Colin Cowie

Automating browser extension analysis to hunt for data abuse and malware

In 2019 Google launched the Developer Data Protection Reward Program Rules: “a bounty program to identify and mitigate data abuse issues in popular Android applications, Chrome extensions, and applications leveraging the Google API”.

This talk will cover the tooling and analytic process I leveraged to successful report over 50 browser extensions impacting 19,000,000+ users

Traditional threat hunting techniques such pivoting on network infrastructure, code overlap and C2 information disclosure was performed against the chrome browser extension ecosystem.

Technologies features in this presentation: Yara, mitmproxy, Python Selenium, Chrome webdriver, Python Flask and others!

Colin Cowie is a Threat Intelligence Analyst in the Sophos Managed Threat Response (MTR) team focusing on detecting emerging threats, threat actor identification, and incident response.

In past roles he has worked in the financial sector performing internal and external penetration testing.