Access denied: when your browser extensions look like attack vectors

Tried booking a flight. Got blocked. VPN didn't help. IP was clean. Turns out Akamai thinks my 21 security extensions make me look like a hacker. They're…

Indigo Access Denied

Last week I tried booking a flight on Indigo. Access Denied. Tried MakeMyTrip. Access Denied. Ixigo? Same story. Yatra? Blocked.

My banking apps worked fine. But every travel booking site using Akamai's CDN decided I was public enemy number one. Sometimes the site would load, then the OTP API calls would silently fail. Making a complete fool out of me at checkout.

MakeMyTrip Access Denied

the debugging rabbit hole

First thought: bad IP from my ISP's CGNAT pool. Changed my IP. Worked for 10 minutes. Then blocked again.

Second thought: maybe Akamai's IP reputation is flagging me. Checked their Client Reputation lookup.

Akamai Clean IP Reputation

Nope. Clean as a whistle.

My IP Info - Tata Play, Bengaluru

Google dorking time. Found tons of users globally facing the same issue. Not ISP-specific. Not India-specific. Something else was up.

Then I found this blog that pointed at browser extensions. Interesting.

the lightbulb moment

Switched from Arc to Chrome. Still blocked. Because I carried over the same 21 extensions like a digital hoarder.

My Extension Arsenal - Part 1
My Extension Arsenal - Part 2

Here's my toolkit: Wappalyzer, Shodan, Trufflehog, DotGit, and a bunch of OSINT/greyhat recon tools. The same extensions I use for security research were making me look like an attacker to Akamai's Bot Manager.

Turned off all extensions. Instant access to every site.

what's actually happening

Akamai's Bot Manager isn't counting your requests. It's fingerprinting the client environment. Browser extensions can inject JavaScript, mutate the DOM, alter request behavior, and add tracking parameters — all things the client-side fingerprint will flag as bot-shaped, the same way it would flag a scraper or an injection probe.

My security toolkit became my own DoS attack vector. Poetic, really.

Some users reported User-Agent changes helped. I didn't test that. I also didn't have time to debug which of the 21 extensions was the actual culprit. Life's too short for that level of troubleshooting.
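To see which installed extensions leave page-visible traces of the kind described above, the following can be pasted into the DevTools console on any page. It is an added example, not code from the original post or from Akamai; it only lists elements that reference an extension URL scheme, it says nothing about what Bot Manager actually checks, and the sample records and extension IDs are constructed placeholders.

```javascript
// Added example: resources an extension injects into a page carry an extension URL scheme.
const EXT_URL = /^(chrome-extension|moz-extension|safari-web-extension):\/\/([^\/]+)\//i;
// Constructed sample records (placeholder extension IDs) so the block also runs in Node.
const SAMPLE = [
  { tag: "script", url: "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/inject.js" },
  { tag: "link", url: "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/overlay.css" },
  { tag: "img", url: "moz-extension://11111111-2222-3333-4444-555555555555/icon.png" },
  { tag: "script", url: "https://example.com/app.js" },
  { tag: "script", url: null }, // inline script, no URL
];

// [{ tag, url }] -> { extensionId: { count, tags } }; non-extension URLs are ignored.
function groupByExtension(records) {
  const out = {};
  for (const { tag, url } of records) {
    const m = EXT_URL.exec(url || "");
    if (!m) continue;
    const entry = (out[m[2]] = out[m[2]] || { count: 0, tags: [] });
    entry.count += 1;
    if (!entry.tags.includes(tag)) entry.tags.push(tag);
  }
  return out;
}

// Turn an element and its descendants into records, using the raw src/href attribute.
function toRecords(root) {
  const els = [root, ...root.querySelectorAll("[src], [href]")];
  return els.map((el) => ({
    tag: el.tagName.toLowerCase(),
    url: el.getAttribute("src") || el.getAttribute("href"),
  }));
}

// Report extension resources added to the DOM after the initial scan.
function watchInjections(doc, onHit) {
  const obs = new MutationObserver((mutations) => {
    const added = mutations.flatMap((m) => [...m.addedNodes]).filter((n) => n.nodeType === 1);
    const hits = groupByExtension(added.flatMap(toRecords));
    if (Object.keys(hits).length > 0) onHit(hits);
  });
  obs.observe(doc.documentElement, { childList: true, subtree: true });
  return obs;
}
if (typeof document !== "undefined") {
  console.table(groupByExtension(toRecords(document.documentElement)));
  watchInjections(document, (hits) => console.table(hits));
} else {
  console.log(groupByExtension(SAMPLE));
}
```

Extensions that change the page without referencing their own URLs (inline script, style tweaks, altered requests) will not show up here, so an empty table does not clear an extension.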

the takeaway

WAF rules are aggressive by design. Your legitimate security tools look exactly like attack vectors because, well, they kind of are. The line between security researcher and threat actor is thinner than we'd like to admit.

If you're getting blocked by Akamai with a clean IP:

  1. Check your extensions first, not your ISP
  2. VPN working temporarily? That's behavioral detection, not IP blocking
  3. The Client Reputation tool won't catch extension-based triggers
  4. Your OSINT toolkit makes CDNs nervous

Infrastructure is meant to keep bad actors out. Sometimes it keeps infrastructure wizards out too. Not fun.
