At DEF CON 32, SquareX’s research team delivered a shocking exposé titled “Sneaky Extensions: The MV3 Escape Artists”, detailing how malicious browser extensions are still bypassing Google’s latest security standard, Manifest V3 (MV3). Despite the introduction of MV3 to mitigate risks posed by extensions, the SquareX team demonstrated how these threats continue to evolve, putting both individual users and businesses at risk.
MV3’s Flawed Protection: A Window for Attackers
SquareX revealed how malicious extensions built on MV3 can steal live video streams from platforms like Google Meet and Zoom Web, without needing specific permissions. These rogue extensions also have the capacity to act on behalf of users, granting unauthorized collaborators access to private GitHub repositories. Other alarming capabilities include intercepting login events and redirecting users to malicious sites disguised as password manager logins.
Extensions are also capable of stealing cookies, browsing history, bookmarks, and download history — bypassing MV3’s so-called enhanced security features. In one particularly insidious demonstration, SquareX showed how malicious extensions could insert pop-ups into active web pages, tricking users into downloading malware through fake software update prompts.
Browser Extensions: An Ongoing Threat
Browser extensions have long been exploited by malicious actors. A Stanford University study estimates that 280 million malicious Chrome extensions were installed over the past few years. Google has struggled to contain this issue, often relying on third-party researchers to identify and report harmful extensions. Last year, Google removed 32 malicious extensions that had already been downloaded 75 million times before they were flagged.
Many of these vulnerabilities stem from the now-outdated Manifest Version 2 (MV2), which gave extensions excessive permissions and allowed scripts to be injected into web pages without users’ knowledge. MV3 was supposed to address these issues by limiting permissions and requiring more transparency, but SquareX’s research shows that it still leaves significant gaps.
SquareX’s Groundbreaking Solution for Extension Threats
SquareX has developed a set of innovative solutions that offer a lifeline to enterprises seeking to protect their users from these hidden threats. Their Browser Detection and Response solution is designed to safeguard against attacks by implementing fine-grained policies, network request blocking, and dynamic analysis of Chrome extensions.
As part of their defense strategy, SquareX allows companies to enforce policies based on various parameters like extension permissions, user reviews, ratings, and more. It also employs machine learning to block suspicious network requests made by extensions in real time.
“We’ve proven that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks,” said Vivek Ramachandran, Founder & CEO of SquareX. “Google MV3, though well-intended, is still far from enforcing security effectively at both design and implementation phases.”
SquareX’s Browser Detection and Response (BDR) solution is currently being deployed in medium to large enterprises and has shown success in mitigating these types of browser-based threats.
About SquareX
SquareX specializes in real-time detection and mitigation of client-side web attacks. Their industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, protecting enterprise users from advanced threats like malicious QR codes, browser-in-the-browser phishing, macro-based malware, and more. SquareX helps enterprises secure remote workers, contractors, and unmanaged devices by converting regular browsers into trusted browsing sessions.