Google’s efforts to improve Chrome extension security with its latest framework, Manifest V3 (MV3), have not fully resolved the persistent security risks of malicious browser extensions.
Despite MV3’s promise of enhanced protections, recent research by cybersecurity firm SquareX reveals that malicious Chrome extensions continue to exploit loopholes in the upgraded framework, leading to data theft, malware attacks, and unauthorized access to sensitive data.
These findings raise concerns for users and enterprises, underscoring the need for stronger browser security practices.
Manifest V3 Security Issues Expose Users to Cyber Threats
Browser extensions serve a convenient function for millions of users worldwide, but they have become an increasingly popular target for cybercriminals.
Google’s Manifest V2 (MV2) framework was often criticized for allowing excessive permissions, making it easier for attackers to exploit users.
While MV3 was designed to tighten control over permissions and scripts, researchers have discovered that MV3 still permits certain malicious activities that can compromise user data and enterprise security.
According to SquareX, extensions built on MV3 can access live video streams on platforms like Google Meet and Zoom and add unauthorized collaborators to private GitHub repositories without requiring specific user permissions.
Additionally, these rogue extensions can redirect users to phishing sites posing as password managers, risking sensitive login details and other personal information.
Persistent Risks for Business and Enterprise Users
Despite Google’s efforts to strengthen extension security, enterprise users are at greater risk than ever. In June 2023 alone, Google had to manually remove 32 harmful Chrome extensions with a collective 72 million downloads, demonstrating the scope of the threat.
Malicious actors continue to exploit browser vulnerabilities, often without user detection, making it challenging for businesses to safeguard data and internal systems effectively.
These rogue extensions can track browsing history, cookies, bookmarks, and download data by posing as legitimate software updates.
Security tools like Endpoint Detection and Response (EDR), Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) currently struggle to detect malicious browser extensions dynamically, leaving critical data vulnerable to unauthorized access.
Dynamic Solutions to Strengthen Chrome Extension Security
In response to the ongoing security challenges of MV3, SquareX has developed new solutions that provide enterprises with advanced options for managing browser extension security.
SquareX’s system incorporates fine-tuned policies, allowing administrators to block or allow extensions based on permissions, update history, reviews, and user ratings.
Additionally, SquareX employs machine learning and heuristic analysis to block risky network requests made by extensions in real time.
To identify potentially dangerous extensions, the company is also experimenting with a modified version of Chromium on cloud servers, allowing for deeper behavioral analysis of Chrome extensions.
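An added example, not SquareX's product or code: a minimal static check of the kind of permission- and rating-based allow/block policy described above, run over constructed MV3 manifests. The policy values, the `store_meta` fields and the function name are assumptions made for illustration.

```python
import json

# Hypothetical enterprise policy; every value here is an assumption.
POLICY = {
    "blocked_permissions": {"cookies", "history", "bookmarks", "downloads"},
    "broad_hosts": {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"},
    "min_rating": 4.0,
    "min_reviews": 100,
}

def evaluate_extension(manifest, store_meta, policy=POLICY):
    """Return ("allow" | "block", reasons) for one extension."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    for p in sorted(perms & policy["blocked_permissions"]):
        reasons.append(f"blocked permission: {p}")
    # In MV3, site access lives in host_permissions and in content_scripts
    # "matches", not in "permissions"; a check on "permissions" alone misses it.
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    for h in sorted(hosts & policy["broad_hosts"]):
        reasons.append(f"broad host access: {h}")
    if store_meta.get("rating", 0.0) < policy["min_rating"]:
        reasons.append("rating below policy minimum")
    if store_meta.get("reviews", 0) < policy["min_reviews"]:
        reasons.append("too few reviews")
    return ("block" if reasons else "allow", reasons)

# Constructed sample manifests (not real extensions).
RISKY = json.loads("""{
  "manifest_version": 3, "name": "Sample Updater", "version": "1.0",
  "permissions": ["storage", "cookies"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Sample Notes", "version": "2.1",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example.com/*"]
}""")

if __name__ == "__main__":
    for m in (RISKY, BENIGN):
        print(m["name"], evaluate_extension(m, {"rating": 4.6, "reviews": 1200}))
```

A static check like this only sees what the manifest declares; it does not observe what the extension does at run time, which is the gap the dynamic analysis discussed here is meant to cover.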
Vivek Ramachandran, SquareX’s CEO and Founder, highlights the need for dynamic extension analysis, noting that existing EDR/XDR tools cannot effectively detect the presence or behavior of malicious extensions.
“Browser extensions are a blind spot,” Ramachandran explains, emphasizing how attackers exploit this oversight to monitor user communications, steal cookies, and perform unauthorized actions on behalf of users.
SquareX’s research indicates that without the capability for dynamic analysis and stringent enterprise policies, it remains challenging to identify and block such threats.
Ramachandran underscores that while MV3 reflects Google’s intentions to improve security, its current design and implementation fall short of offering complete protection.