The Good Tech Companies - SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions
Episode Date: October 3, 2024
This story was originally published on HackerNoon at: https://hackernoon.com/squarex-shows-how-malicious-extensions-bypass-googles-mv3-restrictions. The MV3 Escape Artis...ts where they shared their findings on how malicious browser extensions are bypassing Google’s latest standard for building chrome extension Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #cybersecurity, #squarex, #cybernewswire, #press-release, #squarex-announcement, #cyberthreats, #cybercrime, #good-company, and more. This story was written by: @cybernewswire. Learn more about this writer by checking @cybernewswire's about page, and for more stories, please visit hackernoon.com.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
SquareX shows how malicious extensions bypass Google's MV3 restrictions.
By Cyber Newswire. Singapore, Singapore, October 3, 2024, Cyber Newswire: At DEF CON 32,
the SquareX research team delivered a hard-hitting presentation titled "Sneaky Extensions:
The MV3 Escape Artists," where they shared their findings on how malicious browser extensions
are bypassing Google's latest standard for building Chrome extensions, Manifest V3
(MV3)'s security features, putting millions of users and businesses at risk.
SquareX's research team publicly demonstrated rogue extensions built on MV3.
Key findings include: Extensions can steal live video streams,
such as those from Google Meet and Zoom Web, without requiring special permissions.
The rogue extensions can act on a user's behalf to add collaborators to private GitHub repositories.
The extensions are capable of hooking into login events to redirect users to a page
disguised as a password manager login. Extensions built on MV3 can steal site cookies, browsing
history, bookmarks, and download history with ease, like their MV2 counterparts. The rogue
extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking
users into downloading malware.
Browser extensions have long been a target for malicious actors.
A Stanford University report estimates that 280 million malicious Chrome extensions were installed in recent years. Google has struggled to address this issue,
often relying on independent researchers to identify malicious extensions.
In some cases, Google has had to manually remove them,
such as the 32 extensions taken down in June last year. By the time they were removed,
these extensions had already been installed 75 million times. Most of these issues arose
because the Chrome extension standard, Manifest Version 2 (MV2), was riddled with loopholes that
granted extensions excessive permissions and allowed scripts to be injected on the fly, often without users' knowledge.
This allowed malicious actors to easily exploit these vulnerabilities to steal data,
inject malware, and access sensitive information. MV3 was introduced to address these problems by
tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. However, SquareX's research shows that MV3 falls short in many critical areas,
demonstrating how attackers are still able to exploit minimal permissions to carry out
malicious activity. Both individual users and enterprises are exposed, even under the newer
MV3 framework. Today's security solutions, such as endpoint security,
SASE, SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions.
There is currently no mature tool or platform capable of dynamically instrumenting these
extensions, leaving enterprises without the ability to accurately assess whether an extension
is safe or malicious. SquareX is committed to the highest level of cybersecurity protection for enterprises
and has built key innovative features to solve this problem, which include fine-grained policies
to decide which extensions to allow or block; parameters include extension permissions,
creation date, last update, reviews, ratings, user count, author attributes, etc.
SquareX blocks network requests sent by extensions at runtime, based on policies,
heuristics and machine learning insights. SquareX is also experimenting with dynamic
analysis of Chrome extensions using a modified Chromium browser in its cloud server.
These are part of SquareX's browser detection and response solution which is
being deployed at medium-large enterprises and is effectively blocking these attacks.
Vivek Ramachandran, founder and CEO of SquareX, warned about the mounting risks:
"Browser extensions are a blind spot for EDR, XDR and SWGs have no way to infer
their presence. This has made browser extensions
a very effective and potent technique to silently be installed and monitor enterprise
users, and attackers are leveraging them to monitor communication over web calls,
act on the victim's behalf to give permissions to external parties,
steal cookies and other site data and so on.
"Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks.
Google MV3, though well-intended, is still far away from enforcing security at
both the design and implementation phase," said Vivek Ramachandran.
About SquareX: SquareX helps organizations detect, mitigate and threat hunt client-side web attacks happening
against their users in real time. SquareX's industry-first Browser Detection and Response
(BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are
protected against advanced threats like malicious
QR codes, browser-in-the-browser phishing, macro-based malware, malicious extensions,
and other web attacks encompassing malicious files, websites, scripts, and compromised networks.
With SquareX, enterprises can also provide contractors and remote workers with secure
access to internal applications, enterprise SaaS, and convert the browsers on BYOD, unmanaged devices into trusted browsing sessions.
Contact: Head of PR, Junus Liu, SquareX, Junus at sqrx.com.
This story was distributed as a release by Cyber Newswire under HackerNoon's business
blogging program. Learn more about the program here. And thank you for listening to this
HackerNoon story, read by Artificial Intelligence. Visit HackerNoon.com to read, write, learn and
publish.