add-ons

2022

• Hijacking webcams with Screencastify May 23
• Adobe Acrobat hollowing out same-origin policy April 19
• Party time: Injecting code into Teleparty extension March 14
• Skype extension: All functionality broken? Still exploitable! March 1

2021

• Yes, fun browser extensions can have vulnerabilities too! December 20
• Abusing Keepa Price Tracker to track users on Amazon pages October 5
• Breaking Custom Cursor to p0wn the web September 28
• Data exfiltration in Keepa Price Tracker August 2
• Having fun with CSS injection in a browser extension June 28
• Universal XSS in Ninja Cookie extension May 4
• Print Friendly & PDF: Full compromise April 13

2020

• A grim outlook on the future of browser add-ons August 31

2019

• State of the art protection in Chrome Web Store September 9

2016

• Safari extension format (.safariextz) explained August 17

2014

• “Unloading” frame scripts in restartless extensions November 19
• Extension security and add-on stores February 25