TDK
March 17, 2026, 9:54pm
1
Why is brave still unwilling to look or prioritize this massive security issue?
Yesterday “Save as type” extension got caught running shady code.
opened 05:40AM - 04 Dec 19 UTC
security
sec-low
feature/extensions
priority/P5
# Brave Software staff comment (by @bsclifton)
Similar to how we do not offer ways in the UI to [disable auto-updates for the browser itself](https://github.com/brave/brave-browser/issues/5576), we at Brave Software do NOT recommend turning off extension auto-updates.
Because we do not recommend disabling auto-updates
- we don't offer a user interface in Brave for disabling them
- it's a low priority for us to add a user interface for disabling them
**NOTE: For those unfamiliar with Brave issue triage, the `priority/P5` assignment on an issue specifically means that we do not currently have plans to work on that issue**.
This issue is left open to share work-arounds and so that folks can provide feedback.
## Work-arounds
These are not recommended - but are provided for reference.
1. You can edit the shortcut / way you launch Brave to include a command line parameter, like so:
`--component-updater=url-source=https://127.0.0.1/extensions`
2. You can use the hosts file (e.g. `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`) to block the component and extension update URL. You would add an entry like this:
`127.0.0.1 go-updater.brave.com`
# Original issue description (by @smartfonreddit)
As the Chrome extension store became popular, bad actors began taking advantage of it by purchasing popular extensions and then injecting them with malware. The bad actor updates the extension to add the malware, then pushes it to unsuspecting users. A web search will reveal many such instances.
As an extension user, getting malware is as simple as launching Brave. Brave downloads the latest infected version of the extension automatically.
The user has no tools to defend against this. Google does not vet extensions usually until it's too late. Only the basic malware gets caught by Google's extension scanner, not enough.
If the user had a way to at least delay the installation of extension updates, it would allow security researchers, including Google, to detect and remove the malicious extension before it's downloaded by the user. (personal experience)
## Steps to Reproduce
1. Launch Brave.
2. Brave automatically downloads the infected extension update.
## Actual result:
Passwords and other data are stolen. Web search will reveal many such instances. For example, Amazon and other famous websites' passwords were stolen last year. Infected updates can install a keylogger, inject ads, inject remote code, steal browsing URLs etc.
## Expected result:
An option to disable the automatic extension updates, or at least to delay them by a considerable time. Press a button to update extensions, or to see if updates are available. A similar feature exists in another browser and it has been proven to be useful.
## Brave version (brave://version info)
all
## Miscellaneous Information:
Brave could become the first Chromium-based browser to have this feature. It's in-line with the privacy-first mission and can be a great "marketing" point.
Thank You.
**Some examples:**
https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/
https://www.ghacks.net/2017/07/31/chrome-extension-copyfish-hijacked-remove-now/
https://www.bleepingcomputer.com/news/security/chrome-extension-with-100-000-users-caught-pushing-cryptocurrency-miner/
https://www.reddit.com/r/chrome/comments/7ibl97/the_dec_7_2017_version_of_text_link_extension/
https://www.bleepingcomputer.com/news/security/first-malicious-chrome-extensions-detected-using-session-replay-scripts/
https://www.bleepingcomputer.com/news/security/over-500-000-users-impacted-by-four-malicious-chrome-extensions/
https://www.reddit.com/r/firefox/comments/8jcubq/is_it_ok_for_addon_with_47k_users_to_inject/
https://www.reddit.com/r/firefox/comments/87a21e/hello_just_noticed_a_new_style_of_ads_when_using/
https://www.bleepingcomputer.com/news/security/chrome-extensions-android-and-ios-apps-caught-collecting-browsing-data/
https://www.reddit.com/r/chrome/comments/9d52q7/someone_hijacked_mega_chrome_extension_to_steal/
https://www.reddit.com/r/phishing/comments/9b315f/youtube_video_downloader_firefox_addon_injecting/
https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/
https://www.hackread.com/android-apps-chrome-extensions-collect-facebook-data/
and more
Seemingly out of nowhere, the “Save image as Type” Chrome extension was marked for removal, with Google warning users that...
Description of the issue:
Extensions seem to be autoupdating, which would allow a compromised extension to issue a malicious update that would be automatically downloaded, potentially violating privacy/security.
How can this issue be reproduced?
Install any extension;
Do nothing;
Wait for extension to autoupdate.
Expected result:
Doing nothing should not result in extension being automatically updated. Or at least there should be a way to disable that and a button for manually updating ext…
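The hosts-file and command-line work-arounds quoted above only stop the download; they give no signal when an extension has already changed underneath you. The following script is an added example (not Brave's tooling and not code from anyone in this thread) that audits a Chromium-family profile's `Extensions` directory against a saved baseline and reports version bumps and newly requested permissions. It assumes the usual Chromium on-disk layout of `Extensions/<extension id>/<version>_<n>/manifest.json`; the extension ids, manifests and baseline it uses are constructed sample data, not real extensions.

```python
"""Audit a Chromium-family profile's Extensions directory for silently changed extensions.

Added example; assumes the Chromium layout Extensions/<id>/<version>_<n>/manifest.json.
All ids and manifests below are constructed sample data.
"""
import json
import tempfile
from pathlib import Path


def _version_key(dirname):
    """Sort key for version directories such as '2.3.1_0' (the '_0' suffix is Chromium's install counter)."""
    base = dirname.split("_", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))


def scan_extensions(ext_root):
    """Return {ext_id: {name, version, permissions}} using each extension's newest version directory."""
    found = {}
    for ext_dir in sorted(p for p in Path(ext_root).iterdir() if p.is_dir()):
        version_dirs = [v for v in ext_dir.iterdir() if (v / "manifest.json").is_file()]
        if not version_dirs:
            continue
        newest = max(version_dirs, key=lambda v: _version_key(v.name))
        manifest = json.loads((newest / "manifest.json").read_text(encoding="utf-8"))
        # MV2 "permissions" may contain non-string entries; only string permissions are compared here.
        raw = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        found[ext_dir.name] = {
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", newest.name),
            "permissions": sorted(p for p in raw if isinstance(p, str)),
        }
    return found


def diff_baseline(baseline, current):
    """Compare a previously saved scan with a fresh one; return a list of (ext_id, finding) tuples."""
    findings = []
    for ext_id, now in current.items():
        before = baseline.get(ext_id)
        if before is None:
            findings.append((ext_id, "new extension installed"))
            continue
        if before["version"] != now["version"]:
            findings.append((ext_id, f"updated {before['version']} -> {now['version']}"))
        added = sorted(set(now["permissions"]) - set(before["permissions"]))
        if added:
            findings.append((ext_id, "new permissions: " + ", ".join(added)))
    for ext_id in baseline:
        if ext_id not in current:
            findings.append((ext_id, "removed"))
    return findings


def build_sample_tree(root):
    """Write a constructed Extensions tree (fake ids and manifests) under root and return its path."""
    ext_root = Path(root) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": [
            ("1.4.0_0", {"name": "Tab Helper", "version": "1.4.0", "permissions": ["tabs"]}),
            # A newer version that silently widened its reach: the case the thread worries about.
            ("1.5.0_0", {"name": "Tab Helper", "version": "1.5.0",
                         "permissions": ["tabs", "webRequest"], "host_permissions": ["<all_urls>"]}),
        ],
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": [
            ("3.0.2_0", {"name": "Image Saver", "version": "3.0.2", "permissions": ["contextMenus"]}),
        ],
    }
    for ext_id, versions in samples.items():
        for dirname, manifest in versions:
            d = ext_root / ext_id / dirname
            d.mkdir(parents=True, exist_ok=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


# Constructed baseline: what a previous scan recorded. "cccc..." has since been uninstalled.
SAMPLE_BASELINE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Tab Helper", "version": "1.4.0", "permissions": ["tabs"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Image Saver", "version": "3.0.2", "permissions": ["contextMenus"]},
    "cccccccccccccccccccccccccccccccc": {"name": "Old Helper", "version": "0.9", "permissions": []},
}


def audit_sample():
    """Run the full flow on the constructed tree and return the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        current = scan_extensions(build_sample_tree(tmp))
    return diff_baseline(SAMPLE_BASELINE, current)


if __name__ == "__main__":
    for ext_id, finding in audit_sample():
        print(f"{ext_id}: {finding}")
```

To use it against a real profile, call `scan_extensions()` on the profile's `Extensions` directory (on Linux this is typically `~/.config/BraveSoftware/Brave-Browser/Default/Extensions`), save the result as JSON, and run `diff_baseline()` on a later scan; a version bump paired with new `host_permissions` is the pattern worth reviewing before trusting the update.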
TDK
March 22, 2026, 2:01am
2
bump up … come on brave. what’s your hold up on this?
This is something I’d like as well. Not all updates are good (bugs, or shady updates as mentioned), and sometimes we wish to delay our updates for full vetting.
Whether extensions are “good” or “bad” — undeniably — extensions that may at one time have been “good” do go bad.
This is an old link. While the date is 6 years ago, the message remains valid today:
Here’s another story about a different extension that went “bad”:
I've been using a chrome extension to automatically switch to new tabs I open for about 8 years (ever since Chrome removed that option for some reason). Logged in today, found that new tabs were not popping to the front, and found that my extension...
12 points | 9 comments — u/greyshard
Both these links tell the same story: an extension that initially behaved well was sold to a malevolent purchaser.
Firefox gives users control (as an option) over if / when to update installed extensions. I’m unaware of any chromium-based browser offering this option — which is what this thread is about.
Bottom line: be very cautious about installing / using extensions.
My experience: in addition to my password manager, I have only 3 active extensions installed.
TDK
March 24, 2026, 4:29am
5
@hmazuji let’s keep this thread alive since yours got automatically closed.
289wk
March 24, 2026, 6:06am
6
The following extension is no longer available at the Chrome Web Store:
‘https://chromewebstore.google.com/detail/kdenlnncndfnhkognokgfpabgkgehodd/error’
That extension was a source of trouble, reported here at the Brave Community:
‘Google Chrome Update message keeps popping up’
‘Google Chrome Update message keeps popping up - #15 by HeisDeisk’
The trouble: The extension itself did not reveal malware when scanned, but the extension [somehow] downloaded a process/script that caused the following fraudulent pop-up to be displayed:
I had an iOS app go bad - the owner sold it, and the buyer converted it to connect to some obscure websites ← I learned, when the app misbehaved (it had been reliable for 7 years).
And recently, I had a Chrome Web Store extension suddenly go bad, producing a pop-up similar to the fraudulent pop-up mentioned herein.
GitHub member ‘chewybone’ is correct:
‘https://github.com/brave/brave-browser/issues/7200#issuecomment-3787902813’
This world of auto-updating is a double-edged sword. Certainly there needs to be a way to disable auto-updates of extensions added as a feature.
At the moment there is a substantial issue around malware and browser extensions.
Read More via link. That link has caused issues when shared on this forum, but if the moderators remove the link, search for information about shady panda.
Note to moderators: please just edit the message and remove the link if it is a problem, as more people need to know about the situation.
TDK
April 13, 2026, 4:27am
8
I think this is finally getting traction. Hurray.
TDK
April 17, 2026, 5:16am
9
we are a few steps away https://github.com/brave/brave-core/pull/35301#issuecomment-4235023416
I believe that we would expect the feature to be added in June’s release based on the release schedule:
Brave browser for Android, iOS, Linux, macOS, Windows. - brave/brave-browser
Good news.
IMHO, offering this through a user-edited flag is probably prudent. Being honest: most folks will ignore this — perhaps to their regret, but that’s another story.
My one-and-only concern: user-edited flags come and go; I’d like this flag (and being able to edit it) to be permanent.
TDK
April 18, 2026, 11:27pm
11
Agreed. It was a cheap way to get this implemented, but I'm happy it finally made it after the pressure was mounting on them.