Malicious browser extensions have once again become a focal point of concern as they continue to bypass Google’s latest security and privacy standard for Chrome extensions, posing a significant risk to organizations and individuals alike.
A recent study conducted by researchers at Singapore-based SquareX shed light on how bad actors are exploiting vulnerabilities in Google’s Manifest V3 update for Chrome extensions. At DefCon 32, the researchers demonstrated how these malicious extensions can steal live video feeds from popular platforms like Google Meet and Zoom without requiring any special permissions. Additionally, they showcased how attackers can leverage extensions based on Manifest V3 to redirect users to credential-stealing pages, gain unauthorized access to private GitHub repositories, and extract sensitive user data such as site cookies and browsing history with alarming ease.
Google introduced Manifest V3 in 2018 as a response to the issues prevalent in the previous Manifest V2 standard, which inadvertently enabled malicious actors to create Chrome extensions with a wide array of harmful capabilities. A study conducted by researchers at Stanford University revealed a staggering 280 million installations of malicious Chrome extensions between July 2020 and February 2023, underscoring the magnitude of the threat posed by these malicious plugins.
While Google touts Manifest V3 as a mechanism to bolster the privacy, security, and performance of extensions, SquareX’s CEO and founder, Vivek Ramachandran, believes that the permission model adopted in Manifest V3 remains excessively broad, providing malicious actors with the leeway to exploit minimal permissions to steal data. Ramachandran expressed concern over the prevalence of hundreds, if not thousands, of malicious browser extensions based on Manifest V3 already present in the Chrome Web Store, with the likelihood of this number escalating as more extensions transition to the new standard.
In response to these growing concerns, Ramachandran emphasized the need for Google to collaborate with the broader web and security community to fortify the security controls in Manifest V3. He advocated for the development of a more robust permission model with narrower parameters, while also suggesting improvements to the extension vetting process and the introduction of real-time behavior monitoring tools.
Google, however, has yet to address SquareX’s research findings directly. In previous statements, the tech giant acknowledged the inherent risks associated with browser extensions in the Chrome Web Store, highlighting the potential for extensions to introduce vulnerabilities and breach security protocols.
In an effort to mitigate these risks, Google has implemented several security features aimed at enhancing the safety of Chrome extensions. These include browser extension management capabilities for security teams, alert mechanisms to notify admins of potential risks associated with new extensions, and risk assessment tools such as CRXcavator and Spin.AI Risk Assessment to evaluate extension security.
Google’s phased migration plan to transition browser extension makers to Manifest V3 underscores the company’s commitment to enforcing enhanced security measures. While the transition deadline passed in June, Google continues to disable Manifest V2 extensions in pre-stable versions of Chrome, giving enterprise organizations until June 2025 to migrate existing extensions to the updated standard.
Ramachandran stressed the importance of auditing installed extensions, limiting their permissions, and enhancing visibility and control over extension activity within organizational environments. He likened browsers such as Chrome to operating systems in their complexity, urging enterprises to adopt a proactive stance in managing extension security to thwart potential threats.
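One concrete form of the audit-and-limit advice above is to parse each installed extension's manifest.json, flag the permissions and host patterns that reach the data types named in the research (cookies, history, page content), and turn the result into an allowlist policy. The script below is an added example written for this page; it is not SquareX's or Google's code. The manifests and extension IDs are constructed, the list of high-risk permissions is an assumption chosen for illustration, and the policy key names follow Chrome's ExtensionSettings policy as the author understands it and should be checked against current Chrome policy documentation before deployment.

```python
import json
from typing import Dict, List

# Example extension audit: parse MV3 manifest.json files, flag the permissions
# that reach user data or page content, and emit an allowlist policy.
# The manifests and extension IDs below are constructed for this example.

# API permissions whose presence deserves review. This list is an assumption
# shaped by the data types the research names (cookies, history, page content).
HIGH_RISK_PERMISSIONS = {
    "cookies", "history", "tabs", "webRequest", "declarativeNetRequest",
    "scripting", "debugger", "nativeMessaging", "clipboardRead",
    "tabCapture", "desktopCapture", "management", "webNavigation",
}

# Match patterns that cover every site (or every site on a scheme).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad_match(pattern: str) -> bool:
    """True for a match pattern that grants access to all sites."""
    return pattern in BROAD_HOST_PATTERNS


def audit_manifest(manifest: dict) -> dict:
    """Audit one parsed manifest.json and return its findings."""
    findings: List[str] = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk API permissions: " + ", ".join(risky))
    broad_hosts = [h for h in manifest.get("host_permissions", []) if is_broad_match(h)]
    if broad_hosts:
        findings.append("broad host permissions: " + ", ".join(broad_hosts))
    # A content script runs inside the matched page with no extra API
    # permission, so a broad "matches" list is the no-special-permission
    # path to page content that the article describes.
    for script in manifest.get("content_scripts", []):
        broad = [m for m in script.get("matches", []) if is_broad_match(m)]
        if broad:
            findings.append("content script on all sites: " + ", ".join(broad))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "findings": findings,
    }


def build_extension_policy(audits: Dict[str, dict]) -> dict:
    """Build a Chrome ExtensionSettings policy value from audit results:
    block installs by default and allow only extensions with no findings.
    Key names are assumed from Chrome's ExtensionSettings policy; verify
    them against current Chrome policy documentation."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": sorted(HIGH_RISK_PERMISSIONS)}}
    for ext_id, result in audits.items():
        if not result["findings"]:
            policy[ext_id] = {"installation_mode": "allowed"}
        else:
            policy[ext_id] = {"installation_mode": "blocked",
                              "blocked_install_message": "; ".join(result["findings"])}
    return policy


# Constructed manifests (not real extensions). Chrome extension IDs are 32
# letters a-p; these particular values are made up for the example.
SAMPLE_MANIFESTS = {
    "abcdefghijklmnopabcdefghijklmnop": json.dumps({
        "manifest_version": 3, "name": "Notes Sidebar",
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"],
    }),
    "ponmlkjihgfedcbaponmlkjihgfedcba": json.dumps({
        "manifest_version": 3, "name": "Meeting Helper",
        "permissions": ["storage", "cookies", "history"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
}


def audit_all(manifests: Dict[str, str]) -> Dict[str, dict]:
    """Parse and audit every manifest; input maps extension ID to manifest JSON text."""
    return {ext_id: audit_manifest(json.loads(text)) for ext_id, text in manifests.items()}


if __name__ == "__main__":
    results = audit_all(SAMPLE_MANIFESTS)
    for ext_id, result in results.items():
        print(ext_id, result["name"], result["findings"] or "no findings")
    print(json.dumps(build_extension_policy(results), indent=2))
```

Run against a directory of real profiles, the manifest text would come from each extension's installed manifest.json rather than the constructed dictionary; the audit logic is unchanged. The point of the policy output is that the default entry blocks installs and strips the high-risk permissions, so an extension that later adds such a permission in an update is denied it rather than silently gaining it.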
As the landscape of browser security continues to evolve, the onus is on both developers and users to remain vigilant against the persistent threat posed by malicious browser extensions. Collaborative efforts between tech companies, security experts, and end-users are crucial in safeguarding digital ecosystems against exploitation and data breaches.
