Millions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions

At DEF CON 32, the SquareX research team delivered a hard-hitting presentation titled Sneaky Extensions: The MV3 Escape Artists where they shared their findings on how malicious browser extensions are bypassing Google’s latest standard for building chrome extensions: Manifest V3 (MV3)’s security features, putting millions of users and businesses at risk.

SquareX’s research team publicly demonstrated rogue extensions built on MV3. The key findings include:

• Extensions can steal live video streams, such as those from Google Meet and Zoom Web, without requiring special permissions.
• The rogue extensions can act on a user’s behalf to add collaborators to private GitHub repositories.
• The extensions are capable of hooking into login events to redirect users to a page disguised as a password manager login.
• Extensions built on MV3 can steal site cookies, browsing history, bookmarks, and download history with ease, like their MV2 counterparts.
• The rogue extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking users into downloading malware.

Browser extensions have long been a target for malicious actors — a Stanford University report estimates that 280 million malicious Chrome extensions were installed in recent years. Google has struggled to address this issue, often relying on independent researchers to identify malicious extensions. In some cases, Google has had to manually remove them, such as the 32 extensions taken down in June last year. By the time they were removed, these extensions had already been installed 75 million times.

- Advertisement -

Most of these issues arose because the Chrome extension standard, Manifest Version 2 (MV2), was riddled with loopholes that granted extensions excessive permissions, and allowed scripts to be injected on the fly, often without users’ knowledge. This allowed malicious actors to easily exploit these vulnerabilities to steal data, inject malware, and access sensitive information. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. 

However, SquareX’s research shows that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. Both individual users and enterprises are exposed, even under the newer MV3 framework.

Today’s security solutions, such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises without the ability to accurately assess whether an extension is safe or malicious. 

SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to solve this problem, which include;

• Fine grained policies to decide which extensions to allow / block and parameters include extension permissions, creation date, last update, reviews, ratings, user count, author attributes etc
• SquareX blocks network requests sent by extensions at run time – based on policies, heuristics and machine learning insights
• SquareX is also experimenting with dynamic analysis of Chrome Extensions using a modified Chromium browser in its cloud server

These are part of SquareX’s Browser Detection and Response solution which is being deployed at medium-large enterprises and is effectively blocking these attacks.

Vivek Ramachandran, Founder & CEO of SquareX, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.” “Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.

About SquareX

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com