SquareX Research Highlights Malicious Browser Extensions Bypassing Google’s MV3 Security Measures

SINGAPORE, Oct. 03, 2024 —

At DEF CON 32, the SquareX research team presented findings on how malicious browser extensions are bypassing Google’s latest standard for building Chrome extensions: Manifest V3 (MV3)’s security features. This puts millions of users and businesses at risk. The team demonstrated rogue extensions built on MV3, highlighting several concerning capabilities:

  • Extensions can steal live video streams, such as those from Google Meet and Zoom Web, without requiring special permissions.
  • The rogue extensions can act on a user’s behalf to add collaborators to private GitHub repositories.
  • The extensions are capable of hooking into login events to redirect users to a page disguised as a password manager login.
  • Extensions built on MV3 can steal site cookies, browsing history, bookmarks, and download history with ease, like their MV2 counterparts.
  • The rogue extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking users into downloading malware.

Browser extensions have long been a target for malicious actors, with Stanford University estimating that 280 million malicious Chrome extensions were installed in recent years. Google has faced challenges in addressing this issue, often relying on independent researchers to identify malicious extensions. In some cases, Google has had to manually remove them, such as the extensions taken down in June last year, which had been installed 75 million times by the time they were removed.

These issues stemmed from loopholes in the Chrome extension standard, Manifest Version 2 (MV2), which granted extensions excessive permissions and allowed scripts to be injected on the fly. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. 

However, SquareX’s research reveals that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. This exposes both individual users and enterprises, even under the newer MV3 framework.

Current security solutions, including endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises unable to accurately assess their safety. 

SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to address this problem, including;

  • Fine-grained policies to decide which extensions to allow/block, considering parameters like extension permissions, creation date, last update, reviews, ratings, user count, and author attributes.
  • SquareX blocks network requests sent by extensions at runtime based on policies, heuristics, and machine learning insights.
  • SquareX is also experimenting with dynamic analysis of Chrome Extensions using a modified Chromium browser in its cloud server.

These features are part of SquareX’s solution, which is being deployed at medium-large enterprises and is effectively blocking these attacks.

Vivek Ramachandran, Founder & CEO of SquareX, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.” “Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.

About SquareX
helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions, and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD/ unmanaged devices into trusted browsing sessions.

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com