Malicious Chrome extensions get past Google's security precautions
Google has made the API for browser extensions in Chrome more secure. Security researchers recently demonstrated that this was clearly not enough.
- Kathrin Stoll
Malicious Chrome extensions are finding their way into the Chrome Web Store – despite the improved security and privacy settings of Manifest V3, the API used to run browser extensions in Google's Chrome browser. Although the current API version has been improved in this respect compared to V2, it apparently still has too many lax permissions.
As the IT news portal Dark Reading reports, security researchers from SquareX demonstrated at the DefCon 32 hacker conference how such malicious extensions can easily be smuggled past the protective measures. They can then steal video material from conference platforms such as Google Meet or Zoom without the need for special permissions.
The researchers also showed how such Manifest V3-based browser extensions enable attackers to steal data, browser history and session cookies, redirect users to malicious websites or add contributors to private GitHub repositories.
More secure than before, but not enough
Vivek Ramachandran, founder and CEO of SquareX, warns that browser extensions are a blind spot for Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) security technologies. According to him, employees install them without security controls noticing. Attackers could use them to gain access to a company's internal systems and data. Without dynamic analysis and the enforcement of strict security policies, companies are unable to detect and block such attacks. Google's Manifest V3 was well-intentioned, but far from providing real security.
Under Manifest V2, it was probably even easier for attackers to develop malicious Chrome extensions. However, as of August 2024, there were apparently still more than 50,000 extensions using the old standard. The new version was particularly criticized by ad blocker providers and digital rights advocates from the Electronic Frontier Foundation. In addition to the more modern architecture, Google also put forward better security and performance as arguments in favor of V3.
(kst)