As browser extensions become an integral part of our daily web experience, new research highlights a concerning surge in malicious add-ons targeting Firefox users.
In recent findings, security analysts have identified at least eight Firefox extensions masquerading as gaming apps or productivity tools that are actively spying on users, harvesting credentials, and rerouting web traffic for profit.
OAuth Tokens, Passwords, and Stealthy Surveillance
Among the most dangerous is the “CalSyncMaster” extension, posing as a benign calendar sync tool. Once installed, CalSyncMaster exploits OAuth authentication flows to steal Google access tokens quietly.
By intercepting the redirect URL after users log into their Google accounts, the extension extracts the access token and transmits it to a remote command-and-control server.
This grants attackers ongoing, stealthy access to sensitive calendar data, information that is invaluable for orchestrating social engineering attacks or even corporate espionage.
Worse, the extension’s design allows for rapid escalation; with a minor update, it could demand broader permissions, enabling attackers to manipulate events or delete user data.
Other extensions, such as “VPN – Grab a Proxy – Free,” claim to enhance privacy but do the opposite. This add-on silently injects invisible tracking iframes into every web page viewed and coerces the browser into routing all traffic through attacker-controlled proxies.
These proxies can log user activity, intercept credentials, and even downgrade HTTPS connections, allowing for seamless man-in-the-middle attacks.
Familiar Faces, Dangerous Code
Malicious actors are leveraging the popularity of classic online games to bypass user suspicion. Extensions such as “1v1.LOL,” “Krunker io Game,” “Five Nights at Freddy’s,” and “Little Alchemy 2” don’t deliver the gameplay they promise.
Instead, upon installation, they redirect users to fraudulent virus alerts and scam-laden betting websites, sometimes designed to mimic Apple system warnings in an attempt to extort personal information or money.

Affiliate hijacking schemes are also rampant. The “GimmeGimme” add-on claims to enhance shopping with wishlist features, but in reality, it redirects user sessions through affiliate links to siphon commissions, impacting legitimate cashback and loyalty programs.
Protecting Yourself
Security experts advise users to audit their installed browser extensions regularly and remain wary of those requesting broad permissions, especially “access to all websites.”
Organizations should deploy extension allow-lists and monitor for unauthorized proxy configurations or suspicious network activity.
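The audit recommended above can be scripted. The following is an added example, not code from the research described here: it checks a Firefox profile's extensions.json against an allow-list and flags broad host access or proxy-related permissions. The field names (addons, userPermissions, origins) are an assumption about that file's layout, and the function name, permission sets and sample entries are constructed for illustration.

```python
import json

# Assumption: host patterns treated as "access to all websites".
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: API permissions worth a manual review (proxy control, request interception).
RISKY_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking"}

def audit_addons(extensions_json, allow_list):
    """Return findings for active extensions that are not allow-listed
    or that hold broad host access or risky API permissions."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Themes, dictionaries and disabled add-ons are out of scope here.
        if addon.get("type") != "extension" or not addon.get("active"):
            continue
        granted = addon.get("userPermissions") or {}
        perms = set(granted.get("permissions", []))
        origins = set(granted.get("origins", []))
        reasons = []
        if addon.get("id") not in allow_list:
            reasons.append("not on allow-list")
        if origins & BROAD_ORIGINS:
            reasons.append("access to all websites")
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if reasons:
            name = (addon.get("defaultLocale") or {}).get("name", "?")
            findings.append({"id": addon.get("id"), "name": name, "reasons": reasons})
    return findings

# Constructed sample data (IDs and names are made up), not a real profile.
SAMPLE = json.dumps({"addons": [
    {"id": "calendar-sync@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Sample Calendar Sync"},
     "userPermissions": {"permissions": ["identity", "storage"],
                         "origins": ["https://www.googleapis.com/*"]}},
    {"id": "free-proxy@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Sample Free VPN"},
     "userPermissions": {"permissions": ["proxy", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "approved-tool@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Approved Tool"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme", "active": True},
]})
ALLOW_LIST = {"approved-tool@example.invalid"}

if __name__ == "__main__":
    for f in audit_addons(SAMPLE, ALLOW_LIST):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

To audit a real profile, pass the contents of its extensions.json instead of SAMPLE and replace ALLOW_LIST with the organization's approved extension IDs.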
These campaigns underscore a sobering truth: trusted browser extensions can be the weakest link in your online security.
With attackers now blending social engineering and technical sophistication, vigilance is more crucial than ever in defending personal data and online privacy.
Indicators of Compromise:
- Malicious domains: funformathgame[.]com, polar-shore-05125-b49ae913d73c[.]herokuapp[.]com
- Dangerous extensions: CalSyncMaster, VPN – Grab a Proxy – Free, GimmeGimme, 1v1.LOL, Krunker io Game, Five Nights at Freddy’s, Little Alchemy 2, Bubble Spinner
Stay alert, audit often, and don’t let your favorite add-ons open the door to cybercrime.





