Extension access to cookies: what can go wrong

Cookies are the small stickers your browser keeps so sites remember you—especially “session” cookies that mean you stay logged in. Extensions sit inside the browser with special powers: many can read or change those cookies even when ordinary websites cannot. This article explains, in plain language, what that access allows, real attack patterns, published figures from security research, and how to reduce risk.

Cookies in one minute

A cookie is a short piece of data a website stores in your browser. A session cookie often acts like a temporary badge: while it is valid, the site treats you as already signed in, so you are not typing your password on every click.

Websites can mark some cookies HttpOnly so normal page scripts cannot read them—this blocks many classic website hacks. Browser extensions are different: with the right permission, an extension can still reach many of those cookies through the browser’s privileged APIs. That is why extension risk is a separate problem from “malicious ads on a page.”

Reported scale (with sources)

The numbers below come from specific investigations or research preprints—treat them as snapshots, not a live dashboard. They illustrate that cookie-capable extensions operate at massive install scale and that criminal campaigns repeatedly pair extensions with cookie theft.

  • 4.3M users touched by a seven-year malicious-extension campaign (ShadyPanda)

    Security firm Koi reported that Chrome and Edge users were impacted across multiple phases; coverage noted spyware, backdoors, URL and fingerprint collection, and—in at least one cluster—explicit cookie exfiltration alongside search hijacking. See The Register summary.

  • 2,300+ users across five coordinated malicious extensions (enterprise HR/ERP)

    Socket’s research described extensions targeting Workday, NetSuite, and SuccessFactors, combining cookie exfiltration, DOM tricks to block admin pages, and (in one variant) injecting stolen cookies back with chrome.cookies.set. One listing alone reached about 1,000 users. Full write-up: Socket.

  • 100M+ installs (“hundreds of millions”) for extensions with risky cookie-related APIs

    Academic work analyzing Chromium extensions found that add-ons able to abuse APIs tied to cookie theft or modification collectively reach hundreds of millions of users—not because all are malicious, but because the same powerful APIs legitimate tools use are what malware needs. Paper: arXiv:2405.06830.

What an extension can actually do with cookie access

In Chromium browsers, the “cookies” permission unlocks the chrome.cookies family of calls. In practice, depending on paired host permissions, a developer can:

  • List cookies for a site (for example every cookie on *.your-bank.example).
  • Read values of session and preference cookies, including many marked HttpOnly for web pages.
  • Change or delete cookies—log someone out, swap in another session, or break security settings.
  • Listen for updates (login, logout, token refresh) and react immediately—Socket documented a 60-second timer re-checking login state in addition to live listeners.
  • Ship stolen values out over the network using fetch or similar, often alongside declarativeNetRequest to alter requests without you seeing page-level JavaScript.

None of this requires guessing your password. If the session cookie still works, an attacker imports it into another browser profile and may appear as you, sometimes bypassing MFA for that session—because the site already finished the “second factor” step when you logged in.

Risk outcomes (plain language)

  • Account takeover without a phishing email

    Silent export of session tokens from HR, finance, or cloud consoles while you work normally.

  • Long-lived access

    If tokens keep refreshing, automated timers and cookie listeners keep the attacker synced—Socket described periodic re-extraction.

  • Blocking your recovery

    Some campaigns blank admin or security pages so you cannot rotate passwords or review device sessions while theft continues.

  • Supply-chain surprises

    A once-clean extension can turn malicious after an update—large historical campaigns (e.g. ShadyPanda reporting) relied on trusted install counts before pushing harmful code.

Real-world patterns (documented)

  • Enterprise SaaS session theft. Coordinated Chrome extensions targeting HR/ERP platforms exfiltrated authentication cookies on a schedule, encrypted command traffic, and interfered with security UI—see Socket’s January 2026 analysis.
  • Long-haul extension campaigns. Reporting on Koi’s ShadyPanda research described millions of installs, surveillance behavior, and cookie exfiltration in specific offshoots—see The Register.
  • Research proof points. Public demonstrations (e.g. “Cookie-Bite”) showed extensions stealing Entra ID session cookies to illustrate MFA bypass scenarios—see BleepingComputer. These are controlled proofs but map to the same cookie mechanism criminals abuse.

What actually helps

  • Fewer extensions. Remove anything you no longer need; revoke broad “read all sites” tools unless the benefit is clear.
  • Read the permission bundle. Cookie access plus networking plus scripting is a different story than cookies alone on one domain.
  • Prefer publisher identity you can verify (company site, support channel), not anonymous “helper” brands.
  • Enterprise: allowlist extension IDs, monitor updates, and segment admin tasks to hardened profiles.
  • After suspected theft: sign out everywhere the app allows, rotate credentials, review active sessions, and remove suspicious add-ons before trusting the browser again.
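The “read the permission bundle” advice above, and the chrome.cookies capabilities listed earlier, can be turned into a quick triage check. This is an added example, not code from the article or from any vendor named in it: a Node.js script that grades an extension’s manifest.json by whether the cookies permission is paired with broad host scope and with scripting or request-rewriting APIs. The three sample manifests are constructed for illustration and do not describe real extensions.

```javascript
// Added example: triage a Chromium extension manifest for the cookie-theft
// permission bundle (cookies + broad hosts + scripting/request rewriting).
// Outbound fetch is available to every extension, so it is not a signal here.

const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SCRIPTING = new Set(['scripting', 'tabs']);
const REQUEST_REWRITE = new Set([
  'declarativeNetRequest', 'declarativeNetRequestWithHostAccess',
  'webRequest', 'webRequestBlocking',
]);

// Host match patterns ("https://*.example.com/*", "<all_urls>") never look
// like API permission names, which never contain "://".
const isMatchPattern = (p) => p === '<all_urls>' || p.includes('://');

function triageManifest(manifest) {
  const perms = manifest.permissions ?? [];
  // MV2 listed host patterns under "permissions"; MV3 moved them to "host_permissions".
  const hosts = [...(manifest.host_permissions ?? []), ...perms.filter(isMatchPattern)];
  const api = new Set(perms.filter((p) => !isMatchPattern(p)));

  const cookies = api.has('cookies');
  const broadHosts = hosts.some((h) => BROAD_HOSTS.has(h));
  const canScript = [...SCRIPTING].some((p) => api.has(p))
    || (manifest.content_scripts ?? []).length > 0;
  const canRewrite = [...REQUEST_REWRITE].some((p) => api.has(p));

  // Tiering follows the article: cookies alone on one domain is a different
  // story from cookies plus broad hosts plus scripting or request rewriting.
  let tier = 'none';
  if (cookies && broadHosts && (canScript || canRewrite)) tier = 'high';
  else if (cookies && broadHosts) tier = 'elevated';
  else if (cookies) tier = 'scoped';
  return { tier, cookies, hosts, broadHosts, canScript, canRewrite };
}

// Constructed sample manifests (hypothetical, not real extensions).
const SAMPLE_MANIFESTS = {
  scopedHelper: { manifest_version: 3, permissions: ['cookies'],
    host_permissions: ['https://*.your-bank.example/*'] },
  everythingBundle: { manifest_version: 3,
    permissions: ['cookies', 'scripting', 'declarativeNetRequest'],
    host_permissions: ['<all_urls>'] },
  legacyBroad: { manifest_version: 2, permissions: ['cookies', '*://*/*'] },
};

for (const [name, m] of Object.entries(SAMPLE_MANIFESTS)) {
  console.log(name, triageManifest(m).tier);
}
```

Feed it the manifest.json of an installed extension (or one unpacked from a CRX) to see which tier its declared permissions fall into before deciding whether the benefit justifies the bundle.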

For a broader review checklist, see our extension permissions guide and how to analyze an extension.

Spot risky extensions earlier

eSafe focuses on extension visibility, cutting tracking noise, and safer checkouts—use it together with tight install hygiene, not as a replacement for enterprise allowlisting or incident response.