Download access in one minute
When you save a PDF or installer, Chrome records a download item: source URL, suggested filename, path on disk (when available to the browser), MIME type, and state (in progress, complete, dangerous flag from Safe Browsing, etc.).
With the downloads permission, an extension can use chrome.downloads to search that history, listen for new downloads, start downloads programmatically, open a saved file, or remove the browser’s record of a transfer. None of that requires the extension to show you a faithful copy of what it is doing.
Reported scale (with sources)
Public research rarely labels victims as “download-permission only”—attackers bundle permissions. The figures below anchor extension-borne delivery at real-world scale; download APIs are one lever in a broader toolbox (network, scripting, cookies).
- 4.3M: users reported touched by a seven-year malicious-extension campaign (ShadyPanda)
Coverage of Koi’s findings described long-trusted extensions later pushing harmful updates, remote script retrieval, and broad surveillance—illustrating how browser-level trust can turn into execution and data access. See The Register.
- 300K: users attributed to one cluster of five extensions with a backdoor update (same reporting)
The same article summarized a subset of extensions that allegedly infected on the order of three hundred thousand users after a malicious update—again highlighting post-install update risk, which can include new download or filesystem-adjacent behavior in the browser. Source: The Register.
What the downloads permission usually enables
- Programmatic downloads — start a save from any URL the extension can reach, optionally setting filename or save location (within browser rules), which can plant droppers or decoy documents.
- Search and enumerate — query past and current downloads by URL, filename, time range, or danger type—useful for “clean up” tools and for profiling what software or documents you fetch.
- Event listeners — react the moment a download starts, completes, or is flagged—enabling real-time exfiltration of metadata or chained actions.
- Open a downloaded file — launch the OS handler for an item (where permitted), which can nudge you to run a malicious installer you thought was benign.
- Erase download history entries — remove rows from Chrome’s download list to reduce visibility after dropping a file (the file may still exist on disk).
Full API surface: chrome.downloads. Permission declaration: declare permissions.
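The capabilities above leave traces in the download records themselves. As an added example (not code from this page or from Chrome), the sketch below triages `DownloadItem` records of the shape `chrome.downloads.search` returns, using the `byExtensionId` field to attribute a download to the extension that started it. The allowlist, file-extension pattern, and sample records are constructed assumptions.

```javascript
// Constructed allowlist and sample records; IDs, paths and URLs are placeholders.
const ALLOWED_EXTENSION_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);
const RISKY_FILE = /\.(exe|msi|scr|bat|cmd|ps1|vbs|hta|lnk|dmg|pkg)$/i;

const SAMPLE_ITEMS = [
  { id: 1, url: "https://example.com/report.pdf", filename: "/home/u/Downloads/report.pdf", danger: "safe" },
  { id: 2, url: "https://cdn.example.net/u.exe", filename: "/home/u/Downloads/update_helper.exe",
    danger: "safe", byExtensionId: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", byExtensionName: "Example Theme" },
  { id: 3, url: "https://example.org/list.csv", filename: "/home/u/Downloads/list.csv",
    danger: "safe", byExtensionId: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", byExtensionName: "Approved Manager" },
  { id: 4, url: "https://example.com/tool.zip", filename: "/home/u/Downloads/tool.zip", danger: "uncommon" },
];

// Returns one finding per DownloadItem that deserves a closer look.
function triageDownloads(items, allowed = ALLOWED_EXTENSION_IDS) {
  const findings = [];
  for (const item of items) {
    const reasons = [];
    // byExtensionId is present only when an extension started the download.
    if (item.byExtensionId && !allowed.has(item.byExtensionId)) {
      reasons.push(`started by unapproved extension ${item.byExtensionId}`);
      if (RISKY_FILE.test(item.filename || "")) reasons.push("extension-initiated executable or script");
    }
    if (item.danger && item.danger !== "safe") reasons.push(`danger type: ${item.danger}`);
    if (reasons.length) findings.push({ id: item.id, filename: item.filename, reasons });
  }
  return findings;
}

// Inside an auditing extension: history rows can be erased, so log erasures as they
// happen instead of relying on a later search() alone.
if (typeof chrome !== "undefined" && chrome.downloads) {
  chrome.downloads.onErased.addListener((id) => console.warn("download row erased:", id));
  chrome.downloads.search({}, (items) => console.table(triageDownloads(items)));
} else {
  console.log(JSON.stringify(triageDownloads(SAMPLE_ITEMS), null, 2));
}
```

Outside a browser the block runs over the constructed sample and prints the two flagged records.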
Risk outcomes (plain language)
Silent or misleading saves
An extension can trigger downloads that look like “updates” or invoices while you are busy elsewhere in the browser.
Metadata tells a story
URLs and filenames expose which installers, contracts, or medical portals you fetched—even if you never opened the file.
Helping malware after the bytes land
Opening a downloaded payload or clearing the download row speeds execution and slows your investigation.
Chained with network and scripts
Download APIs rarely appear alone; combined with host access and page scripts, attackers can correlate “what you clicked” with “what you saved.”
How this fits real incidents
- Supply-chain style extension updates — Reporting on ShadyPanda emphasized trusted extensions that later pushed harmful capabilities across large user bases—see The Register. Download APIs are one path an updated extension might abuse alongside network and script access.
- User expectation gaps — Legitimate download managers and antivirus helpers need these hooks; unrelated “themes” or games usually do not—treat unnecessary download permission as a red flag.
What actually helps
- Match permission to product. If the extension is not clearly a download or security tool, question why it needs download access.
- Review Chrome’s download list after odd behavior; cross-check unknown files with your security team or AV before opening.
- Prefer OS-level scanning for untrusted binaries rather than random “download booster” extensions.
- Enterprise: allowlist extensions; alert on new downloads permission in updates.
- Keep Enhanced Safe Browsing (where appropriate) so risky downloads get an extra layer beyond the extension’s opinion.
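One way to implement the enterprise check above, as an added example (not code from this page or from Chrome): compare the `manifest.json` of two versions of an extension and report download-related permissions that appear, or move from optional to required, in the update. The manifests shown are constructed samples.

```javascript
// Permission strings used by the chrome.downloads API.
const DOWNLOAD_PERMS = new Set(["downloads", "downloads.open", "downloads.ui", "downloads.shelf"]);
const list = (manifest, key) => (Array.isArray(manifest[key]) ? manifest[key] : []);

// Constructed sample manifests for two versions of the same (hypothetical) extension.
const OLD_MANIFEST = {
  name: "Example Theme Pack", version: "1.4.0", manifest_version: 3,
  permissions: ["storage"], optional_permissions: ["downloads.ui"],
};
const NEW_MANIFEST = {
  name: "Example Theme Pack", version: "1.5.0", manifest_version: 3,
  permissions: ["storage", "downloads", "downloads.ui"], optional_permissions: ["downloads.open"],
};

// Returns the download-related permissions the update introduces or escalates.
function diffDownloadPermissions(oldM, newM) {
  const oldRequired = new Set(list(oldM, "permissions"));
  const oldOptional = new Set(list(oldM, "optional_permissions"));
  const alerts = [];
  for (const p of list(newM, "permissions")) {
    if (DOWNLOAD_PERMS.has(p) && !oldRequired.has(p)) {
      // A permission that was optional before is now granted at install/update time.
      alerts.push({ permission: p, kind: oldOptional.has(p) ? "optional-to-required" : "new-required" });
    }
  }
  for (const p of list(newM, "optional_permissions")) {
    // Optional permissions can still be requested at runtime, so report them too.
    if (DOWNLOAD_PERMS.has(p) && !oldRequired.has(p) && !oldOptional.has(p)) {
      alerts.push({ permission: p, kind: "new-optional" });
    }
  }
  return { from: oldM.version, to: newM.version, alerts };
}

console.log(JSON.stringify(diffDownloadPermissions(OLD_MANIFEST, NEW_MANIFEST), null, 2));
```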