SquareX highlights Google Chrome extension security flaws

Recent revelations from cybersecurity research firm SquareX have exposed significant vulnerabilities in Google's Manifest V3 (MV3) security framework for Chrome extensions.

Despite MV3 being Google's latest standard aimed at improving extension security, SquareX demonstrated at DEF CON 32 how malicious actors could bypass these protections, posing risks to users and businesses alike.

The presentation by SquareX's research team, entitled "Sneaky Extensions: The MV3 Escape Artists," showcased several ways in which rogue extensions exploit MV3. Key threats identified included the ability of extensions to steal live video streams from platforms like Google Meet and Zoom Web, add unauthorized collaborators to private GitHub repositories, and redirect users to phishing sites disguised as login prompts. Additionally, these extensions can surreptitiously access sensitive data such as site cookies, browsing history, bookmarks, and download history, mimicking capabilities from the older Manifest Version 2 (MV2).

Browser extensions have long been a conduit for malicious activities, with a Stanford University report estimating 280 million malicious Chrome extensions installed in recent years. Google has often relied on external experts to pin down these threats, taking action to remove them when identified, such as the case with the removal of 32 extensions in June last year that had already seen 75 million installations by that point.

The issues with MV2 predominantly arose from excessive permissions and the ability for scripts to be injected without user awareness. MV3 was intended to combat these shortcomings by enforcing stricter security measures. However, SquareX's findings suggest that these measures fall short, enabling continued exploitation. This leaves both individual users and businesses vulnerable under the MV3 framework.

Current security tools such as endpoint detection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) are limited in their ability to monitor browser extensions, which remain largely unregulated and are not dynamically instrumented by any mature platform. This gap in security capabilities creates ample opportunities for malicious actors.

Vivek Ramachandran, Founder and CEO of SquareX, highlighted the significant risk posed by this oversight. "Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim's behalf to give permissions to external parties, steal cookies and other site data and so on," he noted.

Ramachandran further pointed out the need for dynamic analysis and stringent policies to effectively counter these threats, emphasising, "Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase."

SquareX is developing solutions to address these vulnerabilities. Their Browser Detection and Response solution for medium to large enterprises includes fine-grained policy control over extension permissions, heuristic and machine learning-based network request blocking, and experimentation with dynamic extension analysis using a modified Chromium browser.

The findings from SquareX underscore the complexities involved in securing web browsers against extension-based threats. As these challenges continue, the importance of advanced detection and response tools in safeguarding digital environments is becoming increasingly apparent.