Browser DevTools' gaps leave millions exposed to threats

Techday NZ, 7 days ago
SquareX has highlighted architectural limitations in browser developer tools that hinder the effective debugging and analysis of potentially malicious browser extensions.
According to researchers at SquareX, browser extensions have become ubiquitous tools in both enterprise and consumer environments. However, organisations often rely on trust signals provided by browser extension stores, such as "Verified" or "Chrome Featured" badges, which may not provide genuine assurances about security. The Geco Colourpick case, where 18 malicious extensions distributed spyware to approximately 2.3 million users despite carrying verified statuses, was cited as an example.
SquareX security research has identified a key technological issue that complicates extension analysis. Nishant Sharma, Head of Security Research at SquareX, commented: "Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension's security posture at runtime. This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have 'superpowers' that allow them to easily bypass detection via rudimentary Browser DevTool telemetry."
Sharma added, "In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections."
Background to browser DevTools
The current generation of browser developer tools originated in the late 2000s. At that time, they were intended to assist developers and users in debugging websites and inspecting web page elements. Since then, browser extensions have evolved to offer unique capabilities, such as the ability to modify web pages, take screenshots, and inject scripts across multiple sites. These advanced functions cannot be readily tracked or attributed using today's DevTools.
For example, SquareX notes that when an extension injects a script into a page to execute a network request, existing DevTools cannot determine whether the request originated from the web page itself or from the extension. This lack of distinction makes the detection of malicious behaviour more difficult.
Proposed approach
To address these limitations, SquareX researchers have proposed an alternative framework. Detailed in a recent technical blog, the suggested approach combines a modified browser with AI-driven agents. The modified browser would be engineered to expose telemetry critical to understanding the behaviour of extensions. Meanwhile, the Browser AI Agent would simulate different user profiles to trigger various extension actions during runtime. This enables security teams to perform dynamic analysis and uncover behaviours only activated under certain user actions, timed events, or specific device environments.
This method is termed the Extension Monitoring Sandbox. According to SquareX, the necessary browser modifications and AI-driven simulation strategies outlined in their research are capable of uncovering "hidden" extension activities that would otherwise remain undetected by traditional developer tools.
Enterprise risk
SquareX suggests that this architectural gap in browser DevTools has contributed to millions of users being exposed to threats. As browser extensions play an increasingly important role in enterprise operations, the company is urging security teams to go beyond reliance on labels or store badges when assessing risk. In SquareX's view, the revelation of Browser DevTools' architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, the company argues it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security, and for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.
Audit offering
SquareX is offering a complimentary enterprise-wide extension audit for organisations. The audit leverages all three components of the SquareX Extension Analysis Framework - metadata analysis, static code analysis, and dynamic analysis using the Extension Monitoring Sandbox. This process delivers a comprehensive review of all browser extensions in use across an organisation and provides a risk score for each.
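The metadata and static analysis stages described above start from the extension's manifest, which declares the "superpowers" the article mentions (script injection across sites, tab access, cookie access). The following is an added example, not SquareX's framework or scoring model: it parses a Chrome extension manifest.json and produces a heuristic risk score from the declared permissions, host patterns and content scripts. The permission names and host-pattern strings are real Chrome manifest values; the weights, the score thresholds and the two sample manifests are constructed assumptions of this example.

```python
import json

# Heuristic weights for declared permissions (an assumption of this example,
# not SquareX's scoring). Higher means the capability is more useful to spyware.
PERMISSION_WEIGHTS = {
    "scripting": 3,        # chrome.scripting: inject JS/CSS into pages
    "tabs": 2,             # read tab URLs/titles; needed with host access for screenshots
    "webRequest": 3,       # observe requests made by pages
    "webRequestBlocking": 3,
    "cookies": 3,          # read session cookies for any granted host
    "history": 2,
    "clipboardRead": 2,
    "nativeMessaging": 3,  # talk to a native host process
    "debugger": 4,         # attach the Chrome DevTools protocol to tabs
    "activeTab": 1,        # limited, user-gesture-scoped page access
    "storage": 0,          # benign: extension-local storage
}

# Host patterns that grant access to every site.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def is_broad_match(pattern: str) -> bool:
    """True if a match pattern covers arbitrary origins."""
    return pattern in BROAD_HOST_PATTERNS


def analyze_manifest(manifest: dict) -> dict:
    """Score a parsed manifest and list the findings that contributed."""
    findings = []
    score = 0
    perms = manifest.get("permissions", [])

    for p in perms:
        weight = PERMISSION_WEIGHTS.get(p)
        if weight:
            findings.append(f"permission '{p}' (+{weight})")
            score += weight

    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    broad_hosts = [h for h in hosts if is_broad_match(h)]
    if broad_hosts:
        findings.append(f"broad host access {broad_hosts} (+4)")
        score += 4

    # Content scripts run automatically on matching pages; broad matches mean
    # the extension's code executes inside every site the user visits, which is
    # exactly the case where DevTools cannot attribute a request to the extension.
    for cs in manifest.get("content_scripts", []):
        if any(is_broad_match(m) for m in cs.get("matches", [])):
            findings.append(f"content script {cs.get('js')} runs on all sites (+3)")
            score += 3

    # Combination: scripting API plus broad hosts allows injecting code anywhere.
    if "scripting" in perms and broad_hosts:
        findings.append("scripting + broad host access: can inject into any site (+3)")
        score += 3

    level = "high" if score >= 10 else "medium" if score >= 5 else "low"
    return {"score": score, "level": level, "findings": findings}


def analyze_manifest_json(text: str) -> dict:
    """Convenience wrapper for raw manifest.json contents."""
    return analyze_manifest(json.loads(text))


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Colour Picker",
    "permissions": ["scripting", "tabs", "storage", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Notepad",
    "permissions": ["storage", "activeTab"],
})

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest_json(text)
        print(label, result["level"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Static scoring of this kind only ranks what an extension declares it may do; it says nothing about what the code does at runtime, which is the gap the article attributes to DevTools and the reason the dynamic analysis stage exists.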
The company cites reference material available through public security news sources regarding the prevalence and risk posed by malicious extensions. SquareX continues to promote the need for collaboration between browser vendors, security providers, and enterprises in addressing extension security challenges.