DEV Community

Willyam simbolon

Security Update on Google Chrome Extensions

In November 2024, a report on Google Chrome extensions indicated that the Manifest V3 update, intended to boost security, has yet to fully protect users from data theft and malware. Google introduced Manifest V3 to limit extensions' access to sensitive data and block harmful scripts, but it appears that V3 has not been entirely effective in countering these security threats. Malicious actors continue to exploit Chrome extensions, as many users install extensions without scrutinizing permissions or verifying sources.

Despite the improvements V3 offers, some harmful extensions bypass the security restrictions, accessing private user data or distributing malware. This ongoing issue underscores the difficulty Google faces in balancing functional freedom for developers with robust security protections for users. For developers, responsible coding practices and security measures within extension code are increasingly essential. At the same time, users must stay vigilant about permissions granted to extensions, reducing risks associated with data exposure and malware.

However, recent research underscores ongoing vulnerabilities. For example, a study by SquareX reveals that despite MV3's security-oriented improvements, malicious extensions can still bypass restrictions, enabling harmful actions such as phishing, unauthorized video stream access, and private data theft. Many security tools, including Endpoint Detection and Response (EDR) and Secure Web Gateways (SWG), struggle to detect such activities, leaving enterprises particularly vulnerable.

Further research is exploring dynamic analysis and machine learning-based policies as solutions. These allow admins to assess Chrome extensions based on permissions, ratings, and update history, potentially blocking malicious actions in real time. Researchers emphasize that while Manifest V3 improves on privacy compared to its predecessor, more comprehensive policy enforcement and real-time monitoring are necessary to effectively secure users against sophisticated threats.

Moving forward, solutions that involve machine learning and dynamic policy enforcement are being explored. These could empower users and administrators with the ability to monitor, approve, or block extensions based on risk factors like permission scope and update history. The findings emphasize that while Manifest V3 is a step in the right direction, the evolving complexity of browser-based threats calls for ongoing, robust advancements in Chrome's security framework.
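As an added illustration of the permission-scope part of such a policy (example code written for this page, not from the SquareX study or from Chrome), the sketch below scores a parsed `manifest.json` and returns an allow, review, or block verdict. The weights, thresholds, function names, and sample manifests are assumptions constructed for the example; ratings and update history are not covered.

```python
# Weights and thresholds are assumptions for this example, not Chrome policy values.
SENSITIVE_APIS = {
    "debugger": 5, "nativeMessaging": 4, "cookies": 4, "webRequest": 3,
    "scripting": 3, "tabCapture": 3, "desktopCapture": 3, "history": 3,
    "clipboardRead": 2, "tabs": 2,
}
PAGE_ACCESS_APIS = {"scripting", "cookies", "webRequest"}


def is_broad_host(pattern):
    """True for match patterns covering every host, e.g. <all_urls> or *://*/*."""
    _scheme, sep, rest = pattern.partition("://")
    return pattern == "<all_urls>" or (bool(sep) and rest.split("/", 1)[0] == "*")


def assess_manifest(manifest):
    """Return score, verdict and findings for one parsed manifest.json."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = (manifest.get("host_permissions", [])
             + manifest.get("optional_host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    # Manifest V2 listed host patterns inside "permissions".
    hosts += [p for p in declared if "://" in p or p == "<all_urls>"]
    apis = sorted({p for p in declared if p in SENSITIVE_APIS})
    broad = sorted({h for h in hosts if is_broad_host(h)})
    score = sum(SENSITIVE_APIS[a] for a in apis) + 4 * len(broad)
    findings = [f"sensitive API: {a}" for a in apis]
    findings += [f"all-sites host pattern: {h}" for h in broad]
    if broad and PAGE_ACCESS_APIS & set(apis):
        score += 3
        findings.append("page-access API combined with all-sites host access")
    if manifest.get("manifest_version") != 3:
        score += 3
        findings.append("not Manifest V3")
    verdict = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return {"name": manifest.get("name"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed sample manifests (not real extensions).
LOW = {"manifest_version": 3, "name": "Sample Notes",
       "permissions": ["storage", "activeTab"]}
HIGH = {"manifest_version": 3, "name": "Sample Helper",
        "permissions": ["tabs", "cookies", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}

if __name__ == "__main__":
    for m in (LOW, HIGH):
        print(assess_manifest(m))
```

A manifest-only score is a triage signal for an allowlist review; it does not observe what the extension does at runtime.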
