Browser Extensions: The Backdoor to Stealth Malware


Presented at SourceSeattle 2012 by

Browser extensions are widely used, yet users underestimate just how much control these pieces of software can exert over the computer they are installed on. Many browser frameworks also have no requirement that extensions report the level of access they require, essentially creating a black box that users must blindly trust. Browsers themselves have very few protections against rogue extensions, and those that are in place can be easily bypassed. Unfortunately, client-side security controls such as antivirus solutions are of little help as well, since they employ only rudimentary monitoring and detection capabilities for abusive extensions. Where does this leave the many users employing browser extensions? Very exposed. This talk will detail how malicious extensions are able to evade browser protections and antivirus solutions. The Firefox, Chrome and Internet Explorer extension frameworks will be covered, including live demonstrations and proof-of-concept exploits that illustrate how weaknesses in the three major browsers can be exploited. Various approaches to installing rogue extensions on different browsers will also be covered, including silent external installation, hijacking or replacement of existing extensions (adding code, hijacking the upgrade process, etc.) and bypassing administrator rights. While rogue extensions have been found in the wild, this attack vector has yet to reach its full potential. Rogue browser extensions represent an emerging threat: they require limited skills to create, are largely trusted by the general public, and are relatively hard to detect and remove once found to be malicious.
Talks: Google Talk on BlackHat SEO, OWASP San Diego and Bay Area

Tools: https://www.zscaler.com/researchtools.html
- BlackSheep (Firefox): detects the use of Firesheep on the same network
- Zscaler Safe Shopping (IE, Chrome, Firefox, Opera, Safari): blacklist of fake online stores
- Search Engine Security (IE, Chrome, Firefox, Fennec): protects against Blackhat SEO spam and hijacked sites
- Zscaler Likejacking Prevention (Firefox, Chrome, Safari, Opera): detects and protects against Facebook Likejacking

Paper: Google Safe Browsing v2: Implementation Notes

Libraries: Net::Google::SafeBrowsing2, Google Safe Browsing Lookup API for Ruby and Python

Blog: http://research.zscaler.com