Tuesday, December 10, 2024

Google Chrome Manifest V3 Fails to Stop Data Theft, Putting Users and Businesses at Risk

Share

- Advertisement -

Google’s efforts to improve Chrome extension security with its latest framework, Manifest V3 (MV3), have not fully resolved the persistent security risks of malicious browser extensions.

Despite MV3’s promise of enhanced protections, recent research by cybersecurity firm SquareX reveals that malicious Chrome extensions continue to exploit loopholes in the upgraded framework, leading to data theft, malware attacks, and unauthorized access to sensitive data.

These findings raise concerns for users and enterprises, underscoring the need for stronger browser security practices.

Manifest V3 Security Issues Expose Users to Cyber Threats

Browser extensions serve a convenient function for millions of users worldwide, but they have become an increasingly popular target for cybercriminals.

Google’s Manifest V2 (MV2) framework was often criticized for allowing excessive permissions, making it easier for attackers to exploit users.

While MV3 was designed to tighten control over permissions and scripts, researchers have discovered that MV3 still permits certain malicious activities that can compromise user data and enterprise security.

- Advertisement -

According to SquareX, extensions built on MV3 can access live video streams on platforms like Google Meet and Zoom, adding unauthorized collaborators to private GitHub repositories without requiring specific user permissions.

Additionally, these rogue extensions can redirect users to phishing sites posing as password managers, risking sensitive login details and other personal information.

Persistent Risks for Business and Enterprise Users

Despite Google’s efforts to strengthen extension security, enterprise users are at greater risk than ever. In June 2023 alone, Google had to manually remove 32 harmful Chrome extensions with a collective 72 million downloads, demonstrating the scope of the threat.

Malicious actors continue to exploit browser vulnerabilities, often without user detection, making it challenging for businesses to safeguard data and internal systems effectively.

These rogue extensions can track browsing history, cookies, bookmarks, and download data by posing as legitimate software updates.

Security tools like Endpoint Detection and Response (EDR), Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) currently struggle to detect malicious browser extensions dynamically, leaving critical data vulnerable to unauthorized access.

- Advertisement -

Dynamic Solutions to Strengthen Chrome Extension Security

In response to the ongoing security challenges of MV3, SquareX has developed new solutions that provide enterprises with advanced options for managing browser extension security.

SquareX’s system incorporates fine-tuned policies, allowing administrators to block or allow extensions based on permissions, update history, reviews, and user ratings.

Additionally, SquareX employs machine learning and heuristic analysis to block risky network requests made by extensions in real time.

To identify potentially dangerous extensions, the company is also experimenting with a modified version of Chromium on cloud servers, allowing for deeper behavioral analysis of Chrome extensions.

Vivek Ramachandran, SquareX’s CEO and Founder, highlights the need for dynamic extension analysis, noting that existing EDR/XDR tools cannot effectively detect the presence or behavior of malicious extensions.

“Browser extensions are a blind spot,” Ramachandran explains, emphasizing how attackers exploit this oversight to monitor user communications, steal cookies, and perform unauthorized actions on behalf of users.

- Advertisement -

SquareX’s research indicates that without the capability for dynamic analysis and stringent enterprise policies, it remains challenging to identify and block such threats.

Ramachandran underscores that while MV3 reflects Google’s intentions to improve security, its current design and implementation fall short of offering complete protection.

- Advertisement -
Emily Parker
Emily Parker
Emily Parker is a seasoned tech consultant with a proven track record of delivering innovative solutions to clients across various industries. With a deep understanding of emerging technologies and their practical applications, Emily excels in guiding businesses through digital transformation initiatives. Her expertise lies in leveraging data analytics, cloud computing, and cybersecurity to optimize processes, drive efficiency, and enhance overall business performance. Known for her strategic vision and collaborative approach, Emily works closely with stakeholders to identify opportunities and implement tailored solutions that meet the unique needs of each organization. As a trusted advisor, she is committed to staying ahead of industry trends and empowering clients to embrace technological advancements for sustainable growth.

Read More

Trending Now