Jump to content
  • "Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence": Google Chrome's new Manifest V3 framework, touted as private and secure, might be a breeding ground for phishing scams


    Karlston

    • 190 views
    • 3 minutes
     Share


    • 190 views
    • 3 minutes

    Google Chrome's Manifest V3 framework poses a major security threat.

    What you need to know

    • Google recently transitioned Google Chrome's extension support from the Manifest V2 framework to V3.
    • The company indicated the Manifest V3 framework provides better privacy and security for users.
    • New research shows malicious browser extensions can bypass the new framework's security measures, leaving users susceptible to phishing scams.

     


     

    Extensions are essential and provide an enhanced and seamless browsing experience for users. As you may know, Google transitioned Google Chrome's extension support from the Manifest V2 framework to the Manifest V3 framework.

     

    The drastic change impacted many browser extensions, including uBlock Origin, potentially leaving over 30 million Chrome users susceptible to intrusive ads. Google attributed the drastic change to privacy and security concerns with the Manifest V2 framework. According to Google, the Manifest V2 framework "presents security risks by allowing unreviewed code to be executed in extensions."

     

    Google touts Manifest V3 as a better and safer option since it only allows an extension to execute JavaScript as part of its package, ultimately mitigating the risk. However, new research by SquareX shows some browser extensions can still circumvent the Manifest V3 framework's security measures (via TechRadar Pro). The report further suggests that this loophole places users at risk, potentially giving bad actors access to personal and sensitive information.

     

    According to the research team's findings, malicious browser extensions can bypass the Manifest V3 framework's security, granting them unauthorized access to live video streams, including Google Meet and Zoom Web. Google faced similar issues with the Manifest V2 framework, potentially influencing the transition to V3.

     

    The malicious extensions reportedly allow bad actors to add unauthorized collaborators to private GitHub repositories. Even worse, they can be leveraged to lure unsuspecting users into phishing scams fronted as password managers. This way, the extensions access your browsing and download history, cookies, bookmarks, and more.

     

    As you may know, security solutions like Secure Access Service Edge (SASE) or endpoint protection can't assess browser extensions, leaving users susceptible to security risks. However, the researchers have highlighted several solutions to mitigate these issues, including fine-tuning policies that allow admins to control extension access based on reviews, ratings, extension permissions, and update history.

     

    According to SquareX Founder & CEO Vivek Ramachandran:

     

    “Browser extensions are a blind spot for EDR/XDR, and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”

    SquareX claims the solution will block network requests by extensions in real time based on policies, machine learning insights, and heuristic analysis.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...