Google Chrome extensions remain a security risk as Manifest V3 fails to prevent data theft and malware exploitation
- Research shows that Manifest V3 could suffer from security issues
- The upgraded Chromium manifest still allows malicious extensions
- Some security tools struggle to identify dangerous extensions
Browser extensions have long been a convenient tool for users, enhancing productivity and streamlining tasks. However, they have also become a prime target for malicious actors looking to exploit vulnerabilities, targeting both individual users and enterprises.
Despite efforts to enhance security, many of these extensions have found ways to exploit loopholes in Google’s latest extension framework, Manifest V3 (MV3).
Recent research by SquareX has revealed how these rogue extensions can still bypass key security measures, exposing millions of users to risks such as data theft, malware, and unauthorized access to sensitive information.
Browser extensions now pose greater threats
Google has long struggled with problematic extensions in Chrome. In June 2023, the company had to manually remove 32 exploitable extensions that had been installed 72 million times before they were taken down.
Google’s previous extension framework, Manifest Version 2 (MV2), was notoriously problematic. It often granted excessive permissions to extensions and allowed scripts to be injected without user awareness, making it easier for attackers to steal data, access sensitive information, and introduce malware.
In response, Google introduced Manifest V3, which aimed to tighten security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was expected to resolve the vulnerabilities present in MV2, SquareX’s research shows that it falls short in critical areas.
Malicious extensions built on MV3 can still bypass security features and steal live video streams from collaboration platforms like Google Meet and Zoom Web without needing special permissions. They can also add unauthorized collaborators to private GitHub repositories, and even redirect users to phishing pages disguised as password managers.
Furthermore, these malicious extensions can access browsing history, cookies, bookmarks, and download history, in a similar way to their MV2 counterparts, by inserting a fake software update pop-up that tricks users into downloading the malware.
Once the malicious extension is installed, individuals and enterprises cannot detect the activities of these extensions, leaving them exposed. Security solutions like endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess browser extensions for potential risks.
To address these challenges, SquareX has developed several solutions aimed at improving browser extension security. Their approach includes fine-tuned policies that allow administrators to decide which extensions to block or permit based on factors such as extension permissions, update history, reviews, and user ratings.
This solution can block network requests made by extensions in real-time, based on policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a modified Chromium browser on its cloud server, providing deeper insights into the behavior of potentially harmful extensions.
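A permission-based allow/block policy of the kind described above can be sketched as a static check over an extension's manifest.json. This is an added example, not SquareX's tooling: the permission sets, the verdict thresholds and the sample manifests are assumptions made for illustration.

```python
import json

# Assumed policy values, chosen for illustration: API permissions that expose
# the data named in the article, and host patterns that cover every site.
SENSITIVE_APIS = {"history", "cookies", "bookmarks", "downloads"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Statically review one extension manifest and return findings plus a verdict."""
    declared = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | (declared & BROAD_HOSTS)
    # Content scripts run inside matching pages without any API permission.
    injected = {m for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])}

    findings = []
    sensitive = sorted(declared & SENSITIVE_APIS)
    if sensitive:
        findings.append("sensitive APIs: " + ", ".join(sensitive))
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    if injected & BROAD_HOSTS:
        findings.append("content script injected into all sites")

    if sensitive and (hosts | injected) & BROAD_HOSTS:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": manifest.get("name", "?"), "verdict": verdict, "findings": findings}


# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"manifest_version": 3, "name": "Tab Notes", "permissions": ["storage"]}',
    '{"manifest_version": 3, "name": "Fast Updater", "permissions": ["cookies", "history"], "host_permissions": ["<all_urls>"]}',
    '{"manifest_version": 3, "name": "Call Helper", "permissions": [], "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

The third sample requests no API permissions yet still runs script in every page, so a permission list alone only earns it a "review". A static verdict says nothing about what the extension does at runtime.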
“Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence,” noted Vivek Ramachandran, Founder & CEO of SquareX.
“This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”
“Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” Ramachandran added.