"Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence": Google Chrome's new Manifest V3 framework, touted as private and secure, might be a breeding ground for phishing scams

Google Chrome on Windows (Image credit: Chris Wedel | Android Central)

What you need to know

  • Google recently moved Google Chrome's extension platform from the Manifest V2 framework to Manifest V3.
  • The company says Manifest V3 provides better privacy and security for users.
  • New research from SquareX shows malicious browser extensions can still carry out attacks under the new framework, including phishing lures that pose as password managers.

Extensions are a core part of the browsing experience for many users. As you may know, Google has moved Google Chrome's extension support from the Manifest V2 framework to the Manifest V3 framework.

The change broke or limited many browser extensions, including uBlock Origin, potentially leaving over 30 million Chrome users exposed to intrusive ads. Google attributed the move to privacy and security concerns with Manifest V2, which, according to Google, "presents security risks by allowing unreviewed code to be executed in extensions."

Google touts Manifest V3 as a safer option because an extension may only execute JavaScript bundled in its own package, not code fetched from a remote server, which is meant to mitigate that risk. However, new research by SquareX (via TechRadar Pro) shows that malicious extensions can still operate within Manifest V3's restrictions: the limits on remotely hosted code do not constrain what an extension does with the permissions it declares. The report suggests this loophole places users at risk, potentially giving bad actors access to personal and sensitive information.

According to the research team's findings, malicious extensions built for Manifest V3 can still gain unauthorized access to live video streams, including Google Meet and Zoom Web calls. Google faced similar issues under Manifest V2, which potentially influenced the transition to V3.

The malicious extensions reportedly let attackers add unauthorized collaborators to private GitHub repositories. Worse, they can be used to lure unsuspecting users into phishing scams while posing as password managers, and they can read browsing and download history, cookies, bookmarks, and more.

Security solutions like Secure Access Service Edge (SASE) and endpoint protection have no visibility into browser extensions, leaving users exposed. The researchers outline several mitigations, including fine-grained policies that let admins control which extensions can be installed based on reviews, ratings, the permissions an extension requests, and its update history.
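To make the permission point concrete, here is an added example that is not from the article, Google or SquareX. It audits a Manifest V3 manifest for the API permissions behind the data the report lists (history, downloads, cookies, bookmarks, tabs, injected scripts), then builds the kind of permission-based Chrome ExtensionSettings policy the researchers recommend and reproduces Chrome's install-time decision against it. The sample manifest and extension ID are constructed; the permission names and policy keys are the real chrome.* and ExtensionSettings names. Manifest V3 forbids remotely hosted code, but it does not limit what a declared permission lets bundled code do, which is exactly what the audit checks.

```javascript
// Added example (not from the article, Google or SquareX): audit a Manifest V3
// manifest for risky grants, then build a Chrome ExtensionSettings policy that
// refuses extensions asking for them. Manifest V3 blocks remotely hosted code;
// it does not limit what a declared permission lets bundled code do.

// chrome.* API permissions mapped to what they grant the extension's own code.
const RISKY_PERMISSIONS = {
  history: "read browsing history",
  downloads: "read download history",
  cookies: "read and write cookies on granted hosts",
  bookmarks: "read and modify bookmarks",
  tabs: "list open tabs with URLs and titles",
  scripting: "inject scripts into pages on granted hosts",
  webRequest: "observe network requests",
  tabCapture: "capture tab audio and video",
};

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Audit a parsed manifest.json: which risky API permissions it declares, whether
// it asks for every site, and which hosts its content scripts inject into.
function auditManifest(manifest) {
  const permissions = manifest.permissions || [];
  const hostPermissions = manifest.host_permissions || [];
  const injectedHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return {
    manifestV3: manifest.manifest_version === 3,
    riskyPermissions: permissions
      .filter((p) => p in RISKY_PERMISSIONS)
      .map((p) => ({ name: p, grants: RISKY_PERMISSIONS[p] })),
    broadHosts: hostPermissions.some((h) => BROAD_HOST_PATTERNS.has(h)),
    injectedHosts,
  };
}

// Build the value of Chrome's ExtensionSettings enterprise policy. The "*"
// entry applies to every extension; per-ID entries override it, so a vetted
// extension can be re-allowed a permission the default entry blocks.
function buildExtensionSettingsPolicy({ blockedPermissions, blockedHosts = [], exceptions = {} }) {
  const policy = {
    "*": {
      installation_mode: "allowed",
      blocked_permissions: [...blockedPermissions],
      runtime_blocked_hosts: [...blockedHosts],
      blocked_install_message: "This extension requests a permission your organization blocks.",
    },
  };
  for (const [id, allowedPermissions] of Object.entries(exceptions)) {
    policy[id] = { installation_mode: "allowed", allowed_permissions: [...allowedPermissions] };
  }
  return policy;
}

// Reproduce Chrome's install-time rule for blocked_permissions: an extension
// requesting a blocked permission (unless re-allowed for its ID) is not installed.
function installDecision(extensionId, manifest, policy) {
  const base = policy["*"] || {};
  const specific = policy[extensionId] || {};
  if (specific.installation_mode === "blocked") return { install: false, blockedBy: ["installation_mode"] };
  const reallowed = new Set(specific.allowed_permissions || []);
  const blockedList = specific.blocked_permissions || base.blocked_permissions || [];
  const blocked = new Set(blockedList.filter((p) => !reallowed.has(p)));
  const blockedBy = (manifest.permissions || []).filter((p) => blocked.has(p));
  return { install: blockedBy.length === 0, blockedBy };
}

// Constructed sample: a "password manager" look-alike declaring far more than a
// password manager needs. Chrome extension IDs are 32 letters from a to p.
const SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop";
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Password Vault",
  version: "1.0.0",
  permissions: ["storage", "history", "downloads", "cookies", "bookmarks", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "sw.js" },
  content_scripts: [{ matches: ["https://github.com/*", "https://meet.google.com/*"], js: ["inject.js"] }],
};

// Policy an admin might ship: block the data-access permissions outright and keep
// all extensions off GitHub and Meet at runtime (host pattern syntax per Chrome's policy docs).
const POLICY = buildExtensionSettingsPolicy({
  blockedPermissions: ["history", "downloads", "cookies", "bookmarks", "tabCapture"],
  blockedHosts: ["*://*.github.com", "*://meet.google.com"],
});

function main() {
  console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
  console.log(JSON.stringify(POLICY, null, 2));
  console.log(installDecision(SAMPLE_ID, SAMPLE_MANIFEST, POLICY));
}
main();
```

Run it with `node` and the audit lists six risky permissions plus an all-sites host grant for a manifest that is perfectly valid Manifest V3, while the policy refuses the install because of history, downloads, cookies and bookmarks. The `exceptions` map is how a vetted extension keeps a permission the default entry blocks; everything else is decided by declared grants, not by where the code came from.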

According to SquareX Founder & CEO Vivek Ramachandran:

“Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”

SquareX says its own browser security solution will block network requests made by extensions in real time, based on policies, machine learning insights, and heuristic analysis.


Kevin Okemwa
Contributor

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. You'll also catch him occasionally contributing at iMore about Apple and AI. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.