threat From Hidden Extension Injection


(MENAFN- The Arabian Post)

A newly disclosed vulnerability allows threat actors to surreptitiously install arbitrary extensions on Chromium-based browsers within Windows domain environments, circumventing typical user alerts and security checks. The technique hinges on manipulating how Chrome and its derivatives store extension settings and validations in preference files.

Security researchers demonstrated that by editing specific preference files in a user's profile, an attacker can mark a malicious extension as a “component” extension, a category normally reserved for built-in browser modules and hidden from extension management pages. The manipulated extension gains persistence without triggering the usual warnings to the user.

Such an exploit becomes especially dangerous in enterprise settings where browsers are domain-joined and administrators expect protection from unauthorised extensions. Traditional safeguards, such as group policy restrictions or application whitelisting, may not detect the change since no registry modification, signature tampering, or elevated privileges are needed.

The attack leverages the internal classification system within Chromium's architecture, where each extension is tagged with a “location” type that determines its visibility and privileges. By reassigning a malicious extension to kComponent, adversaries make it invisible to users, since component extensions are typically hidden from the extensions UI and trusted implicitly.

While the researchers did not rely on a zero-day exploit, their method exploits the logic behind how preference files are parsed and how extension classification is processed. They emphasised that the modification requires only low privileges in the user space, avoiding detection by many endpoint security tools.

Cybersecurity firms flagged the issue as emblematic of a “blind spot” in Chromium's security model: even well-maintained systems may be vulnerable when internal settings are manipulated. One firm described it as enabling “persistent, invisible compromise” of user sessions without tangible signs of tampering.


This flaw sits alongside other active threats targeting browser extension ecosystems. One campaign across Latin America used phishing lures to install malicious extensions on Chrome, Edge, and Brave, harvesting credentials and banking tokens across more than 700 users. The scheme operated via a multi-stage chain, from script delivery to extension forcing through policy manipulation.

Another wave of attacks involved sleeper extensions quietly embedded in Chrome and Edge for months, only to activate malicious behaviour later via updates: redirecting browsing sessions, exfiltrating URLs, and manipulating web traffic. These campaigns affected millions of users and reflect a broader trend in weaponising browser extensions as vectors of espionage and intrusion.

Adding to the complexity, security researchers identified dozens of legitimate extensions on Web Stores that had inadvertently embedded hard-coded API secrets, telemetry endpoints transmitting data over unencrypted channels, or insecure handling of user tokens. Through these flaws, attackers could escalate an otherwise minor compromise into a full session hijack.

Browser developers and enterprise defenders face a tough balance: restricting extensions too aggressively can break functionality, while overly permissive policies allow subtle manipulation of local configuration files. Some firms now recommend validating preference file integrity, enabling file-system monitoring around user profile directories, and applying stricter cryptographic protections for extension metadata.

In response to these threats, instrumentation at tiered levels (file integrity checks, behaviour monitoring of extension APIs, and anomaly detection in browser traffic) has become essential. Some security platforms are adapting to detect extensions that behave as component modules without being formally recognised.
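One concrete form of the preference-file check described above, written as an added example for this article rather than code from the researchers or any vendor: it parses a Chromium profile's preferences JSON and reports every extension whose “location” claims component status but whose id is not on an allowlist of components the browser build is known to ship. The key names (extensions.settings, location, from_webstore, manifest.name) and the numeric ManifestLocation values are assumptions taken from Chromium's source layout, not from the article, and should be confirmed against the browser version being audited; the sample profile and extension ids are constructed placeholders.

```python
import json

# Chromium stores per-extension state under extensions.settings.<id> in the
# profile's "Preferences" / "Secure Preferences" JSON files, with an integer
# "location" field drawn from the ManifestLocation enum. The numeric values
# below are an assumption based on current Chromium source; confirm them
# against the browser build you are auditing.
K_COMPONENT = 5
K_EXTERNAL_COMPONENT = 10
COMPONENT_LOCATIONS = {K_COMPONENT, K_EXTERNAL_COMPONENT}


def suspicious_component_extensions(prefs, known_component_ids):
    """Return entries marked as component extensions whose id is not on the
    allowlist of components this browser build is known to ship."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        if entry.get("location") not in COMPONENT_LOCATIONS:
            continue
        if ext_id in known_component_ids:
            continue
        findings.append({
            "id": ext_id,
            "name": entry.get("manifest", {}).get("name", "<unknown>"),
            "location": entry["location"],
            # A genuine built-in component is never a Web Store install, so a
            # True here strengthens the finding.
            "from_webstore": bool(entry.get("from_webstore", False)),
            "path": entry.get("path", ""),
        })
    return findings


def scan_preferences_file(path, known_component_ids):
    """Load a Preferences / Secure Preferences file and scan it."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_component_extensions(json.load(fh), known_component_ids)


# Constructed sample profile (not a real capture); ids are placeholders.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": True,
        "manifest": {"name": "Ordinary Web Store add-on"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 5,
        "manifest": {"name": "Built-in module"}},
    "cccccccccccccccccccccccccccccccc": {"location": 5, "from_webstore": True,
        "path": "cccccccccccccccccccccccccccccccc\\1.0_0",
        "manifest": {"name": "Helper"}},
}}}
KNOWN_COMPONENT_IDS = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}

if __name__ == "__main__":
    for finding in suspicious_component_extensions(SAMPLE_PREFS, KNOWN_COMPONENT_IDS):
        print(finding)
```

Running the scan on a schedule, or from a file-integrity alert on the profile directory, turns a silent reclassification into a reviewable event; the allowlist should be built from a clean reference install of the same browser version.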
