
SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions
Despite the expanding use of browser extensions, most enterprises and individuals still rely on labels such as "Verified" and "Chrome Featured" provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security: Koi Research[1] disclosed 18 malicious extensions that distributed spyware to 2.3M users, most of them bearing the well-trusted "Verified" status.
SquareX researchers disclosed the technological reason behind this vulnerability: an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.
"Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime," says Nishant Sharma, Head of Security Research at SquareX. "This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have 'superpowers' that allow them to easily bypass detection via rudimentary Browser DevTool telemetry."
In other words, even if browser vendors were not inundated by the sheer volume of extension submissions, the architectural limitations of today's Browser DevTools would still allow numerous malicious extensions to pass DevTool-based security inspections.
Browser DevTools were introduced in the late 2000s, long before extensions were widely adopted. They were built to help users and web developers debug websites and inspect web page elements. Browser extensions, however, have unique capabilities, among them modifying web pages, taking screenshots and injecting scripts into multiple pages, that Browser DevTools cannot easily monitor or attribute. For example, an extension may make a network request through a web page by injecting a script into it. In Browser DevTools, there is then no way to distinguish network requests made by the web page itself from those made by the extension.
In the technical blog, SquareX's researchers propose a novel approach that combines a modified browser with Browser AI Agents to plug this gap. The modified browser exposes the telemetry needed to understand an extension's true behavior, while the Browser AI Agent simulates different user personas to provoke a range of extension behaviors at runtime for monitoring and security analysis. This allows not only dynamic analysis of the extension but also the discovery of "hidden" behaviors that are triggered only by time, a specific user action or a particular device environment. The approach, named the Extension Monitoring Sandbox, is detailed in the research together with the modifications the browser requires.
The disclosure of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, enterprises must move from superficial labels to solutions specifically designed for extension security, and browser vendors, enterprises and security vendors must work closely together to tackle what has become one of the fastest-emerging threat vectors.
This August, SquareX is offering a free enterprise-wide extension audit. The audit covers all extensions installed across the organization, using all three components of the SquareX Extension Analysis Framework (metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox), and provides a full picture of the organization's extension risk exposure together with a risk score for each extension.
About SquareX
SquareX's browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more.
Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.
Contact: Junice Liew, Head of PR
Related Articles
Yahoo (2 days ago): syndicated copy of the release above, datelined PALO ALTO, Calif., July 31, 2025 /PRNewswire/.

Forbes (4 days ago)
Google Chrome Warning—'Millions Of Users Have Data Stolen'
Be careful what you install. Google has issued an urgent warning for 2 billion Chrome users: a high-severity memory vulnerability could enable attackers to target users through the websites they visit. It has been fixed, and all users should update and restart now. CVE-2025-8292 is a critical fix, but there is a much more dangerous threat to Chrome users that is hidden from sight. So while all desktop users must ensure they move to version 138.0.7204.183/.184 of the browser, that alone is not enough to stay safe. The threat that should worry you more comes from extensions that may appear to be officially verified but have been designed or hijacked to attack your device. "Millions of users have their data stolen," SquareX's Vivek Ramachandran told me, as the extension-focused security team released its latest threat report. The alarming reality, he says, is that security tools do not have "visibility into the dynamic behavior of extensions at run time to protect users against the rising threat vector." The past few years, SquareX says, "have witnessed a surge in malicious browser extensions, including the Geco Colorpick, Cyberhaven and the Great Suspender. These malicious extensions exfiltrate data, steal session cookies, spread spyware and even hijack browser sessions of victims." This includes extensions that were dangerous from the get-go, but also "benign extensions that turned malicious — either due to a compromise or change in ownership — exploiting trusted extensions with a wide existing installed base." "Most enterprises still rely on extension store labels like 'Verified' and 'Chrome Featured' to determine its security," Ramachandran says. "This research showed that this approach is extremely flawed, as it turns out browser vendors and enterprises do not have sufficient tools to conduct extension analysis."
This latest extension warning from SquareX echoes prior reports on the hidden threats from extensions, now installed by most users without any of the checks and balances applied to the browser itself. In a world of increasing AI threats, including marauding browser AI agents, this is a huge risk. "The majority of extensions today are downloaded and installed from official stores like Chrome Store," SquareX says. But store badges "can be easily gamified by attackers with fake reviews and mass downloads. As a result, numerous Verified and Chrome Featured Extensions have been discovered as malicious, including the latest disclosure." Extensions are often given free rein on devices and can operate with a user's credentials, which is a gift to attackers. "It is important to first understand the 'superpowers' unique to browser extensions," SquareX warns, including:

All told, while updating and restarting Chrome is critical, it could very well be that the real threat to your browser and the data it accesses is hidden from view and constantly working against you. You really do need to be careful what you install.


Business Insider (4 days ago): syndicated copy of the release above, datelined Palo Alto, California, July 29th, 2025, CyberNewsWire.