Abstract

Ever since the pandemic and the rising popularity of work-from-home and hybrid models, there has been an increase in the usage of browsers, particularly video conferencing and collaboration applications. While some extensions enhance the user experience, some can gravely affect users’ privacy and security.

Over the past few years, extensions have gained recognition for nefarious activities, from simple color picker extensions to productivity-first AI extensions. And now more than ever, attackers are leveraging malicious extensions to steal user data, promote ads, affiliate marketing, and more. Realizing the abuse, Google pivoted from the MV2 model to the latest MV3, providing better security and locking down the extension from running rampant. While some security measures have been introduced in MV3, it is far from safe. In this talk, we will be demonstrating a suite of attacks, while requiring the least amount of permissions, which 95% of extensions on the Chrome store have. We will showcase stealth stealing of webcam feed, audio streams, clipboard data, and stealing credentials from other extensions like password managers.

MV3 also introduced security measures to block the usage of functions like eval and new Function that allowed arbitrary code execution. We’ll showcase how an extension can still do arbitrary code execution effectively bypassing the MV3 restrictions.

In this talk, we will also propose changes to the extension security model to prevent the lurking loopholes. We will also be demonstrating how malicious extensions can interfere with other extensions and steal sensitive information such as Credit card, passwords, OTP, etc, from other extensions.