Google Chrome extensions remain a security risk as Manifest V3 fails to prevent data theft and malware exploitation
- Research shows that Manifest V3 may suffer from security problems
- The upgraded Chromium manifest still allows malicious extensions
- Some security tools have difficulty identifying dangerous extensions
Browser extensions have long been a useful tool for users, improving productivity and streamlining tasks. However, they have also become a prime target for malicious actors looking to exploit vulnerabilities, targeting both individual users and companies.
Despite efforts to improve security, many of these extensions have found ways to exploit loopholes in Google’s latest extension framework, Manifest V3 (MV3).
Recent research from SquareX has revealed how these rogue extensions can still bypass important security measures, exposing millions of users to risks such as data theft, malware and unauthorized access to sensitive information.
Browser extensions are now a bigger threat
Google has always struggled with the problems of extensions in Chrome. In June 2023, the company had to manually remove 32 exploitable extensions, which had been installed 72 million times before being removed.
Google’s previous extension framework, Manifest Version 2 (MV2), was notoriously problematic. It often granted excessive permissions to extensions and allowed scripts to be injected without the user’s knowledge, making it easier for attackers to steal data, access sensitive information and introduce malware.
In response, Google introduced Manifest V3, which aimed to tighten security by limiting permissions and requiring extensions to pre-declare their scripts. While MV3 was expected to fix the vulnerabilities in MV2, SquareX’s research shows it falls short in critical areas.
Malicious extensions built on MV3 can still bypass security features and steal live video streams from collaboration platforms like Google Meet and Zoom Web without the need for special permissions. They can also add unauthorized contributors to private GitHub repositories and even redirect users to phishing pages disguised as password managers.
Furthermore, these malicious extensions access browsing history, cookies, bookmarks and download history, in a similar manner to their MV2 counterparts, by inserting a fake software update pop-up that tricks users into downloading the malware.
Once a malicious extension is installed, neither individuals nor companies can see what it does, so its activity goes unnoticed. Security solutions such as endpoint protection, Secure Access Service Edge (SASE) and Secure Web Gateways (SWG) cannot dynamically assess browser extensions for potential risks.
To address these challenges, SquareX has developed several solutions aimed at improving the security of browser extensions. Their approach includes refined policies that allow administrators to decide which extensions to block or allow based on factors such as extension permissions, update history, reviews, and user ratings.
This solution can block network requests from extensions in real-time, based on policy, machine learning insights, and heuristic analysis. In addition, SquareX is experimenting with dynamic analysis of Chrome extensions using a custom Chromium browser on its cloud server, providing deeper insights into the behavior of potentially malicious extensions.
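As an added illustration, and not SquareX's product code or anything from Google, the following Python sketches the static half of the policy described above: it inspects a manifest.json, weights the permissions the article names (history, cookies, bookmarks, downloads) and any all-origins host access, folds in Web Store listing signals (rating, review count, update age), and renders the allow/block decisions as Chrome's ExtensionSettings enterprise policy. The two manifests, the extension IDs, the weights, the block threshold and the listing data are all constructed for this example. The MV3 sample deliberately requests no special permission but injects a content script into every page, which is the kind of extension the research above says permission review alone does not catch.

```python
"""Score Chrome extension manifests and listing data, then emit an
ExtensionSettings policy. Constructed example; weights are illustrative."""
import json
from dataclasses import dataclass, field

# Permissions reaching the data the article names (history, cookies,
# bookmarks, downloads) or every open page. Weights are constructed.
PERMISSION_WEIGHTS = {
    "history": 3, "cookies": 3, "nativeMessaging": 3,
    "downloads": 2, "bookmarks": 2, "tabs": 2,
    "webRequest": 2, "webRequestBlocking": 2, "scripting": 1,
    "storage": 0, "activeTab": 0,
}
# Match patterns that cover every origin.
ALL_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class StoreMetadata:
    """Listing data an administrator would pull from the Web Store (constructed)."""
    extension_id: str
    rating: float
    review_count: int
    days_since_update: int


@dataclass
class Assessment:
    extension_id: str
    score: int
    findings: list = field(default_factory=list)
    decision: str = "allow"


def host_patterns(manifest):
    """Collect host match patterns from both MV2 and MV3 layouts.

    MV2 mixes host patterns into "permissions"; MV3 moves them to
    "host_permissions". Content-script "matches" count as well, because a
    script injected into every page reads that page without extra permission.
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def assess_manifest(manifest):
    """Return (score, findings) from static inspection of a manifest dict."""
    findings, score = [], 0
    for p in sorted(set(manifest.get("permissions", []))):
        weight = PERMISSION_WEIGHTS.get(p)
        if weight:
            findings.append(f"permission:{p}")
            score += weight
    if host_patterns(manifest) & ALL_ORIGINS:
        findings.append("host:all-origins")
        score += 3
    # MV2 manifests can still relax the CSP; flag both the old version and the
    # relaxation, since MV3 removed them.
    if manifest.get("manifest_version", 0) < 3:
        findings.append("manifest:mv2")
        score += 1
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, str) and "unsafe-eval" in csp:
        findings.append("csp:unsafe-eval")
        score += 2
    return score, findings


def decide(manifest, meta, block_threshold=6):
    """Combine manifest findings with listing signals into an allow/block call."""
    score, findings = assess_manifest(manifest)
    if meta.rating < 3.0:
        findings.append("store:low-rating")
        score += 2
    if meta.review_count < 50:
        findings.append("store:few-reviews")
        score += 1
    if meta.days_since_update > 365:
        findings.append("store:stale")
        score += 1
    decision = "block" if score >= block_threshold else "allow"
    return Assessment(meta.extension_id, score, findings, decision)


def extension_settings_policy(assessments):
    """Render decisions as a Chrome ExtensionSettings policy dictionary."""
    policy = {"*": {"installation_mode": "allowed"}}
    for a in assessments:
        if a.decision == "block":
            policy[a.extension_id] = {"installation_mode": "blocked"}
    return policy


# Constructed sample manifests and listing data.
MV2_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Tab Helper (constructed)",
    "permissions": ["tabs", "cookies", "history", "downloads",
                    "<all_urls>", "webRequestBlocking"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    "background": {"scripts": ["bg.js"]},
}
MV3_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Meeting Notes (constructed)",
    "permissions": ["storage"],
    "host_permissions": [],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"service_worker": "sw.js"},
}
MV2_META = StoreMetadata("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 2.1, 12, 500)
MV3_META = StoreMetadata("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", 4.6, 900, 20)

if __name__ == "__main__":
    results = [decide(MV2_MANIFEST, MV2_META), decide(MV3_MANIFEST, MV3_META)]
    for r in results:
        print(r.extension_id, r.decision, r.score, r.findings)
    print(json.dumps(extension_settings_policy(results), indent=2))
```

The MV2 sample is blocked on permissions alone, while the MV3 sample scores below the threshold and is allowed, even though its content script runs on every page; that gap is why the article argues static policy has to be paired with dynamic analysis of what the extension actually does at runtime.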
“Browser extensions are a blind spot for EDR/XDR, and SWGs cannot detect their presence,” said Vivek Ramachandran, founder and CEO of SquareX.
“As a result, browser extensions have become a very effective and powerful technique to install silently and monitor business users, and attackers use them to monitor communications via web calls, act on behalf of the victim to grant permissions to third parties, steal cookies and other site data, and so on.”
“Our research proves that without dynamic analysis and the ability for companies to implement strict policies, it will not be possible to identify and block these attacks. While well-intentioned, Google MV3 is still a long way from enforcing security in both the design and implementation phases,” said Ramachandran.