Endpoint Security, CrowdStrike, Malicious Browser Extension Controls

Technology Services has enabled malicious browser extension controls within the CrowdStrike Falcon platform. This control automatically detects and blocks browser extensions that have been identified as malicious or high-risk, helping to protect University data and systems from a growing class of endpoint threats.

What are Malicious Browser Extensions?

Browser extensions are small software programs that add functionality to web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. While many extensions are legitimate and useful — such as password managers, accessibility tools, or ad blockers — malicious or compromised extensions pose serious security risks.

Malicious Browser Extensions May:

  • Steal credentials and session tokens – Extensions with access to page content can capture login credentials, session cookies, and authentication tokens, enabling account takeover even when multi-factor authentication (MFA) is in use.
  • Exfiltrate sensitive data – Extensions can read and transmit the contents of any web page you visit, including forms containing research data, financial information, or personal records.
  • Hijack browser sessions – Attackers can use stolen session cookies to impersonate a user without ever knowing their password.
  • Redirect web traffic – Some extensions silently redirect search queries or inject affiliate tracking codes into links to generate fraudulent revenue.
  • Execute remote code – Sophisticated malicious extensions can receive commands from attacker-controlled servers and execute actions on your device.
  • Persist undetected – Extensions that begin as legitimate tools may become malicious after receiving a silent update, sometimes years after initial installation. This "long con" technique makes them particularly difficult to detect through normal user vigilance.

What CrowdStrike Does:

CrowdStrike Falcon Exposure Management monitors browser extensions installed on managed university endpoints across Chrome, Edge, and Firefox. When an extension is identified as malicious based on threat intelligence, permission analysis, or behavioral indicators, the Security Team enforces a policy that prevents the extension from running. In Chrome and Edge, the extension remains installed but is prevented from loading or executing; in Firefox, the extension is deleted from the browser. Note that this only affects use of the extension on the host running CrowdStrike. Users will need to manually remove the malicious extension from their profile, or it will continue to install on other devices.

What Users Will See:

When CrowdStrike blocks a malicious extension, the experience varies slightly by browser:
  • Google Chrome: The extension will appear in Chrome's extension manager (`chrome://extensions`) but will be shown as disabled or blocked. Chrome may display a notification indicating that an extension has been turned off. The extension icon will be grayed out or absent from the toolbar. The extension will not load on any webpage.
  • Microsoft Edge: Similar to Chrome, the extension will appear in Edge's extension manager (`edge://extensions`) but will be inactive. Edge may display a notification that an extension has been disabled. The extension icon will be absent from the toolbar.
  • Mozilla Firefox: The extension will not be displayed in the browser. Firefox may present a notification that an extension has been removed.

Users who attempt to install or use malicious browser extensions on devices with CrowdStrike installed should receive an email encouraging them to manually remove blocked extensions from their profiles (see instructions below).

How to Manually Remove a Blocked Extension:

Even after CrowdStrike disables a malicious extension, the Security Team recommends manually removing it from your browser to ensure it cannot be re-enabled and to clean up your browser environment.

Google Chrome
  1. Open Chrome and navigate to `chrome://extensions` in the address bar, or go to **Menu (⋮) > Extensions > Manage Extensions**.
  2. Locate the blocked or disabled extension.
  3. Click **Remove**.
  4. Confirm removal when prompted.
  5. Restart Chrome.

Microsoft Edge
  1. Open Edge and navigate to `edge://extensions` in the address bar, or go to **Menu (…) > Extensions > Manage Extensions**.
  2. Locate the blocked or disabled extension.
  3. Click **Remove**.
  4. Confirm removal when prompted.
  5. Restart Edge.

Mozilla Firefox
  1. Open Firefox and navigate to `about:addons` in the address bar, or go to **Menu (☰) > Add-ons and themes**.
  2. Select the **Extensions** tab.
  3. Locate the blocked extension.
  4. Click the **three-dot menu (…)** next to the extension and select **Remove**.
  5. Restart Firefox.

Apple Safari (macOS)
  1. Open Safari and go to **Safari > Settings** (or **Preferences** on older macOS versions).
  2. Click the **Extensions** tab.
  3. Select the blocked extension in the left sidebar.
  4. Click **Uninstall**.
  5. Restart Safari.

After Removal - Recommended Follow-Up Actions:

If CrowdStrike has blocked an extension on your device, it may indicate that the extension had access to your browser sessions prior to being detected. The Security Team recommends the following:
  • Change your passwords for any accounts accessed in the affected browser, particularly university accounts (NetID), email, banking, and any services containing sensitive data.
  • Sign out of all active sessions for critical accounts (e.g., Illinois Webstore, Banner, cloud storage, research portals) to invalidate any stolen session tokens.
  • Review recently installed extensions and remove any that you do not recognize or no longer use.
  • Run a malware scan on any personal devices that you've used the browser extension on.
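
The review step above, and the capabilities listed earlier in this article, come down to what an extension's manifest requests. The following is an added example (not part of the original article and not CrowdStrike's detection logic) that reads Chrome/Edge `manifest.json` files from a profile's `Extensions` folder and flags permissions that enable those capabilities. The `RISKY` mapping, the function names, and the sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Assumed mapping for illustration (not CrowdStrike's scoring):
# permission -> capability from the list of risks earlier in this article.
RISKY = {
    "cookies": "can read session cookies",
    "webRequest": "can observe or redirect web traffic",
    "declarativeNetRequest": "can redirect web traffic",
    "scripting": "can inject script into pages",
    "debugger": "can take full control of tabs",
    "nativeMessaging": "can talk to programs on the device",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest, not a real extension.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Constructed Tab Helper",
                   "version": "1.0", "permissions": ["cookies", "storage"],
                   "host_permissions": ["<all_urls>"]}

def assess_manifest(manifest: dict) -> list:
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    findings = []
    hosts = list(manifest.get("host_permissions", []))  # V3 host patterns
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    for perm in perms:
        if not isinstance(perm, str):
            continue
        if perm in RISKY:
            findings.append(f"{perm}: {RISKY[perm]}")
        elif perm == "<all_urls>" or "://" in perm:
            hosts.append(perm)  # V2 keeps host patterns in "permissions"
    if any(h in BROAD_HOSTS for h in hosts):
        findings.append("broad host access: can read the content of every page")
    return findings

def audit_profile(extensions_dir) -> dict:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json (Chrome/Edge layout)."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not guess
        ext_id = path.parent.parent.name  # folder name is the extension ID
        report[ext_id] = {"name": manifest.get("name", "?"),
                          "findings": assess_manifest(manifest)}
    return report

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```

Pass the `Extensions` folder of a browser profile to `audit_profile`. A finding is a prompt to review the extension, not proof that it is malicious.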

Frequently Asked Questions:

Will I lose any data or settings when an extension is disabled?
Disabling or removing an extension does not affect your bookmarks, saved passwords (stored in your browser or a separate password manager), or browsing history. Some extension-specific settings or data may be lost if the extension stored data locally, but this is uncommon for most extensions.

Can I re-enable a blocked extension?
Extensions blocked by CrowdStrike policy cannot be re-enabled by the user while the policy is in effect. If you believe an extension has been incorrectly flagged, contact your local IT Pro or submit a request to security@illinois.edu for review.

I use this extension for my work. What should I do?
If the blocked extension is used for a legitimate university business purpose, contact your local IT Pro and submit a policy exception review request to security@illinois.edu. Exceptions are evaluated on a case-by-case basis.

How do I know which extension was blocked?
A list of all blocked extensions can be reviewed here: https://uofi.app.box.com/v/malicious-browser-extensions

Does this affect personally installed extensions on university-managed devices?
Yes. CrowdStrike monitors all extensions installed in supported browsers on managed university endpoints, regardless of whether the extension was installed by the user or an IT administrator.

Who do I contact?

For extension review or policy exception requests: Please reach out to security@illinois.edu 
To report a malicious browser extension: Please reach out to security@illinois.edu 
If you think your account or your system has been compromised: https://www.cybersecurity.illinois.edu/cybersecurity/report-a-cybersecurity-incident/

Keywords: browser extension, malicious extension, CrowdStrike, Falcon, Chrome, Edge, Firefox, Safari, blocked extension, endpoint security, malware, credential theft, session hijacking, security
Doc ID: 150192
Owned by: Security G. in University of Illinois Technology Services
Created: 2025-04-29
Updated: 2026-06-15
Sites: University of Illinois System, University of Illinois Technology Services