Google Chrome extensions remain a security risk as Manifest V3 fails to prevent data theft and malware exploitation

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,345
  • Research shows that Manifest V3 could suffer from security issues
  • The upgraded Chromium manifest still allows malicious extensions
  • Some security tools struggle to identify dangerous extensions
Browser extensions have long been a convenient tool for users, enhancing productivity and streamlining tasks. However, they have also become a prime target for malicious actors looking to exploit vulnerabilities, targeting both individual users and enterprises.

Despite efforts to enhance security, many of these extensions have found ways to exploit loopholes in Google’s latest extension framework, Manifest V3 (MV3).

Recent research by SquareX has revealed how these rogue extensions can still bypass key security measures, exposing millions of users to risks such as data theft, malware, and unauthorized access to sensitive information.
Google has always struggled with the issues of extensions in Chrome. In June 2023, the company had to manually remove 32 exploitable extensions that were installed 72 million times before they were taken down.

Google’s previous extension framework, Manifest Version 2 (MV2), was notoriously problematic. It often granted excessive permissions to extensions and allowed scripts to be injected without user awareness, making it easier for attackers to steal data, access sensitive information, and introduce malware.

In response, Google introduced Manifest V3, which aimed to tighten security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was expected to resolve the vulnerabilities present in MV2, SquareX’s research shows that it falls short in critical areas.

Malicious extensions built on MV3 can still bypass security features and steal live video streams from collaboration platforms like Google Meet and Zoom Web without needing special permissions. They can also add unauthorized collaborators to private GitHub repositories, and even redirect users to phishing pages disguised as password managers.

Furthermore, these malicious extensions can access browsing history, cookies, bookmarks, and download history, in a similar way to their MV2 counterparts, by inserting a fake software update pop-up that tricks users into downloading the malware.

Once the malicious extension is installed, individuals and enterprises cannot detect the activities of these extensions, leaving them exposed. Security solutions like endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess browser extensions for potential risks.
 

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,292
It was never about safety. Sure, MV3 extensions are less powerful, but they can still do damage if there's malicious intent. It was about limiting the ad blockers ability.

Remember how YouTube tried so hard to beat ad blockers, but filter devs were always ahead of them and defeated their script in the matter of minutes/hours? Yeah. YouTube now won't have to try so hard, because they know exactly what ad blockers can and can't do. I'm expecting their anti-ad block script to make a comeback, but this time, it won't be so easily defeated by MV3 ad blockers. And honestly, I hope they do that because that could be the final nail in the coffin of Chromium based browsers.
 

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,292
With a 70% share ,give or take, I doubt it. I rarely watch Youtube and if I have to watch ads continuously I can easily give it up.
You have to understand that YouTube is one of the most important sites and second most visited site on the internet. Making users annoyed by the number of ads will backfire, not only for YouTube, but for Chrome as well. When people see that it functions normally on Firefox, they will switch. This is why Chrome is the most used web browser after all; Firefox used to suck and people found better alternative, which was Chrome at the time. Annoy users and they will leave.

Also, YouTube as a platform doesn't really have a real competitor. Sure, you have Odysee, Rumble and sites like it, but most of the content is still on YouTube. With both platforms see only minor growth.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,664
Making users annoyed by the number of ads will backfire, not only for YouTube, but for Chrome as well. When people see that it functions normally on Firefox, they will switch.
I doubt it, because most users don't even look at the Chrome settings page, let alone make any changes to them, so what makes you think they actually know how, and will, uninstall Chrome and switch to Firefox? Hell, most average users don't even know what the hell Firefox is.
 
  • Like
Reactions: brambedkar59

brambedkar59

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,110
I doubt it, because most users don't even look at the Chrome settings page, let alone make any changes to them, so what makes you think they actually know how, and will, uninstall Chrome and switch to Firefox? Hell, most average users don't even know what the hell Firefox is.
On Android my sister is fine watching 2-3 ads every 10-15 minutes. I on the other hand can't imagine watching YT without revanced. It has features that even YT premium doesn't.
Same goes for her laptop, until few years back she was browsing without an adblocker 😱
So for avg users saying they will switch to another browser just because YT is showing ads is just too far fetched.

I hope Chromium loses some market share to FF, but this is just hope and not reality.

Edut: Grammar, my nemesis.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top