Friday, November 1, 2024
HomePress ReleaseMillions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s...

Millions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions

Published on

Malware protection

At DEF CON 32, the SquareX research team delivered a hard-hitting presentation titled Sneaky Extensions: The MV3 Escape Artists where they shared their findings on how malicious browser extensions are bypassing Google’s latest standard for building chrome extensions: Manifest V3 (MV3)’s security features, putting millions of users and businesses at risk.

SquareX’s research team publicly demonstrated rogue extensions built on MV3. The key findings include:

  • Extensions can steal live video streams, such as those from Google Meet and Zoom Web, without requiring special permissions.
  • The rogue extensions can act on a user’s behalf to add collaborators to private GitHub repositories.
  • The extensions are capable of hooking into login events to redirect users to a page disguised as a password manager login.
  • Extensions built on MV3 can steal site cookies, browsing history, bookmarks, and download history with ease, like their MV2 counterparts.
  • The rogue extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking users into downloading malware.

Browser extensions have long been a target for malicious actors — a Stanford University report estimates that 280 million malicious Chrome extensions were installed in recent years. Google has struggled to address this issue, often relying on independent researchers to identify malicious extensions. In some cases, Google has had to manually remove them, such as the 32 extensions taken down in June last year. By the time they were removed, these extensions had already been installed 75 million times.

- Advertisement - SIEM as a Service

Most of these issues arose because the Chrome extension standard, Manifest Version 2 (MV2), was riddled with loopholes that granted extensions excessive permissions, and allowed scripts to be injected on the fly, often without users’ knowledge. This allowed malicious actors to easily exploit these vulnerabilities to steal data, inject malware, and access sensitive information. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. 

However, SquareX’s research shows that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. Both individual users and enterprises are exposed, even under the newer MV3 framework.

Today’s security solutions, such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises without the ability to accurately assess whether an extension is safe or malicious. 

SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to solve this problem, which include;

  • Fine grained policies to decide which extensions to allow / block and parameters include extension permissions, creation date, last update, reviews, ratings, user count, author attributes etc
  • SquareX blocks network requests sent by extensions at run time – based on policies, heuristics and machine learning insights
  • SquareX is also experimenting with dynamic analysis of Chrome Extensions using a modified Chromium browser in its cloud server

These are part of SquareX’s Browser Detection and Response solution which is being deployed at medium-large enterprises and is effectively blocking these attacks.

Vivek Ramachandran, Founder & CEO of SquareX, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.” “Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.

About SquareX

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

INE Launches Initiative to Optimize Year-End Training Budgets with Enhanced Cybersecurity and Networking Programs

As the year-end approaches, it’s common for enterprises to discover they still have funds...

INE Security Launches New Training Solutions to Enhance Cyber Hygiene for SMBs

INE Security offers essential advice to protect digital assets and enhance security.As small businesses...