CyberSecurity SEE

SquareX Demonstrates Bypassing Google’s MV3 Restrictions Using Malicious Extensions


SquareX’s research team presented its findings at DEF CON 32 in a talk titled Sneaky Extensions: The MV3 Escape Artists. The research shows how malicious browser extensions evade Google’s latest security standard for Chrome extensions, Manifest V3 (MV3), and continue to threaten millions of users and businesses worldwide.

During the presentation, the team demonstrated that rogue extensions built on MV3 can still carry out the kinds of attacks MV3 was meant to stop. Key findings include extensions that capture live video streams from platforms such as Google Meet and Zoom Web without requesting any special permissions, extensions that perform actions on the user’s behalf, such as adding collaborators to private GitHub repositories, and extensions that intercept login events and redirect users to fake login pages posing as password managers.

The rogue extensions can also read site cookies, browsing history, bookmarks, and download history just as their MV2 counterparts could; these capabilities are gated by the cookies, history, bookmarks and downloads permissions, which MV3 left in place and which are approved in a single install-time prompt. They can also inject pop-up notifications into active web pages, such as fake software-update prompts, to lure users into downloading malware.

The problem of malicious browser extensions is not new: a Stanford University study estimated that 280 million Chrome users have installed extensions containing malware in recent years. Google has struggled to keep up, often relying on outside researchers to find and report malicious extensions and then removing them from the Web Store by hand, as with the 32 extensions, with a combined 75 million installs, that were taken down in June 2023.

These abuses were made possible by design weaknesses in the previous extension standard, Manifest Version 2 (MV2), which granted extensions broad permissions and let them fetch and inject scripts at runtime that had never been reviewed or shown to the user. MV3 was introduced to close these gaps: it narrows permissions, requires all executable code to ship inside the extension package rather than being fetched at runtime, and requires extensions to declare their scripts up front.

SquareX’s research, however, shows that MV3 did not remove these capabilities: an extension needs only minimal permissions, in some cases nothing beyond access to the pages it targets, to carry out the attacks described above. This is a substantial risk for both individual users and enterprises.

Present-day security controls such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG) have little or no visibility into which browser extensions are installed or what they do inside a page: an extension acting within a legitimate site’s pages produces traffic that looks like ordinary user activity to those tools. Organizations need a way to assess the safety of browser extensions dynamically and in real time.

To address this, SquareX has added features to its Browser Detection and Response solution: fine-grained policies for allowing or blocking extensions based on various parameters, real-time blocking of network requests sent by extensions, and dynamic analysis of Chrome extensions in a modified Chromium browser running on a cloud server.
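The points above (an empty permissions array says nothing about what a content script can reach, and enterprises need policy decisions based on concrete parameters) can be made concrete with a static triage of an MV3 manifest.json. The following is an added example written for this page; it is not SquareX’s code and not from the DEF CON talk. The three manifests, the severity weights, the score thresholds and the policy are constructed for illustration, not a Chrome or SquareX scale.

```javascript
// Added example (not SquareX's code): static triage of Chrome MV3 manifests
// for an enterprise allow/review/block decision. Sample manifests, weights,
// thresholds and policy below are constructed for this illustration.

// Match patterns that reach every origin the browser visits.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that hand over browser-level data or code execution.
// Severities are this example's own weighting (constructed).
const API_PERMISSION_SEVERITY = {
  cookies: "high",      // read/write cookies for hosts the extension can reach
  scripting: "high",    // inject code into any host it has access to
  history: "medium",
  bookmarks: "medium",
  downloads: "medium",
  webRequest: "medium",
  declarativeNetRequest: "medium",
  tabs: "low",
  notifications: "low",
};
const WEIGHT = { high: 3, medium: 2, low: 1, info: 0 };

// Host part of a match pattern: "https://*.zoom.us/*" -> "*.zoom.us", "<all_urls>" -> "*".
function patternHost(pattern) {
  if (BROAD_MATCHES.has(pattern)) return "*";
  const m = /^(?:\*|https?|file|ftp|wss?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1] : pattern;
}

// Does a match-pattern host cover a concrete hostname (wildcard subdomains included)?
function hostCovers(pHost, target) {
  if (pHost === "*") return true;
  if (pHost.startsWith("*.")) {
    const suffix = pHost.slice(2);
    return target === suffix || target.endsWith("." + suffix);
  }
  return pHost === target;
}

function triageManifest(manifest) {
  const findings = [];
  const add = (sev, msg) => findings.push({ sev, msg });
  // Content scripts run inside matched pages with full DOM access (video
  // elements, forms, buttons) regardless of what the "permissions" array says.
  for (const cs of manifest.content_scripts || []) {
    for (const pat of cs.matches || []) {
      add(BROAD_MATCHES.has(pat) ? "high" : "medium",
        `content script ${(cs.js || []).join(",")} in ${pat} (run_at=${cs.run_at || "document_idle"}): DOM access`);
    }
  }
  for (const pat of manifest.host_permissions || []) {
    add(BROAD_MATCHES.has(pat) ? "high" : "medium", `host permission ${pat}: fetch/scripting/cookie reach`);
  }
  for (const p of manifest.permissions || []) {
    if (API_PERMISSION_SEVERITY[p]) add(API_PERMISSION_SEVERITY[p], `API permission ${p}`);
  }
  if ((manifest.permissions || []).length === 0 && (manifest.content_scripts || []).length > 0) {
    add("info", 'empty "permissions" is not low privilege: content scripts still run in matched origins');
  }
  const score = findings.reduce((s, f) => s + WEIGHT[f.sev], 0);
  const verdict = score === 0 ? "allow" : score < 8 ? "review" : "block"; // constructed thresholds
  return { score, verdict, findings };
}

// Policy check independent of the score: block anything that can execute
// inside protected origins or that requests forbidden APIs.
function enforcePolicy(manifest, policy) {
  const reasons = [];
  const reach = [
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    ...(manifest.host_permissions || []),
  ];
  for (const pat of reach) {
    for (const h of policy.protectedHosts) {
      if (hostCovers(patternHost(pat), h)) reasons.push(`${pat} reaches protected host ${h}`);
    }
  }
  for (const p of manifest.permissions || []) {
    if (policy.forbiddenPermissions.includes(p)) reasons.push(`forbidden permission ${p}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample manifests (not real extensions).
const MEETING_HELPER = {            // no "permissions" at all, yet it runs inside Meet and Zoom pages
  manifest_version: 3, name: "Meeting Helper (sample)", version: "1.0",
  content_scripts: [{ matches: ["https://meet.google.com/*", "https://*.zoom.us/*"], js: ["content.js"], run_at: "document_start" }],
};
const TAB_MANAGER = {               // classic data-harvesting profile
  manifest_version: 3, name: "Tab Manager (sample)", version: "2.3",
  permissions: ["storage", "cookies", "history", "bookmarks", "downloads", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  background: { service_worker: "sw.js" },
};
const NOTES_ONLY = { manifest_version: 3, name: "Notes (sample)", version: "0.1", permissions: ["storage"] };
const POLICY = { protectedHosts: ["meet.google.com", "zoom.us", "github.com"], forbiddenPermissions: ["cookies", "history"] };

for (const m of [MEETING_HELPER, TAB_MANAGER, NOTES_ONLY]) {
  const t = triageManifest(m);
  console.log(m.name, "score", t.score, t.verdict, "policy", enforcePolicy(m, POLICY));
}
```

The point of the first sample is the one the research makes: `permissions` is empty, so a reviewer who reads only that array sees nothing, while the content script already runs inside every Meet and Zoom page with full DOM access. That is why the triage scores content-script matches and host permissions in their own right, and why the policy check keys on which origins an extension can reach rather than on the permission list alone.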

Vivek Ramachandran, Founder & CEO of SquareX, emphasized the urgency of addressing the inherent risks associated with browser extensions. He warned that the current security landscape lacks the capability to detect and prevent malicious browser extension attacks effectively. Without dynamic analysis and strict policies in place, enterprises remain vulnerable to potential security breaches.

In conclusion, SquareX continues to spearhead efforts in enhancing cybersecurity protection for enterprises by offering advanced solutions to combat the rising threat of malicious browser extensions. Their commitment to detecting, mitigating, and threat-hunting client-side web attacks in real-time underscores their dedication to ensuring the safety and security of users in the evolving digital landscape.

