Browser security tools struggle to detect malicious extensions

Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as ‘Verified’ and ‘Chrome Featured’ provided by extension stores as a security indicator.

However, new research from SquareX points to architectural flaws in how browser security tools work, flaws that leave them unable to detect or prevent the latest advancements in malicious browser extension attacks.

“Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension’s security posture at runtime,” says Nishant Sharma, head of security research at SquareX. “This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have ‘superpowers’ that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.”

Browser DevTools were introduced in the late 2000s, predating widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among other things, modify, take screenshots of and inject scripts into multiple web pages, and Browser DevTools cannot easily monitor this activity or attribute it to an extension. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate between network requests made by the web page itself and those made by an extension.
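Because runtime attribution is the gap, a defender's first triage step is often static: listing which installed extensions declare the capabilities named above (page modification, script injection, screenshots). The following is an added example, not code from SquareX or the original article. It uses real Chrome manifest keys, but the function name, finding labels and sample manifests are constructed for illustration, and it reports declared capability only, not what an extension does at runtime.

```javascript
// Added example: static capability triage of a Chrome extension manifest.
// Finding labels and function names are invented for this illustration.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them separately under "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const apiPerms = new Set(perms.filter((p) => !isHostPattern(p)));
  const contentMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];

  // Declared content scripts run in every page that matches the pattern.
  if (contentMatches.some((m) => BROAD.has(m))) findings.push("content-script-all-sites");

  // Programmatic injection: MV3 needs the "scripting" permission plus host
  // access; MV2 tabs.executeScript needs host access only.
  const broadHosts = hosts.some((h) => BROAD.has(h));
  if (broadHosts && (manifest.manifest_version === 2 || apiPerms.has("scripting"))) {
    findings.push("programmatic-injection-all-sites");
  }

  // tabs.captureVisibleTab requires "<all_urls>" or "activeTab".
  if (hosts.includes("<all_urls>") || apiPerms.has("activeTab")) {
    findings.push("screenshot-capable");
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadSample = {
  manifest_version: 3,
  name: "Constructed broad sample",
  permissions: ["scripting", "storage", "activeTab"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["cs.js"] }],
};
const narrowSample = {
  manifest_version: 3,
  name: "Constructed narrow sample",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
};

console.log(auditManifest(broadSample), auditManifest(narrowSample));
```

An empty result means only that none of these broad capabilities is declared; a non-empty result identifies extensions worth closer runtime review.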

SquareX’s researchers are proposing a novel solution that combines a modified browser with Browser AI Agents to plug this gap. The Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This allows not only a dynamic analysis of the extension, but also the discovery of various ‘hidden’ extension behaviors that are only triggered by time, a certain user action or device environments.

As browser extensions become a core part of the enterprise workflow, it is critical for businesses to move from superficial labels to solutions specifically designed to tackle extension security.

You can find out more on the SquareX blog. You can also sign up before August 31st for a free extension audit.

Image credit: Justin Morgan/Unsplash

© 1998-2025 BetaNews, Inc. All Rights Reserved.