Chromium-based browsers, including Chrome, Edge, and Brave, manage installed extensions via JSON preference files stored under %AppData%\Google\User Data\Default\Preferences (for domain-joined machines) or Secure Preferences (for standalone systems). 

Synacktiv research indicates that by directly altering these files, attackers can make the browser load any extensions without the user’s consent or involvement from the Chrome Web Store.

A successful compromise involves three technical prerequisites: pre-calculating the extension ID, generating valid Message Authentication Codes (MACs) for both the extension entry and the developer_mode flag, and bypassing enterprise policy controls. 

Extension IDs are deterministically derived from the extension’s public key or installation path via a SHA-256 hash truncated to 32 hex characters and mapped to a custom alphabet (a–p). 

Chromium’s integrity checks use an HMAC seeded with a static value extracted from resources.pak specifically resource file 146 to sign critical JSON keys. 

Attackers reverse this HMAC algorithm to compute valid MACs for extensions.settings.<crx_id> and extensions.developer_mode, enabling silent registration of their backdoor extension.

Enterprise environments

Enterprise environments commonly deploy GPOs to whitelist or blacklist extensions through policies like ExtensionInstallAllowlist and ExtensionInstallBlocklist. Three advanced evasion methods undermine these controls:
Share
Project URL
https://secarena.com
Client
Mr Maykay
Release Date
20th August 2025