SquareX reveals a new attack technique where malicious browser extensions can completely hijack both the browser and a user's device. Researchers demonstrated that browsing permissions, often granted carelessly by users for common tools, can be exploited. The attack allows attackers to escalate privileges with minimal interaction and can start from a seemingly harmless extension. Current submission processes for extensions on the Chrome Store may not effectively prevent these vulnerabilities, making every extension a potential threat.
Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom.
To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.
The attack begins with an employee installing any browser extension. To get there, an attacker could publish an extension that masquerades as an AI tool or take over an existing popular extension.
Researchers debunked the belief that extensions couldn't gain full control of the browser, showing attackers can escalate privileges for a total browser and device takeover.