
Browser extensions can help end users add features to their browsing experience that aren’t natively included, like ad-blocking, password management, and productivity tools. This can be a productivity boost for developers and other professionals, but browser extensions have a dark side. Too many redundant extensions can slow performance, cause conflicts with other extensions or software, and, worst of all, pose a significant security risk.
Extensions can be disabled and removed, helping mitigate those dreaded security risks. In this guide, we will look at how to do exactly that on the most popular browsers. First, a quick dive into those security risks is appropriate. If you would like to skip the lesson and follow the disabling or removing instructions, skip to the section for the browser you use.
The Threat of Malicious Browser Extensions
The threat that browser extensions pose rests largely on the permissions the user grants them. Once installed, extensions may request extensive permissions, granting access to sensitive data such as web traffic, saved credentials, session cookies, and clipboard content. While legitimate extensions need certain permissions to function, malicious ones exploit these privileges to harvest data, conduct phishing attacks, or gain unauthorized access to systems.
Recent analysis reveals that over half of the browser extensions in the production environments examined request excessive permissions, posing significant security risks. Additionally, because extensions operate within the browser and do not create separate processes, they can be challenging to detect using traditional security tools.
Methods of Exploitation by Adversaries
Cybercriminals employ various tactics to distribute malicious browser extensions:
- Deceptive Listings: Publishing extensions with names or functionalities mimicking legitimate tools to deceive users into installation.
- Ownership Takeover: Acquiring control of previously trustworthy extensions and pushing malicious updates to an existing user base.
- Sideloading: Encouraging users to install extensions from outside official web stores, bypassing standard security checks.
Some malicious extensions initially request minimal permissions to pass security reviews, but later escalate their privileges or download additional harmful payloads post-installation. The threat posed by browser extensions has been highlighted by recent improvements to the Rilide malware.
Rilide and “Man-in-Browser” Attacks
Rilide, also known as LumaC2 and CookieGenesis, is an advanced malware discovered in 2023 that targets Chromium-based browsers using malicious extensions. Unlike traditional malware that injects scripts into web pages, Rilide leverages browser extensions to gain persistent, elevated access to users’ browsers. This enables it to inject malicious code, exfiltrate sensitive data, and even manipulate two-factor authentication (2FA), particularly in cryptocurrency wallets and email platforms.
Since early 2025, security researchers have identified over 50,000 Rilide-infected user sessions globally, with significant activity in North and South America, Europe, and Japan. This underlines the malware’s widespread impact and the evolving threat landscape.
Traditionally, “man-in-the-browser” (MitB) attacks worked by injecting scripts directly into a webpage’s memory during browsing sessions. These scripts were confined by browser security policies like same-origin rules and lost effectiveness once the page was closed. They also left detectable traces in the page environment, increasing the chance of being caught by security tools.
Modern browser extension-based attacks like Rilide bypass many of these constraints. Extensions can run independently of web pages, maintain persistent background activity, access browser-wide resources (e.g., cookies and storage), and are not bound by same-origin policy. They operate in separate execution environments:
- Content Script Context: Interacts with the page document, but remains partially isolated.
- Background Code Context: Runs as a service worker, completely isolated from both the page and content script.
These separate contexts communicate through controlled browser APIs, leaving little trace in the main page. This isolation makes Rilide and similar malware extremely difficult to detect using conventional page-based security measures.
Moreover, browser extensions are relatively easy to build due to powerful APIs and available permissions, allowing attackers to create complex and evasive malware with less effort. As a result, threat actors are increasingly shifting from traditional web injections to extension-based approaches.
Rilide exemplifies a major evolution in browser-based threats, where extensions offer a combination of persistence, privilege, stealth, and ease of deployment. This trend marks a significant shift in cyberattack strategies and calls for heightened vigilance and advanced detection mechanisms tailored to browser extension activity.
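As an added example (not code from the original article or from any browser vendor), the following Python sketch audits extension manifests for the permission categories listed earlier, for permissions that can be requested after installation, and for the content-script and background contexts described above. The choice of permission names, the review rule, and the Chromium-style on-disk layout of `<id>/<version>/manifest.json` are this example's assumptions, and the sample manifest is constructed.

```python
import json
from pathlib import Path

# Manifest permission names for the data types the article lists; this
# selection and the "review" rule below are the example's assumptions.
RISKY = {"cookies", "webRequest", "clipboardRead", "scripting", "tabs", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(manifest, *keys):
    """Collect string entries from several manifest list fields."""
    return [v for k in keys for v in manifest.get(k, []) if isinstance(v, str)]

def audit_manifest(manifest):
    """Summarise the permission and execution-context surface of one manifest."""
    granted = _strings(manifest, "permissions", "host_permissions")
    optional = _strings(manifest, "optional_permissions", "optional_host_permissions")
    matches = [m for cs in manifest.get("content_scripts", [])
               for m in cs.get("matches", [])]
    bg = manifest.get("background", {})
    result = {
        "name": manifest.get("name", "<unnamed>"),
        "risky": sorted(RISKY.intersection(granted)),
        "broad_hosts": sorted(BROAD_HOSTS.intersection(granted + matches)),
        # Optional permissions can be requested after install: escalation surface.
        "can_escalate_to": sorted((RISKY | BROAD_HOSTS).intersection(optional)),
        "background": bool(bg.get("service_worker") or bg.get("scripts")),
        "content_scripts": bool(matches),
    }
    result["review"] = bool(result["can_escalate_to"]
                            or (result["risky"] and result["broad_hosts"]))
    return result

def audit_extensions_dir(ext_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    reports = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if isinstance(manifest, dict):
            reports.append({"id": path.parts[-3], **audit_manifest(manifest)})
    return reports

# Constructed sample manifest (not a real extension).
SAMPLE = {"manifest_version": 3, "name": "Constructed Sample",
          "permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"],
          "optional_permissions": ["clipboardRead"], "background": {"service_worker": "bg.js"},
          "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}
```

Pass `audit_extensions_dir` the Extensions directory of a browser profile; entries with `review` set are candidates for the disable or remove steps in the next section.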
Disabling or Removing Browser Extensions
With the reasons for disabling or removing extensions out of the way, we can now look at how to actually do so.
Disabling or Removing Extensions in Chrome
- Go to the top bar in Chrome and click on the Extensions icon (the puzzle piece icon towards the top right of the browser window). Then, click on the Manage extensions option (found towards the bottom of the extensions drop-down menu).
- Pick an extension from the menu and click on the toggle next to it to disable it. The oval toggle button should change color from blue to light gray.
- If you want to permanently remove the extension, click on the Remove button (left of the toggle).
- A popup window will appear. Click on the Remove button.
If you have Google’s sync functionality enabled in Chrome, removing an extension will remove it from all Chrome browsers running on different systems with the same Google account. You can use the Chrome web store to re-add the extension in the future.
Disabling or Removing Extensions in Edge
- Press the Ctrl + T keys to open a new tab in Edge. Type edge://extensions/ in the address bar and press Enter to open the Extensions page.
- You will see a complete list of installed extensions. Click on the toggle next to an active extension to disable it.
- To remove an extension, click on the Remove option present below the extension’s description.
- A popup window will open in the top right corner. Click on the Remove button to confirm your decision.
Disabling or Removing Extensions in Firefox
- Navigate to the top right area and click on the Extensions icon (the puzzle piece icon towards the top right). Then click on the Manage extensions option (bottom of the drop-down menu).
- Go to the Enabled section and find the extension you want to disable. Then click on the toggle to disable it.
- To remove an extension, click the icon with three dots next to the toggle switch, then click on the Remove option.
Note that Firefox offers an Undo option after you remove an extension. You can use it to restore an extension you removed unintentionally.