Malicious Chrome Extensions Skate Past Google's Updated Security
Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.
October 7, 2024
Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.
That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.
Malicious Chrome Extensions Are a Continuing Problem
In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.
Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.
As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.
The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "[Manifest V3's] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.
Overly Broad Permissions for Manifest V3?
A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."
Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.
"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."
Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.
"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.
Boosting Chrome Ecosystem Security
In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.
Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.
Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.
Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.
Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.
"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."
About the Author
You May Also Like