SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions
SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.
"Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime," says Nishant Sharma, Head of Security Research at SquareX, "This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have "superpowers" that allow them to easily bypass detection via rudimentary Browser DevTool telemetry."
In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections.
Browser DevTools were introduced in the late 2000s, long pre-dating the widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself and those by an extension.
Detailed in the technical blog, SquareX's researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes critical telemetry required to understand an extension's true behavior, while the Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also discoveries of various "hidden" extension behaviors that are only triggered by time, a certain user action or device environments. Named the Extension Monitoring Sandbox, the research details the necessary modifications required for the modified browser.
The revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.
This August, SquareX is offering a free enterprise-wide extension audit in August. The audit involves conducting an extensive audit of all extensions installed across the organization using all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox - providing a full analysis of the organization's extension risk exposure and a risk score for each extension.
About SquareX
SquareX's browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more.
Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.
More information available at: sqrx.com
Reference
[1] http://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-with-17m-installs-found-on-web-store/
Contact
Head of PRJunice LiewSquareXjunice@sqrx.com
Image - https://mma.prnewswire.com/media/2740082/SquareX.jpgLogo - https://mma.prnewswire.com/media/2697860/5435559/SquareX_Logo.jpg
View original content to download multimedia:https://www.prnewswire.com/news-releases/squarex-discloses-architectural-limitations-of-browser-devtools-in-debugging-malicious-extensions-302518583.html
SOURCE SquareX
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Gizmodo
a minute ago
- Gizmodo
Apple's 2025 MacBook Air M4 Just Got a Surprise Discount for Back-to-School, Too Hot to Stay in Stock
Finding a laptop that feels fast at breakfast, quiet in class, and comfortable on the couch at night is harder than it should be. The Apple 2025 MacBook Air 13-inch Laptop with M4 chip makes that balance feel easy. It wakes instantly, runs cool and quiet, and packs enough power to handle everyday work with room left over for photos, light editing, and a little gaming. The 13-inch size lands in a sweet spot that travels well without shrinking the screen to a squint. Head over to Amazon to get the Apple 2025 MacBook Air 13-inch Laptop with M4 chip for just $800, down from its usual price of $1,000. That's a discount of $200 and 20% off. See at Amazon The design is classic Air. It is thin, sturdy, and light enough to carry everywhere without thinking about it. Open the lid and the bright, sharp display makes documents, videos, and photos look clean and colorful. The keyboard is the kind you can type on for hours, and the large glass trackpad is smooth and precise for scrolling long articles or pinching in on spreadsheets. A 1080p camera and clear microphones keep you looking and sounding good on video calls, even in a room with average lighting. Performance is the quiet kind that shows up all day long. The M4 chip handles dozens of browser tabs, a streaming window, and a big set of notes at the same time without groaning. Apps open quickly, and switching between tasks feels as natural as a swipe. Battery life stretches well past a full day for most people, which means you can leave the charger in the bag and still make it through classes, a shift, or a flight. The everyday conveniences add up. MagSafe helps prevent accidents by snapping the power cord loose if someone trips. Two USB-C ports give you fast data and simple charging on either side, and Bluetooth pairs easily with earbuds for study sessions. AirDrop moves photos and files to your phone in seconds. Handoff lets you pick up an email on the laptop right where you left it on a phone. iCloud keeps notes and documents synced quietly in the background, so the latest draft is always ready. If your current computer drags through simple tasks or runs hot on your lap, this model brings back the calm. It is quick when you need it, quiet when you do not, and light enough to carry every day. The Apple 2025 MacBook Air 13-inch Laptop with M4 chip is still available for $800 at Amazon, a welcome drop from the regular $1,000 price. See at Amazon
TechCrunch
a minute ago
- TechCrunch
Trump says Intel CEO Lip-Bu Tan must ‘resign immediately'
Amidst heightening tensions with China, U.S. President Donald Trump on Thursday insisted that Intel's CEO, Lip-Bu Tan, must step down, accusing Tan of harboring conflicts of interest. 'The CEO of INTEL is highly CONFLICTED and must resign, immediately. There is no other solution to this problem. Thank you for your attention to this problem!' Trump wrote on his social media platform, Truth Social. Trump did not share any evidence or details of why Tan may have conflicts of interest. Trump's post comes after Republican Senator Tom Cotton on Wednesday wrote to Intel's board of directors, asking about Tan's alleged ties to China, his investments in the country, and raised concerns about his time leading Cadence Design Systems, which had a Chinese military university as a customer. Tan, who took over the helm in March, has been focusing on improving efficiency at the chipmaker, which has lost ground to companies like Nvidia and AMD in the AI chip race. Tan has since laid off thousands of staff, spiked plans for new manufacturing plants, and is trying to sell non-core subsidiaries as he tries to return the company to being an engineering-first venture. Notably, Intel was a major part of the Biden administration's CHIPS Act, promised almost $8 billion to set up manufacturing and packaging projects in facilities across Arizona, New Mexico, Ohio, and Oregon. Intel did not immediately return a request for comment.
New York Times
2 minutes ago
- New York Times
Markets Rise, Taking Steeper Tariffs in Stride
Stock markets around the world rose on Thursday, appearing to shrug off the start of steeper U.S. tariffs on dozens of countries. Major indexes in Asia and Europe posted gains. Futures on the S&P 500, which allow investors to bet on the index before the official start of trading in the U.S. climbed 0.6 percent. The premarket rise in the S&P 500 on Thursday came after President Trump offered some exemptions from his proposed tariffs on chip imports to companies that make their products in the U.S. Potential peace talks between Russia and the U.S. also buoyed market sentiment on Thursday. Apple, which because of its size has a big impact on the overall performance of the S&P 500, rose roughly 3 percent, adding to a gain of 5 percent on Wednesday after the company announced a large investment in domestic manufacturing. Shares in TSMC and Samsung, which also have large U.S. manufacturing hubs, also rose. Many investors have come to see potential periods of market volatility — like the tariff rollout — as a buying opportunity, expecting the administration to adjust its policy position to soothe the market. When tariffs were first announced in April, they prompted a sharp sell-off across stocks and bonds before the administration stepped back from its plans. 'After a four-month delay, President Trump's 'Liberation Day' tariffs have been put into effect,' analysts at TD Securities noted, adding that 'while the temptation now is to adjust to the new tariff order and move on, it's not clear that things will be static for long.'
