Latest news with #browserextensions
Yahoo
31-07-2025
- Yahoo
SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions
PALO ALTO, Calif., July 31, 2025 /PRNewswire/ -- Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as "Verified" and "Chrome Featured" provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security - Koi Research[1] disclosed 18 malicious extensions that distributed spyware to 2.3M users, with most bearing the well-trusted "Verified" status. SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect. "Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime," says Nishant Sharma, Head of Security Research at SquareX, "This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have "superpowers" that allow them to easily bypass detection via rudimentary Browser DevTool telemetry." In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections. Browser DevTools were introduced in the late 2000s, long pre-dating the widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself and those by an extension. Detailed in the technical blog, SquareX's researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes critical telemetry required to understand an extension's true behavior, while the Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also discoveries of various "hidden" extension behaviors that are only triggered by time, a certain user action or device environments. Named the Extension Monitoring Sandbox, the research details the necessary modifications required for the modified browser. The revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors. This August, SquareX is offering a free enterprise-wide extension audit in August. The audit involves conducting an extensive audit of all extensions installed across the organization using all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox - providing a full analysis of the organization's extension risk exposure and a risk score for each extension. About SquareX SquareX's browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. More information available at: Reference [1] Contact Head of PRJunice LiewSquareXjunice@ Image - - View original content to download multimedia: SOURCE SquareX
Fox News
14-07-2025
- Fox News
Malicious browser extensions caught spying on 2 million users
Every day, millions of people install tiny browser add-ons they believe will improve productivity or entertainment. With so many options available on the Chrome Web Store, users often rely on trust markers like install counts, user reviews and developer reputation to make their choice. Many glance at shiny verification badges and five-star ratings, assume the vetting process was solid, and click "Install" without thinking twice. But attackers have started to exploit these very signals. Researchers recently uncovered a campaign where 18 browser extensions, all listed on the official Chrome and Edge Web Stores, tracked users' online activity. These extensions had already racked up more than 2 million installs. Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my Koi Security researchers discovered that attackers used long-term, strategic tactics to weaponize browser extensions. First, they released functional and legitimate utilities to gain user trust. Over time, these extensions collected positive reviews and built a solid reputation. Then, after months or even years of quiet operation, the attackers pushed a silent update that injected malicious scripts into the trusted codebase. Since these updates came directly from official sources, they easily bypassed corporate firewalls. Unlike phishing emails or shady downloads, the malicious code arrived through routine, automatic updates and raised no immediate red flags. As the investigation progressed, researchers traced suspicious traffic back to a seemingly harmless color picker extension. This led them to a cluster of connected domains, each acting as a command and control hub. These servers recorded every URL users visited and issued commands to force redirects to fake websites or ad-heavy landing pages. Next, the team analyzed the extension's code more closely and uncovered matching fingerprints in several unrelated tools. These included weather widgets, emoji keyboards, video speed controllers and volume boosters. Although they appeared different on the surface, they shared underlying code and behavior. Together, these extensions reached over two million installations. To avoid detection, the attackers used separate branding and categories for each one, making it difficult for marketplace monitors to spot patterns. Even more concerning, many of the extensions carried a verified badge, which shows how attackers manipulated automated review systems using malicious version updates. The first priority for affected users is immediate removal of the listed extensions, followed by thorough cache clearing and full system scans. Check your computer to see if you have any of these malicious extensions, and if you do, get rid of them. If you have any of the extensions linked to the RedDirection campaign installed, take these steps right away to protect your data and devices: 1) Check your accounts for unusual activity: If you accessed sensitive sites (like online banking) while the extension was active, review those accounts for suspicious behavior and change your passwords immediately. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse. Check out the best expert-reviewed password managers of 2025 at 2) Enable two-factor authentication (2FA): Add an extra layer of security to your accounts by turning on 2FA wherever it's supported. It can prevent unauthorized access even if your password is compromised. 3) Use strong antivirus software: Even though these malicious extensions come from official stores and update automatically, strong antivirus software can help detect suspicious activities such as hidden trackers, injected scripts or unauthorized redirects. Antivirus adds a crucial layer of protection by scanning for threats that browsers alone might miss, but it should be combined with safe browsing habits for best results. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at 4) Reset your browser settings: Restoring your browser to its default state can reverse unwanted changes to your homepage, search engine or other settings. 5) Watch for security alerts: Keep an eye on your email and texts for login warnings or access alerts from services you use. These can help you spot unauthorized activity early. 6) Use a browser with extension permission controls: Some browsers let you limit what data extensions can access (e.g., "only on click" or "only on specific sites"). This can reduce the risk of future attacks. Browser extensions can be helpful, but they also carry hidden risks. As this case shows, even trusted tools from official stores can turn malicious without warning. That is why it pays to stay alert, review your extensions regularly, and use strong antivirus protection. A few simple habits can go a long way in keeping your browser and your personal data safe. Do you rely on ratings and reviews when choosing extensions, or do you dig deeper? Let us know by writing us at Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my Copyright 2025 All rights reserved.
