Google’s Manifest V3 (MV3) security framework for Chrome extensions has serious vulnerabilities. According to recent disclosures from cybersecurity research firm SquareX.
Even though Google recently released MV3, a standard designed to improve extension security. SquareX showed at DEF CON 32 how malicious actors could still get around these safeguards, endangering consumers and companies.
Read More From Tech News
The research team at SquareX presented “Sneaky Extensions: The MV3 Escape Artists,” which demonstrated various ways, that rogue extensions take advantage of MV3. The ability of extensions to bring live video streams from websites like Zoom Web and Google Meet, add unauthorized collaborators to private GitHub repositories and send users to phishing websites masquerading as login prompts were among the major risks found. Furthermore, these extensions mimic features from the previous Manifest Version 2 (MV2) and can covertly access private information like site cookies, browsing history, bookmarks and download history.
An estimated 280 million malicious Chrome extensions have been installed in recent years, according to a Stanford University study. Malicious activities have long been carried out through browser extensions. As demonstrated by the removal of 32 extensions in June of last year—which had already received 75 million installations—Google has frequently depended on outside experts to identify these threats and take appropriate action to eliminate them.
Read More From Tech Solutions
The main causes of MV2’s problems were overly broad permissions and the potential for scripts to be injected covertly. The goal of MV3 was to address these flaws by implementing more stringent security protocols. SquareX’s findings however, indicate that these steps are insufficient, permitting ongoing exploitation. Due to this, companies and individual users alike are left exposed by the MV3 framework.
The ability of existing security tools, like endpoint detection, Secure Access Service Edge (SASE) and Secure Web Gateways (SWG), to monitor browser extensions is restricted, because they are not dynamically instrumented by any established platform and are still largely unregulated. Malicious actors can find plenty of opportunities to fill this gap in security capabilities.
The CEO and founder of SquareX, Vivek Ramachandran, emphasized the serious risk, that this oversight posed. The presence of browser extensions is a blind spot for EDR/XDR, and SWGs are unable to deduce it. Because of this, browser extensions have become a very powerful tool for surreptitiously installing and monitoring enterprise users. Attackers are using these extensions to spy on web calls, grant permissions to third parties on behalf of their victims, steal cookies and other site data, and more,” the expert said.
Ramachandran emphasized that to effectively counter these threats, dynamic analysis and strict policies are required. Our research shows that these two elements are necessary for enterprises to be able to identify and block these attacks. Even with the best of intentions, Google MV3 is still a long way from implementing security throughout the entire design process.”
SquareX Develops Advanced Browser Detection and Response Solutions to Combat Extension-Based Security Threats
SquareX is working on patches to fix these flaws. They provide fine-grained policy control over extension permissions, heuristic and machine learning-based network request blocking and dynamic extension analysis experimentation using a modified Chromium browser as part of their Browser Detection and Response solution for medium to large enterprises.
Read More From Brit News Hub
The results obtained from SquareX highlight how difficult it is to protect web browsers from threats based on extensions. The need for sophisticated detection and response tools in protecting digital environments is growing as these issues persist.
