SquareX uncovers critical flaws: How malicious extensions bypass Google’s MV3 security

At DEF CON 32, SquareX presented a critical talk, Sneaky Extensions: The MV3 Escape Artists, revealing how malicious browser extensions are evading Google’s Manifest V3 (MV3) security features. These findings pose risks to millions of users and enterprises globally.

SquareX demonstrated rogue extensions exploiting MV3 vulnerabilities, with key revelations including:

• Live video stream theft: Extensions can steal video streams from platforms like Google Meet and Zoom without special permissions.
• Unauthorised GitHub access: Extensions can add collaborators to private repositories without user consent.
• Login event redirection: Extensions can intercept login events, leading users to fake login pages.
• Cookie and history theft: Extensions still allow easy access to cookies, browsing history, bookmarks, and download history.
• Malicious pop-ups: They can display fraudulent software updates to trick users into downloading malware.

Browser extensions have long been a prime target for malicious actors. A Stanford study estimates that over 280 million malicious Chrome extensions have been installed. Google’s efforts to remove dangerous extensions, such as last year’s takedown of 32 rogue extensions installed 75 million times, reflect the magnitude of the problem.
While Manifest Version 2 (MV2) allowed excessive permissions and script injections, MV3 was designed to tighten security. However, SquareX’s research proves that MV3 fails in key areas, leaving enterprises and individual users vulnerable to attacks.

Current security solutions like EDR, SASE, SSE, and Secure Web Gateways (SWG) do not have visibility into browser extensions, providing no means to assess or block these threats. SquareX addresses this gap with innovative features, including:

• Fine-grained extension policies based on permissions, creation dates, user counts, and other parameters.
• Network request blocking for extensions using policies, heuristics, and machine learning.
• Dynamic analysis of extensions through a modified Chromium browser in SquareX’s cloud servers.

These features are part of SquareX’s Browser Detection and Response solution, already deployed by medium-to-large enterprises to prevent such attacks.

Vivek Ramachandran, Founder & CEO of SquareX, highlights the seriousness of the issue:
“Browser extensions are a blind spot for EDR/XDR, and SWGs cannot detect their presence. Attackers leverage these vulnerabilities to monitor communications, act on victims’ behalf, and steal data. Without dynamic analysis and strict policies, detecting and blocking these attacks will be impossible. While Google’s MV3 is a step in the right direction, it still falls short in enforcing robust security.”