SquareX Released “Year of Browser Bugs” (YOBB) to Expose Critical Security Blind Spots

Groundbreaking initiative reveals browser vulnerabilities in understudied yet critical attack surface

SquareX, a pioneer in Browser Detection and Response (BDR) space, announced the launch of the “Year of Browser Bugs” (YOBB) project today, a year-long initiative to draw attention to the lack of security research and rigor in what remains one of the most understudied attack vectors – the browser.

The browser has evolved from a simple web rendering engine to be the new “endpoint” — the primary gateway through which users interact with the Internet, for work, leisure, and transactions. Yet, traditional security solutions continue to focus on endpoints and networks despite the exponential growth of browser-native attacks.

The YOBB project was inspired by Month of Bugs (MOB), an iconic cybersecurity initiative where security researchers would publish one major vulnerability found in major software providers every day of the month. MOB projects played a huge role in improving the gravity at which security and responsible disclosure are taken in these companies. Notable projects included the Month of Browser Bugs (July 2006), Month of Kernel Bugs (November 2006), and Month of Apple Bugs (January 2007). SquareX is bringing back this tradition with the YOBB to raise awareness of cyberthreats that the browser is vulnerable to. However, unlike H. D. Moore’s original Month of Browser Bugs which focused on software bugs in the browser itself, SquareX will be disclosing application layer attacks that can be delivered through any website, app, or cloud data storage accessed through the browser. 

Throughout 2025, SquareX’s research team will disclose at least one critical web attack per month as part of the YOBB project, focusing on vulnerabilities that exploit architectural limitations of the browser and incumbent solutions. The research will reveal never-seen-before attack vectors that remain unknown even to the cybersecurity community. Each disclosure will include attack video demonstrations, technical breakdowns, and mitigation strategies. These disclosures will be wholly SquareX-researched and discovered, rather than an aggregation of existing security research. 

Under the YOBB initiative, SquareX has already made major releases since 2024 and into the first two months of 2025:

2025

• January: SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk
• February: SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk

2024

• August: SquareX Uncovers Critical Flaw in Secure Web Gateways
• December: Cyberhaven’s OAuth Identity Attack — Are your Extensions Affected?

Quoting Vivek Ramachandran, the Founder and CEO of SquareX, “As browsers become the new endpoint, attackers are increasingly targeting employees to break into organizations and exfiltrate data, just like the Cyberhaven incident. Unfortunately, beyond mainstream media attention, there is little done by vendors from a security perspective to prevent similar exploits from happening in the future. The YOBB is our attempt to draw attention to an attack surface that is exponentially growing. We hope that this will serve as a call to action for browser and security vendors to solve these vulnerabilities that give rise to application layer attacks that simply cannot be solved through browser patches.”

As the year progresses, security teams can expect monthly disclosures to be documented at https://sqrx.com/research.

About SquareX

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate and threat-hunt client-side web attacks targeting employees in real time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Polymorphic Extension,s, and Browser Syncjacking. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

To learn more about SquareX’s BDR, users can contact founder@sqrx.com. For press inquiries on this disclosure on the Year of Browser Bugs, users can contact junice@sqrx.com.