Hindsight v2025.03 Released!

Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.

Background

I've been following some of the news related to attacks involving browser extensions and read some great write-ups about what happened and how. I'd encourage everyone to read the post by John Tuckner (of Secure Annex) about the Cyberhaven Extension compromise:

Cyberhaven Extension Compromise
How the Cyberhaven extension was compromised and what it means for your organization.

One of the things that's been on my radar for a long time was adding more parsing of Extension-related databases to Hindsight, and this seemed like a timely excuse!

New "Extension Data" Section

Hindsight can now parse eight more databases related to Extension activity (they all use LevelDB and share a similar format). They are:

  • Extension Rules
  • Extension Scripts
  • Extension State
  • Local App Settings
  • Local Extension Settings
  • Managed Extension Settings
  • Sync App Settings
  • Sync Extension Settings

As these records are different than other "Storage" ones, I decided to put them in a new Extension Data output section. There aren't any explicit timestamps associated with records (although plenty of timestamps are present inside the unstructured Value fields). I have some ideas on plugins and additional parsing, but that will need to wait for a subsequent release. For now, I think simply surfacing this data is a good place to start.

New "Extension Data" Tab in XLSX Output

Another, more minor, change in this version is to the Installed Extensions section of the output - I've added Permissions and Manifest columns. The Manifest column is the extension's entire manifest.json file, as lots of different parts of it are relevant for analysis, depending on the question being asked. I pulled out the Permissions section from the manifest into its own column to highlight it, as I think it's particularly important. I also think it's useful to be able to quickly scan down the list of installed extensions and see what permissions each has, in case something jumps out as a bit unusual.

Updated "Installed Extensions" Tab, with Permissions and Manifest Columns
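
To illustrate the kind of review the Permissions and Manifest columns support, here is an added example (not Hindsight's own code) that takes the text of a manifest.json, separates API permissions from host access, and flags entries to look at first. The function name, the REVIEW_FIRST list and the sample manifests are assumptions made for this example.

```python
import json

# Assumption for this example: permissions an analyst may want to review first.
REVIEW_FIRST = {"cookies", "webRequest", "debugger", "scripting", "tabs",
                "history", "nativeMessaging", "proxy", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(value):
    """Match patterns look like scheme://host/path, or the literal <all_urls>."""
    return value == "<all_urls>" or "://" in value


def summarize_manifest(manifest_text):
    """Split a manifest.json string into API permissions, host access and flags."""
    manifest = json.loads(manifest_text)
    api, hosts = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue  # skip non-string entries rather than guess at them
            # Manifest V2 mixes host patterns into "permissions"; V3 separates them.
            (hosts if is_host_pattern(entry) else api).add(entry)
    # Content scripts reach pages through their own "matches" patterns.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    flags = sorted(api & REVIEW_FIRST) + sorted(hosts & BROAD_HOSTS)
    return {"name": manifest.get("name", ""),
            "manifest_version": manifest.get("manifest_version"),
            "api_permissions": sorted(api),
            "host_access": sorted(hosts),
            "flags": flags}


# Constructed sample manifests (not taken from any real extension).
SAMPLE_MV3 = json.dumps({
    "name": "Sample Notes", "manifest_version": 3,
    "permissions": ["storage", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"]})
SAMPLE_MV2 = json.dumps({
    "name": "Sample Clipper", "manifest_version": 2,
    "permissions": ["tabs", "https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}]})

if __name__ == "__main__":
    for text in (SAMPLE_MV3, SAMPLE_MV2):
        row = summarize_manifest(text)
        print(row["name"], "| flags:", ", ".join(row["flags"]) or "none")
```

A flag here only marks a row for a closer read of the full manifest; many legitimate extensions request these permissions.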

Get Hindsight!

You can get Hindsight, view the code, and see the full change log on GitHub. Both the command line and web UI versions of this release are available as:

  • compiled exes attached to the GitHub release or in the dist/ folder
  • .py versions, available via pip install pyhindsight or by downloading/cloning the GitHub repo