First, some chrome extensions might legitimately need this. But even if they were disallowed -
The guy had physical access to a running chrome capable of sending those cookies, and the ability to install an extension. This basically means no software policy was going to stop him.