**SINGAPORE, Singapore, October 3rd, 2024/CyberNewsWire/--** At DEF CON 32, SquareX’s research team publicly demonstrated rogue extensions built on MV3. The key findings include:
Browser extensions have long been a target for malicious actors — a Stanford University
In some cases, Google has had to manually remove them, such as the
This allowed malicious actors to easily exploit these vulnerabilities to steal data, inject malware, and access sensitive information. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand.
However, SquareX’s research shows that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. Both individual users and enterprises are exposed, even under the newer MV3 framework.
Today's security solutions, such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises without the ability to accurately assess whether an extension is safe or malicious.
SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to solve this problem, which include:
These are part of SquareX’s
Vivek Ramachandran, Founder & CEO of SquareX, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”
“Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.
SquareX's industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions and other web attacks encompassing malicious files, websites, scripts, and compromised networks.
With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications and enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.
Head of PR
Junice Liew
SquareX
This story was distributed as a release by CyberNewsWire under HackerNoon’s Business Blogging Program.