Blog
Research, findings, and updates on browser extension security.

The Word 'Toad' Gave Any Website Full Control of Chrome's Most Popular VPN
Urban VPN's Chrome extension accepted commands from any website via postMessage with no origin validation. Any page could disconnect your VPN, reroute your traffic, disable security features, and more - silently, with zero user interaction.

The AI Chat Scraping Extension Wall of Shame
We compiled a list of extensions that we found scraping users' AI chats, or that have the infrastructure to do so, with little or no disclosure.

Spin AI vs Am I Being Pwned - What the Data Says
We ran 2.5k Chrome extensions through Spin AI's free scanner. Urban VPN and Stylish scored as low risk. uBlock Origin scored as medium risk.

We open-sourced PGP Tools - a browser extension that does PGP properly
We published an open-source PGP browser extension built on Rust/WebAssembly. Private keys stay in WASM memory, passkey unlock via WebAuthn PRF, and the full source is on GitHub.

Am I Being Pwned founder added to Belgium's CCB Wall of Fame
James Arnott, founder of Am I Being Pwned, has been recognised on the Centre for Cybersecurity Belgium's Wall of Fame for responsibly disclosing vulnerabilities through their Coordinated Vulnerability Disclosure Program.

MultiPassword CVSS 8.3 - A password manager that could leak passwords
MultiPassword, a password manager trusted by over 1 million users worldwide, leaked usernames, passwords, URLs and Time-based One Time Passcodes (TOTP) through a low-skill attack, in specific but very co

Stylish is Back, Back again!
Stylish, a Chrome extension with over 2 million users, got called out in 2018 for exfiltrating every URL you go to, caught by Robert Heaton in this blog post. He also made a follow-up when it came back her