Latest news with #DevTools


Techday NZ
29-07-2025
- Techday NZ
Browser DevTools' gaps leave millions exposed to threats
SquareX has highlighted architectural limitations in browser developer tools that hinder the effective debugging and analysis of potentially malicious browser extensions.

According to researchers at SquareX, browser extensions have become ubiquitous tools in both enterprise and consumer environments. However, organisations often rely on trust signals provided by browser extension stores, such as "Verified" or "Chrome Featured" badges, which may not provide genuine assurances about security. The Geco Colourpick case, where 18 malicious extensions distributed spyware to approximately 2.3 million users despite carrying verified statuses, was cited as an example.

SquareX security research has identified a key technological issue that complicates extension analysis. Nishant Sharma, Head of Security Research at SquareX, commented: "Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime. This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have 'superpowers' that allow them to easily bypass detection via rudimentary Browser DevTool telemetry."

Sharma added, "In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections."

Background to browser DevTools

The current generation of browser developer tools originated in the late 2000s. At that time, they were intended to assist developers and users in debugging websites and inspecting web page elements. Since then, browser extensions have evolved to offer unique capabilities, such as the ability to modify web pages, take screenshots, and inject scripts across multiple sites.

These advanced functions cannot be readily tracked or attributed using today's DevTools. For example, SquareX notes that when an extension injects a script into a page to execute a network request, existing DevTools cannot determine whether the request originated from the web page itself or from the extension. This lack of distinction makes the detection of malicious behaviour more difficult.

Proposed approach

To address these limitations, SquareX researchers have proposed an alternative framework. Detailed in a recent technical blog, the suggested approach combines a modified browser with AI-driven agents. The modified browser would be engineered to expose telemetry critical to understanding the behaviour of extensions. Meanwhile, the Browser AI Agent would simulate different user profiles to trigger various extension actions during runtime. This enables security teams to perform dynamic analysis and uncover behaviours only activated under certain user actions, timed events, or specific device environments.

This method is termed the Extension Monitoring Sandbox. According to SquareX, the necessary browser modifications and AI-driven simulation strategies outlined in their research are capable of uncovering "hidden" extension activities that would otherwise remain undetected by traditional developer tools.

Enterprise risk

SquareX suggests that this architectural gap in browser DevTools has contributed to millions of users being exposed to threats. As browser extensions play an increasingly important role in enterprise operations, the company is urging security teams to go beyond reliance on labels or store badges when assessing risk.

The revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.

Audit offering

SquareX is offering a complimentary enterprise-wide extension audit for organisations. The audit leverages all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis, and dynamic analysis using the Extension Monitoring Sandbox. This process delivers a comprehensive review of all browser extensions in use across an organisation and provides a risk score for each.

The company cites reference material available through public security news sources regarding the prevalence and risk posed by malicious extensions. SquareX continues to promote the need for collaboration between browser vendors, security providers, and enterprises in addressing extension security challenges.


Business Insider
29-07-2025
- Business Insider
SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions
Palo Alto, California, July 29th, 2025, CyberNewsWire

Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as 'Verified' and 'Chrome Featured' provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security - Koi Research[1] disclosed 18 malicious extensions that distributed spyware to 2.3M users, with most bearing the well-trusted "Verified" status.

SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.

'Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime,' says Nishant Sharma, Head of Security Research at SquareX. 'This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have 'superpowers' that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.'

In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool-based security inspections.

Browser DevTools were introduced in the late 2000s, long pre-dating widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots of and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools.

For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself from those made by an extension.

Detailed in the technical blog, SquareX's researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes the critical telemetry required to understand an extension's true behavior, while the Browser AI Agent simulates different user personas to elicit various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also the discovery of various 'hidden' extension behaviors that are only triggered by time, a certain user action or device environments. The research, which names this approach the Extension Monitoring Sandbox, details the modifications required for the modified browser.

The revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.

This August, SquareX is offering a free enterprise-wide extension audit. The audit covers all extensions installed across the organization, using all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox - and provides a full analysis of the organization's extension risk exposure and a risk score for each extension.

About SquareX

SquareX's browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.

Contact
Head of PR
Junice Liew


Arabian Post
24-06-2025
- Business
- Arabian Post
Avalonia Accelerate Backed by €3 Million Deal from Devolutions
Avalonia UI has secured a €3 million sponsorship deal with Devolutions, the provider of Remote Desktop Manager, to boost the development of the Avalonia Accelerate suite over the next three years. This partnership aims to accelerate improvements in documentation, tooling, and core functionality, benefiting the entire Avalonia community.

The alliance between Devolutions and Avalonia arrives as the latter seeks new means to sustain its open‑source framework while delivering advanced capabilities to professional developers. Introduced in April 2025, Avalonia Accelerate's Phase 1 features—such as a 3D DevTools viewer, native WebView integration, and a multimedia control—are key components of the strategic roadmap supported by this sponsorship.

Avalonia's leadership emphasises that Devolutions' funding will be directed into three core areas: speeding up development cycles, enriching developer documentation, and expanding tooling infrastructure. The approach aligns with Avalonia's business model of maintaining an open‑source core while offering optional commercial add‑ons like Accelerate and Enterprise Support that underpin long‑term sustainability.

Avalonia CEO Mike James, speaking in a recent interview, said this sponsorship 'secures a reliable funding bridge to enable our engineering teams to expand Accelerate capabilities without compromising the open‑source core.' The partnership, he added, aims to 'deliver rapid, measurable improvements in tooling and documentation that benefit all users.'

Independent observers note that this steady funding contrasts with Avalonia's earlier funding model, which relied heavily on enterprise support contracts, commercial licences for Avalonia XPF, and occasional donations. Previously, Avalonia faced financial strain despite a rise in usage and community engagement. By late 2024, enterprise support and custom development revenue represented over 30 percent of income, but lower‑tier indie support schemes accounted for less than 1 percent, prompting the project to adjust its revenue mix. The shift to optional commercial features under Accelerate—such as an improved XAML designer and hot‑reload—was designed to provide professional developers value while preserving free access to the core UI framework.

Under the agreement, Devolutions will help fund Accelerate Phase 2 and Phase 3, expected to introduce enhancements like advanced XAML tooling, performance optimisation, and improved cross‑platform support. While specific feature sets remain under development, early roadmap insights hint at capabilities aimed at mobile developers, teams focused on desktop engineering, and web‑embedded scenarios—adding value across sectors.

Technologists within the open‑source community note that the Avalonia Accelerate deal demonstrates a viable model for sustaining open‑source frameworks through commercial backing. 'Rather than fragmenting the ecosystem, this is injecting stability,' said one contributor. Long‑time Avalonia developer Nikita Tsukanov remarked, 'With three years of funding, we can plan multi‑phase improvements and dedicate resources to documentation and tooling—areas that were historically under-resourced.'

Critics of optional‑paid open‑source models warn of risks, citing examples where commercial forks led to fragmentation or slowed community contributions. However, Avalonia's governance ensures that all core features remain MIT‑licensed, and that Accelerate components are independently maintained as non‑open‑source additions. CEO Mike James emphasises that the sponsorship does not alter the free nature of Avalonia; paid tools are entirely optional and are intended to supplement, not supplant, the open‑source foundation.

Devolutions, an enterprise software vendor known for Remote Desktop Manager, selected Avalonia due to its role as a core technology in their cross‑platform strategy. Since adopting Avalonia for their UI lifecycles, Devolutions has contributed to its stability and performance. Sponsoring Accelerate reflects a move to deepen that integration, providing a reliable path for feature development aligned with Devolutions' internal roadmap.

Avalonia remains a widely used cross‑platform UI framework, adopted by organisations ranging from independent developers to firms like Unity, JetBrains, and Schneider Electric. The platform's high GitHub star count and vibrant community have been critical to its ascent, but sustaining complex tools—such as hot‑reload, advanced diagnostics, and rich multimedia—demands stable investment. By channeling sponsorship funds into developer‑centric improvements, the deal seeks to achieve a dual objective: retain and grow community adoption while delivering enterprise‑grade tooling. It enables Avalonia to plan longer‑term enhancements—like XAML designers and AOT compilation—while continuing to ship solid open‑source updates to its MIT‑licensed core.