What you need to know
- Google recently transitioned Google Chrome’s extension support from the Manifest V2 framework to V3.
- The company indicated the Manifest V3 framework provides better privacy and security for users.
- New research shows malicious browser extensions can bypass the new framework’s security measures, leaving users susceptible to phishing scams.
Extensions are essential and provide an enhanced and seamless browsing experience for users. As you may know, Google transitioned Google Chrome’s extension support from the Manifest V2 framework to the Manifest V3 framework.
The drastic change impacted many browser extensions, including uBlock Origin, potentially leaving over 30 million Chrome users susceptible to intrusive ads. Google attributed the drastic change to privacy and security concerns with the Manifest V2 framework. According to Google, the Manifest V2 framework “presents security risks by allowing unreviewed code to be executed in extensions.”
Google touts Manifest V3 as a better and safer option since it only allows an extension to execute JavaScript as part of its package, ultimately mitigating the risk. However, new research by SquareX shows some browser extensions can still circumvent the Manifest V3 framework’s security measures (via TechRadar Pro). The report further suggests that this loophole places users at risk, potentially giving bad actors access to personal and sensitive information.
According to the research team’s findings, malicious browser extensions can bypass the Manifest V3 framework’s security, granting them unauthorized access to live video streams, including Google Meet and Zoom Web. Google faced similar issues with the Manifest V2 framework, potentially influencing the transition to V3.
The malicious extensions reportedly allow bad actors to add unauthorized collaborators to private GitHub repositories. Even worse, they can be leveraged to lure unsuspecting users into phishing scams fronted as password managers. This way, the extensions access your browsing and download history, cookies, bookmarks, and more.
As you may know, security solutions like Secure Access Service Edge (SASE) or endpoint protection can’t assess browser extensions, leaving users susceptible to security risks. However, the researchers have highlighted several solutions to mitigate these issues, including fine-tuning policies that allow admins to control extension access based on reviews, ratings, extension permissions, and update history.
According to SquareX Founder & CEO Vivek Ramachandran:
“Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”
SquareX claims the solution will block network requests by extensions in real time based on policies, machine learning insights, and heuristic analysis.
