---
title: "Protect Chrome Extensions from Tampering | Security Cookbook"
description: "Restrict writes to Chrome extension directories to Chrome itself, blocking malware from installing or modifying extensions to steal credentials."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-chrome-extensions"
---

### Idea

Browser extensions have powerful access to web browsing activity, credentials, and user data. Malware frequently attempts to install malicious extensions or modify existing ones to steal credentials, inject ads, or monitor browsing activity.

Chrome stores extensions in user-specific directories under Library/Application Support/Google/Chrome/\*/Extensions/. Each profile has its own extensions directory, and malware can target any of them.

This file access rule prevents unauthorized reads and writes to Chrome extension directories, allowing only Chrome itself and necessary system processes (Spotlight indexing, XProtect scanning) to access these files. This stops malware from:

-   Installing new malicious extensions
-   Modifying existing extensions to add backdoors
-   Exfiltrating extension data or settings
-   Reading extension source code for vulnerability hunting

You can configure whether to allow read access depending on your security requirements. Blocking read access provides stronger protection but may interfere with legitimate security scanning tools.

### Solutions

File Access: Protect Chrome Extensions Directory

Restrict Chrome extension access to Chrome and system processes

Paths

-   /Users/\*/Library/Application Support/Google/Chrome/\*/Extensions/

Policy

ALLOWLIST

Access Type

write

Processes

-   Signing ID: EQHXZ8M8AV:com.google.Chrome\*
-   Signing ID: platform:com.apple.mdworker\_shared
-   Signing ID: platform:com.apple.mds
-   Signing ID: platform:com.apple.mdsync
-   Signing ID: platform:com.apple.XProtectFramework.plugins.\*

Custom Message

Chrome extensions can only be modified by Chrome

### Mitre Attack

Tactics

-   [Persistence](https://attack.mitre.org/tactics/TA0003/)
-   [Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

-   [T1176: Software Extensions](https://attack.mitre.org/techniques/T1176/)
-   [T1539: Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539/)

### Tags

chrome, extensions, browser, malware

### Deployment Notes

This rule blocks write access to Chrome extension directories by default. The rule config shown allows Chrome and system processes to access extensions, while blocking everything else.

You can adjust the AllowReadAccess option:

-   Set to true: Allows any process to read extension files (less secure, more compatible)
-   Set to false: Blocks reads except by allowed processes (more secure, may impact security tools)

The rule covers all Chrome profiles by using the wildcard pattern in the path.

Consider adding exceptions for:

-   Enterprise management tools that deploy extensions
-   Security scanning tools that analyze extensions
-   Backup software that needs to read extension data
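As an added example (not the cookbook's own code), the rule above expressed as a Santa file access authorization (FAA) configuration plist, generated from the page's paths and Signing IDs so the AllowReadAccess and AuditOnly switches from the deployment notes can be toggled and an enterprise-tool exception appended. The plist key names are assumed to match Santa's FAA configuration schema (Version, WatchItems, Paths, Options, Processes); the rule name and the sample exception Signing ID are placeholders.

```python
import plistlib

# Values copied from this page's rule card.
EXTENSIONS_PATH = "/Users/*/Library/Application Support/Google/Chrome/*/Extensions/"
ALLOWED_SIGNING_IDS = [
    "EQHXZ8M8AV:com.google.Chrome*",
    "platform:com.apple.mdworker_shared",
    "platform:com.apple.mds",
    "platform:com.apple.mdsync",
    "platform:com.apple.XProtectFramework.plugins.*",
]
BLOCK_MESSAGE = "Chrome extensions can only be modified by Chrome"


def build_faa_config(allow_read: bool, audit_only: bool = False,
                     extra_signing_ids=()) -> bytes:
    """Return the FAA configuration as XML plist bytes.

    allow_read=True   : only writes are restricted (more compatible).
    allow_read=False  : reads are restricted to the allowlisted processes too.
    audit_only=True   : log violations without blocking (staged rollout).
    extra_signing_ids : exceptions such as an enterprise extension deployment tool.
    """
    processes = [{"SigningID": sid}
                 for sid in (*ALLOWED_SIGNING_IDS, *extra_signing_ids)]
    config = {
        "Version": "1",  # assumed schema: top-level Version + WatchItems
        "WatchItems": {
            "ProtectChromeExtensions": {  # placeholder rule name
                # Trailing slash on the page's path: treat it as a prefix.
                "Paths": [{"Path": EXTENSIONS_PATH, "IsPrefix": True}],
                "Options": {
                    "RuleType": "PathsWithAllowedProcesses",  # the page's ALLOWLIST policy
                    "AllowReadAccess": allow_read,
                    "AuditOnly": audit_only,
                    "BlockMessage": BLOCK_MESSAGE,
                },
                "Processes": processes,
            }
        },
    }
    return plistlib.dumps(config, fmt=plistlib.FMT_XML)


def parse_faa_config(data: bytes) -> dict:
    """Parse the generated plist back into a dict (used to verify the output)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Staged rollout: audit first, then enforce writes, then consider blocking reads.
    print(build_faa_config(allow_read=True, audit_only=True).decode())
```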

### False Positive Guidance

Legitimate software that may need access to Chrome extensions:

-   Enterprise Chrome extension deployment tools
-   Security software that scans extensions for malware
-   Backup and sync software
-   Development tools when building Chrome extensions

If using enterprise Chrome extension management, add the management tool's signing ID to the allowlist.

### Testing Instructions

1.  Try to manually copy an extension into a profile's Extensions directory: `cp -r /path/to/extension "/Users/$USER/Library/Application Support/Google/Chrome/Default/Extensions/"` (should be blocked; the path contains a space, so it must be quoted)
2.  Install extension through Chrome Web Store (should work)
3.  Verify existing extensions load properly (should work)
4.  Check that Chrome can update extensions (should work)

### Detection Methods

Monitor Santa file access authorization (FAA) events for:

-   Unauthorized attempts to write to Extensions/ directories
-   Processes other than Chrome trying to modify extensions
-   Repeated blocks from the same process (may indicate malware)

Legitimate installation triggers:

-   Chrome Web Store installs go through Chrome itself (allowed)
-   Enterprise-pushed extensions should use proper Chrome management (may need exception)
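As an added example (not the cookbook's own code), a small triage script for the detection points above: it parses FAA events, keeps only writes under an Extensions directory by processes outside the rule's allowlist, counts DENY decisions per process, and flags processes that were blocked repeatedly. The sample lines are constructed in the pipe-delimited key=value shape Santa uses for its log output; the field names (path, access_type, decision, process, pid, signingid) are assumed, not copied from a real host.

```python
from collections import Counter

# Signing IDs the page's rule allowlists (prefix match; the page uses wildcards).
ALLOWED_SIGNING_IDS = (
    "EQHXZ8M8AV:com.google.Chrome",
    "platform:com.apple.mdworker_shared",
    "platform:com.apple.mds",
    "platform:com.apple.mdsync",
    "platform:com.apple.XProtectFramework.plugins.",
)

# Constructed sample events: one allowed Chrome write, one unsigned helper
# blocked three times across two profiles, an allowed Spotlight read, and a
# signed backup tool blocked once (a candidate for an exception, see above).
SAMPLE_LOG = """\
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Extensions/aaaa/manifest.json|access_type=WRITE|decision=ALLOW|pid=812|process=Google Chrome|signingid=EQHXZ8M8AV:com.google.Chrome
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Extensions/aaaa/background.js|access_type=WRITE|decision=DENY|pid=4410|process=helper|signingid=
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Extensions/aaaa/manifest.json|access_type=WRITE|decision=DENY|pid=4410|process=helper|signingid=
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Profile 1/Extensions/bbbb/manifest.json|access_type=WRITE|decision=DENY|pid=4410|process=helper|signingid=
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Extensions/aaaa/manifest.json|access_type=READ|decision=ALLOW|pid=77|process=mds|signingid=platform:com.apple.mds
action=FILE_ACCESS|policy_name=ProtectChromeExtensions|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Extensions/cccc/manifest.json|access_type=WRITE|decision=DENY|pid=5021|process=backupd|signingid=ABCDE12345:com.example.backup
"""


def parse_events(text):
    """Split each log line into a dict of key=value fields."""
    return [dict(f.split("=", 1) for f in line.split("|") if "=" in f)
            for line in text.splitlines() if line.strip()]


def denied_extension_writes(events):
    """Count DENY decisions per (process, pid) for writes under Extensions/
    by processes that are not on the rule's allowlist."""
    counts = Counter()
    for ev in events:
        if ev.get("access_type") != "WRITE" or ev.get("decision") != "DENY":
            continue
        if "/Extensions/" not in ev.get("path", ""):
            continue
        if ev.get("signingid", "").startswith(ALLOWED_SIGNING_IDS):
            continue  # Chrome or an allowlisted platform binary
        counts[(ev.get("process"), ev.get("pid"))] += 1
    return counts


def repeated_blockers(counts, threshold=3):
    """Processes blocked at least `threshold` times: retrying rather than a one-off."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = denied_extension_writes(parse_events(SAMPLE_LOG))
    for (process, pid), n in counts.most_common():
        print(f"{process} (pid {pid}): {n} blocked write(s)")
    print("repeated:", repeated_blockers(counts))
```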

### Resources

-   [Santa FAA Cookbook - Chrome Extensions](https://northpole.dev/cookbook/faa/#chrome-extensions-directory)
-   [MITRE ATT&CK - Software Extensions](https://attack.mitre.org/techniques/T1176/)

### Related Rules

Credential Protection, File Access

#### [Protect Browser Cookies from Infostealers](https://northpole.security/cookbook/protect-browser-cookies)

Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions.

