Google is pushing its Manifest V3 (MV3) platform for Chrome extensions, aiming to enhance browser security. However, experts from the IT company SquareX suggest that while MV3 imposes limitations on ad blockers and other useful add-ons, it still leaves security gaps exploitable by attackers. We’ll keep you updated as this issue develops.
Limitations of Manifest V3 Security Measures
SquareX researchers argue that the transition to MV3 falls short of fully protecting users. They highlight that the platform still allows for the creation of extensions capable of accessing sensitive data and personal information without proper permissions. For instance, certain add-ons can intercept live streams on platforms like Google Meet and Zoom, gain unauthorized access to private GitHub repositories, and read users’ cookies, bookmarks, and browser history.
Further, MV3 still permits malicious actors to display fake password manager windows that redirect users to phishing pages, or to push malware through fake browser update prompts. Detecting such behaviour is harder because real-time security solutions, such as endpoint protection, Secure Access Service Edge (SASE) and Secure Web Gateways (SWG), cannot monitor and evaluate potentially risky extensions.
SquareX’s Proposed Solutions to Enhance Extension Security
To address these issues, SquareX has proposed several strategies. One suggestion is to let administrators control which extensions can be installed by assessing their permissions, descriptions, reviews and ratings in the Chrome Web Store. SquareX emphasizes that without dynamic analysis capabilities or strict enterprise policies, detecting and blocking security threats will remain difficult. They believe Google's MV3, while well-intentioned, is still lacking in terms of security at both the development and deployment stages.
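The permission review that SquareX recommends for administrators can be partly automated. The script below is an added illustration, not SquareX's or Google's code: it triages an MV3 manifest.json for the permissions that grant the data access described above (cookies, history, bookmarks) and for broad host access, and returns an allow/review/block verdict. The risk weights, thresholds and the sample manifest are my own constructed assumptions.

```python
import json

# Weights are assumptions for illustration. The permission names are real
# Chrome extension permissions; the first three map to the data classes the
# article names (cookies, browsing history, bookmarks).
RISK_WEIGHTS = {
    "cookies": 3, "history": 3, "bookmarks": 2,
    "tabs": 1, "scripting": 2, "webRequest": 2, "webNavigation": 1,
}
# Match patterns that give an extension access to every site.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def triage_manifest(manifest: dict) -> dict:
    """Score an extension manifest and return findings plus a verdict."""
    score, findings = 0, []
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    for p in sorted(perms & RISK_WEIGHTS.keys()):
        score += RISK_WEIGHTS[p]
        findings.append(f"permission {p!r}")
    # MV3 puts host patterns in host_permissions; tolerate MV2-style placement too.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & set(BROAD_HOSTS):
        score += 3
        findings.append("broad host access")
    # A content script injected on every site can read page content and forms.
    for cs in manifest.get("content_scripts", []):
        if any(m in BROAD_HOSTS for m in cs.get("matches", [])):
            score += 2
            findings.append("content_script on all sites")
            break
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"score": score, "findings": findings, "verdict": verdict}


def triage_manifest_json(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return triage_manifest(json.loads(text))


# Constructed sample manifest: looks like a harmless helper but requests
# cookie and history access on every site. Expected verdict: "block".
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Helper",
    "permissions": ["storage", "cookies", "history", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    print(triage_manifest_json(SAMPLE_MANIFEST))
```

A verdict of "review" or "block" is a prompt for a human to read the store listing and reviews, as SquareX suggests; it is not a substitute for dynamic analysis.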
Another proposed solution is a machine-learning-based tool that blocks suspicious extension network requests using heuristic analysis, notes NIX Solutions. Additionally, SquareX is experimenting with a cloud-based approach that analyzes extensions in a modified Chromium browser on a remote server. This method could identify potentially harmful extensions before users install them, providing an added layer of security.
As the Manifest V3 platform continues to evolve, we’ll keep you updated on Google’s progress in addressing these security concerns.