Sneaky Extensions: The MV3 Escape Artists
Ever since the pandemic and the rising popularity of work-from-home and hybrid models, there has been an increase in the usage of browsers, particularly video conferencing and collaboration applications. While some extensions enhance the user experience, some can gravely affect users’ privacy and security.
Over the past few years, extensions have gained recognition for nefarious activities, from simple color picker extensions to productivity-first AI extensions. And now more than ever, attackers are leveraging malicious extensions to steal user data, promote ads, affiliate marketing, and more. Realizing the abuse, Google pivoted from the MV2 model to the latest MV3, providing better security and locking down the extension from running rampant.
While some security measures have been introduced in MV3, it is far from safe. In this talk, we will be demonstrating a suite of attacks, while requiring the least amount of permissions, which 95% of extensions on the Chrome store have. We will showcase stealth stealing of webcam feed, audio streams, clipboard data, and stealing credentials from other extensions like password managers.
MV3 also introduced security measures to block the usage of functions like eval and new Function that allowed arbitrary code execution. We’ll showcase how an extension can still do arbitrary code execution effectively bypassing the MV3 restrictions.
We will also be demonstrating how malicious extensions can interfere with other extensions and steal sensitive information such as Credit card, passwords, OTP, etc, from other extensions.
In this talk, we will also propose changes to the extension security model to prevent the lurking loopholes.
Jeswin Mathai
Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company’s infrastructure. Before joining SquareX, he was part of Pentester Academy (acquired by INE) where he was responsible for managing the whole lab platform that was used by thousands of customers from government agencies, Fortune 500 companies, and enterprises from over 140+ countries. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEFCON China, RootCon, Blackhat Arsenal, and Demo Labs at DEFCON. He has also imparted his knowledge globally, training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. Jeswin is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit. He holds a Bachelor’s degree from IIIT Bhubaneswar, where he led the InfoSec Society. In association with CDAC and ISEA, he spearheaded security audits of government portals and orchestrated cybersecurity workshops for government officials. Jeswin’s professional interests are focused on advancing the fields of Cloud Security, Container Security, and Browser Security. Past Open Source Projects: https://github.com/ine-labs/AWSGoat, https://github.com/ine-labs/AzureGoat, https://github.com/pentesteracademy/patoolkit