Google Chrome extensions remain a security risk as Manifest V3 fails to prevent data theft and malware exploitation

  • Research shows that Manifest V3 could suffer from security issues
  • The upgraded Chromium manifest still allows malicious extensions
  • Some security tools struggle to identify dangerous extensions

Browser extensions have long been a convenient tool for users, enhancing productivity and streamlining tasks. However, they have also become a prime target for malicious actors looking to exploit vulnerabilities, targeting both individual users and enterprises.

Despite efforts to enhance security, many of these extensions have found ways to exploit loopholes in Google’s latest extension framework, Manifest V3 (MV3).

Recent research by SquareX has revealed how these rogue extensions can still bypass key security measures, exposing millions of users to risks such as data theft, malware, and unauthorized access to sensitive information.

Browser extensions now pose greater threats

Google has long struggled with problematic extensions in Chrome. In June 2023, the company had to manually remove 32 exploitable extensions that had been installed 72 million times before they were taken down.

Google’s previous extension framework, Manifest Version 2 (MV2), was notoriously problematic. It often granted excessive permissions to extensions and allowed scripts to be injected without user awareness, making it easier for attackers to steal data, access sensitive information, and introduce malware.

In response, Google introduced Manifest V3, which aimed to tighten security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was expected to resolve the vulnerabilities present in MV2, SquareX’s research shows that it falls short in critical areas.

Malicious extensions built on MV3 can still bypass security features and steal live video streams from collaboration platforms like Google Meet and Zoom Web without needing special permissions. They can also add unauthorized collaborators to private GitHub repositories, and even redirect users to phishing pages disguised as password managers.

Furthermore, these malicious extensions can access browsing history, cookies, bookmarks, and download history, in a similar way to their MV2 counterparts, by inserting a fake software update pop-up that tricks users into downloading the malware.

Once a malicious extension is installed, individuals and enterprises cannot detect its activities, leaving them exposed. Security solutions like endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess browser extensions for potential risks.

To address these challenges, SquareX has developed several solutions aimed at improving browser extension security. Their approach includes fine-tuned policies that allow administrators to decide which extensions to block or permit based on factors such as extension permissions, update history, reviews, and user ratings.

This solution can block network requests made by extensions in real-time, based on policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a modified Chromium browser on its cloud server, providing deeper insights into the behavior of potentially harmful extensions.
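As an added illustration (not SquareX's code or anything from the original article), the sketch below shows what the "extension permissions" factor of such an allow/block policy can look like: it reads an extension's manifest and flags the permissions the article names (history, cookies, bookmarks, downloads) plus site-wide host access. The `decide` threshold and both sample manifests are constructed assumptions, and a static check like this cannot see behaviour that needs no special permissions, which is why the research calls for dynamic analysis.

```python
import json

# Permissions the article names as data a malicious extension can reach.
SENSITIVE_PERMISSIONS = {"history", "cookies", "bookmarks", "downloads"}
# Chrome match patterns that cover every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return a list of findings for one extension manifest (JSON text)."""
    manifest = json.loads(manifest_text)
    findings = []
    if manifest.get("manifest_version") != 3:
        findings.append("not-mv3")
    declared = set(manifest.get("permissions", [])) | set(
        manifest.get("optional_permissions", []))
    for perm in sorted(declared & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive-permission:{perm}")
    # MV3 lists hosts in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | declared
    if hosts & BROAD_PATTERNS:
        findings.append("broad-host-access")
    # Content scripts run inside pages; a broad match means every site.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_PATTERNS:
            findings.append("content-script-on-all-sites")
            break
    return findings


def decide(findings, max_findings=1):
    """Hypothetical admin policy: block when findings exceed the threshold."""
    return "block" if len(findings) > max_findings else "permit"


# Constructed sample manifests, not taken from any real extension.
SAMPLE_RISKY = json.dumps({
    "manifest_version": 3, "name": "Sample Updater", "version": "1.0",
    "permissions": ["cookies", "history", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
SAMPLE_NARROW = json.dumps({
    "manifest_version": 3, "name": "Sample Notes", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
})

if __name__ == "__main__":
    for name, text in (("risky", SAMPLE_RISKY), ("narrow", SAMPLE_NARROW)):
        found = audit_manifest(text)
        print(name, decide(found), found)
```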

“Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence,” noted Vivek Ramachandran, Founder & CEO of SquareX.

“This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”

“Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” Ramachandran added.

Efosa Udinmwen
Freelance Journalist
