DEV Community

Willyam simbolon

Security Update on Google Chrome Extensions

In November 2024, a report on Google Chrome extensions indicated that the Manifest V3 update, intended to boost security, has yet to fully protect users from data theft and malware. Google introduced Manifest V3 to limit extensions' access to sensitive data and block harmful scripts, but it appears that V3 has not been entirely effective in countering these security threats. Malicious actors continue to exploit Chrome extensions, as many users install extensions without scrutinizing permissions or verifying sources.

Despite the improvements V3 offers, some harmful extensions bypass the security restrictions, accessing private user data or distributing malware. This ongoing issue underscores the difficulty Google faces in balancing functional freedom for developers with robust security protections for users. For developers, responsible coding practices and security measures within extension code are increasingly essential. At the same time, users must stay vigilant about permissions granted to extensions, reducing risks associated with data exposure and malware.

However, recent research underscores ongoing vulnerabilities. For example, a study by SquareX reveals that despite MV3's security-oriented improvements, malicious extensions can still bypass restrictions, enabling harmful actions such as phishing, unauthorized video stream access, and private data theft. Many security tools, including Endpoint Detection and Response (EDR) and Secure Web Gateways (SWG), struggle to detect such activities, leaving enterprises particularly vulnerable.

Further research is exploring dynamic analysis and machine learning-based policies as solutions. These allow admins to assess Chrome extensions based on permissions, ratings, and update history, potentially blocking malicious actions in real-time. Researchers emphasize that while Manifest V3 improves on privacy compared to its predecessor, more comprehensive policy enforcement and real-time monitoring are necessary to effectively secure users against sophisticated threats.

Moving forward, solutions that involve machine learning and dynamic policy enforcement are being explored. These could empower users and administrators with the ability to monitor, approve, or block extensions based on risk factors like permission scope and update history. The findings emphasize that while Manifest V3 is a step in the right direction, the evolving complexity of browser-based threats calls for ongoing, robust advancements in Chrome's security framework.
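
The permission-, rating- and update-history-based assessment described above can be sketched as a small scorer over an extension's `manifest.json`. This is an added example, not code from the article or from the research it cites; the weights, thresholds and the `meta` fields (`rating`, `previousPermissions`) are assumptions chosen for illustration.

```javascript
// Added example. Weights, thresholds and the `meta` fields are illustrative
// assumptions, not values from Google, SquareX or the article.
const SENSITIVE = new Map([
  ["debugger", 5], ["nativeMessaging", 4], ["cookies", 4],
  ["tabCapture", 4], ["desktopCapture", 4], ["webRequest", 3],
  ["scripting", 3], ["history", 3], ["clipboardRead", 3], ["tabs", 2],
]);
// Match patterns that grant access to every site.
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

function assessExtension(manifest, meta = {}) {
  const findings = [];
  let score = 0;
  const add = (points, reason) => { score += points; findings.push(reason); };

  if (manifest.manifest_version !== 3) add(3, "not Manifest V3");

  // Permission scope: API permissions declared up front or requestable later.
  const perms = new Set([...(manifest.permissions || []),
                         ...(manifest.optional_permissions || [])]);
  for (const p of perms) {
    if (SENSITIVE.has(p)) add(SENSITIVE.get(p), `sensitive permission: ${p}`);
  }

  // Host scope: explicit host permissions plus content-script injection targets.
  const hosts = [...(manifest.host_permissions || []),
                 ...(manifest.content_scripts || []).flatMap((c) => c.matches || [])];
  if (hosts.some((h) => BROAD_HOST.test(h))) add(4, "access to all sites");

  // Update history: sensitive permissions that the previous version lacked.
  if (Array.isArray(meta.previousPermissions)) {
    const old = new Set(meta.previousPermissions);
    const added = [...perms].filter((p) => SENSITIVE.has(p) && !old.has(p));
    if (added.length) add(2, `added since last version: ${added.join(", ")}`);
  }
  if (typeof meta.rating === "number" && meta.rating < 3.5) add(2, "low store rating");

  const verdict = score >= 8 ? "block" : score >= 4 ? "review" : "allow";
  return { score, verdict, findings };
}

// Constructed sample manifests (not real extensions).
const RISKY = { manifest_version: 3, permissions: ["cookies", "tabCapture", "scripting"],
                host_permissions: ["<all_urls>"] };
const BENIGN = { manifest_version: 3, permissions: ["storage", "activeTab"],
                 host_permissions: ["https://example.com/*"] };

console.log(assessExtension(RISKY, { rating: 2.9, previousPermissions: ["scripting"] }));
console.log(assessExtension(BENIGN, { rating: 4.6 }));
```

A static score like this only covers what the manifest and store metadata declare; it does not observe what the extension does at runtime, which is why the research above also points to dynamic analysis.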
