Mon Nov 11 2024

Google Chrome Extensions Still Pose a Security Risk as Manifest V3 Fails to Prevent Data Theft and Malware Exploitation

Companies should consider adopting stronger security measures for browsers.

Browser extensions have been a useful tool for users, enhancing their productivity and facilitating various tasks. However, they have also become an attractive target for malicious actors seeking to exploit vulnerabilities, affecting both individual users and businesses. Despite efforts to improve security, many of these extensions have found ways to exploit gaps within Google's latest extension framework, known as Manifest V3 (MV3).

Recent research has highlighted how malicious extensions can bypass key security measures, exposing millions of users to risks such as data theft, malware, and unauthorized access to sensitive information. Browser extensions have evolved into much more serious threats. Google has historically faced problems with extensions in Chrome. In June 2023, the company had to manually remove 32 vulnerable extensions that had been installed 72 million times before their removal.

The previous extension framework, Manifest Version 2 (MV2), was problematic because it granted excessive permissions to extensions and allowed script injection without user knowledge, making it easier for attackers to steal information and introduce malware. In an attempt to address these vulnerabilities, Google introduced Manifest V3, which aimed to enhance security by limiting permissions and requiring extensions to declare their scripts in advance. However, research suggests that MV3 has not effectively addressed critical areas.

Malicious extensions designed under MV3 are capable of evading security features and can steal live video streams from collaboration platforms like Google Meet and Zoom Web without requiring special permissions. They can also add unauthorized collaborators to private GitHub repositories and redirect users to phishing pages disguised as password managers. Additionally, these extensions can access browsing history, cookies, bookmarks, and download history, similar to what their predecessors did under MV2, by injecting a fake software update notice that deceives users into downloading malware.

Once a malicious extension is installed, it is difficult for individuals and businesses to detect what it is doing, which leaves them exposed. Security tools such as endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess browser extensions in terms of potential risks.

To address these challenges, various solutions have been developed focusing on improving the security of browser extensions. One such proposal includes tailored policies that allow administrators to decide which extensions to block or allow based on factors such as permissions, update history, user reviews, and ratings. This solution is capable of blocking network requests made by extensions in real time, utilizing policies, machine learning trends, and heuristic analysis. Additionally, tests are being conducted with dynamic analysis of Chrome extensions using a modified Chromium browser on cloud servers, providing deeper insight into the behavior of potentially harmful extensions.
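The kind of allow/block policy described above can be sketched as a static check over an extension's manifest and store metadata. This is an added example, not code from the article or from any vendor; the thresholds, the `meta` record layout and the sample extensions are assumptions made up for illustration.

```python
from datetime import date

# Assumed thresholds for illustration; tune to your own risk appetite.
POLICY = {
    "blocked_permissions": {"cookies", "history", "bookmarks", "downloads"},
    "broad_hosts": {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"},
    "min_rating": 3.5,
    "min_reviews": 50,
    "max_days_since_update": 365,
}

def evaluate_extension(manifest, meta, today, policy=POLICY):
    """Return (verdict, reasons) for one extension.

    manifest: parsed manifest.json; meta: hypothetical inventory record
    with 'rating', 'reviews' and 'last_updated' (a date).
    """
    reasons = []
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hit = sorted(perms & policy["blocked_permissions"])
    if hit:
        reasons.append("blocked permissions: " + ", ".join(hit))
    # Page access is granted by host_permissions and by content-script
    # match patterns, so collect both before checking for broad patterns.
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & policy["broad_hosts"])
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    if meta["rating"] < policy["min_rating"]:
        reasons.append(f"rating {meta['rating']} below {policy['min_rating']}")
    if meta["reviews"] < policy["min_reviews"]:
        reasons.append(f"only {meta['reviews']} reviews")
    age = (today - meta["last_updated"]).days
    if age > policy["max_days_since_update"]:
        reasons.append(f"no update for {age} days")
    return ("block" if reasons else "allow", reasons)

# Constructed sample data, not real extensions.
RISKY = ({"manifest_version": 3, "permissions": ["cookies", "history", "storage"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
         {"rating": 2.9, "reviews": 12, "last_updated": date(2023, 1, 10)})
CLEAN = ({"manifest_version": 3, "permissions": ["storage"],
          "host_permissions": ["https://example.com/*"]},
         {"rating": 4.6, "reviews": 1200, "last_updated": date(2024, 9, 1)})

if __name__ == "__main__":
    for name, (manifest, meta) in {"risky": RISKY, "clean": CLEAN}.items():
        print(name, evaluate_extension(manifest, meta, date(2024, 11, 11)))
```

A static check like this only sees what an extension declares; the behaviours the article describes as needing no special permissions are what the dynamic analysis is meant to catch.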

Security experts have pointed out that browser extensions represent a blind spot in many protection solutions. Without dynamic analysis and the ability to enforce strict policies, it will be impossible to identify and block these attacks. Despite the good intentions behind Google MV3, it is still far from providing the necessary security in both design and implementation phases.