
Sneaky Extensions: The MV3 Escape Artists

DEF CON Conference · 1,011 views · 20:31 · over 1 year ago

This talk demonstrates how malicious browser extensions can bypass Manifest V3 (MV3) security controls to perform unauthorized actions, including remote code execution and data exfiltration. The researchers show how extensions can leverage their inherent privileges to intercept live video feeds, perform silent account hijacking, and interfere with password managers. The presentation highlights the limitations of current browser store security reviews and the risks posed by supply chain attacks on popular extensions.

How Malicious Browser Extensions Bypass Manifest V3 Security

TLDR: Despite the transition to Manifest V3, browser extensions remain a massive, under-monitored attack surface capable of remote code execution and data exfiltration. Researchers demonstrated how extensions can hijack live video feeds, manipulate password managers, and perform silent account takeovers by abusing inherent browser privileges. Security teams must treat installed extensions as high-risk assets rather than benign productivity tools.

Browser extensions are the ultimate "set it and forget it" security blind spot. We audit our cloud infrastructure, scan our codebases for OWASP Top 10 vulnerabilities, and lock down our CI/CD pipelines, yet we routinely grant third-party JavaScript full access to our browser sessions. The transition to Manifest V3 (MV3) was supposed to mitigate these risks by restricting remote code execution and tightening the permission model. However, as demonstrated at DEF CON 32, these controls are far from a silver bullet.

The Illusion of MV3 Security

The core of the problem lies in the browser’s trust model. Once a user installs an extension, that code operates with a level of privilege that effectively sits above the web page. While MV3 forces developers to move away from eval() and remote script loading, the underlying architecture still allows extensions to inject content scripts into almost any page.

If an extension has the all_urls permission, it can modify the DOM, intercept network requests, and interact with the page's JavaScript context. The researchers showed that even with MV3, an extension can use chrome.scripting.executeScript to run arbitrary logic within the context of a host page. Because the browser treats the extension as a trusted entity, it does not flag these actions as malicious, even when they are clearly performing unauthorized data exfiltration.

Mechanical Exploitation: Beyond the Manifest

The most alarming part of this research is how easily an extension can perform complex, multi-step attacks that mimic legitimate user behavior. Consider the "silent account hijacking" demo. An attacker doesn't need to exploit a complex server-side vulnerability. Instead, they use the extension to:

  1. Inject a content script into a target site like GitHub.
  2. Parse the DOM to extract user information or check for existing sessions.
  3. Open a hidden tab to a sensitive page, such as the repository settings.
  4. Submit a form to add a new collaborator, effectively granting the attacker persistent access.

This is essentially browser-based automation, similar to what you might build with Selenium, but running silently in the background of the victim's browser. The extension doesn't need to ask for new permissions at runtime because it already has the necessary access to the host page.

The following snippet illustrates how an extension can manipulate a page's location, a simple but effective technique for redirecting users to a phishing page:

// Simple redirect payload
if (window.location.hostname === 'github.com') {
    window.location.href = 'https://attacker-controlled-site.com';
}

The Password Manager Interference

Password managers are often the last line of defense, but they are not immune to extension-based interference. By injecting a content script, a malicious extension can intercept the click event on a password manager's icon. Instead of triggering the legitimate autofill, the extension redirects the user to a pixel-perfect clone of the login page.

Because the user is already conditioned to trust the browser's UI, they rarely check the URL bar. Once the user enters their credentials into the fake form, the extension captures the data and sends it to an external server. This is a classic T1555 (credentials from web browsers) attack, but it is executed entirely within the browser's memory space, leaving no trace in traditional network logs.

Real-World Impact for Pentesters

During a red team engagement, browser extensions are an overlooked vector for lateral movement. If you can compromise a developer's machine, you don't necessarily need to dump their memory for cleartext credentials. You can simply install a malicious extension that monitors their browser activity.

The impact is significant. You gain access to their authenticated sessions, their internal tools, and their cloud consoles. You are effectively operating as the user, with all their permissions and access rights. This bypasses MFA, as the session is already established.

Defensive Strategies

Defending against this requires a shift in how we view browser security. We cannot rely on the Chrome Web Store's automated reviews, which are notoriously basic.

  1. Restrict Extension Installation: Use Group Policy or MDM to enforce an allow-list of extensions. If an extension isn't business-critical, it shouldn't be installed.
  2. Monitor Permissions: Regularly audit the permissions requested by installed extensions. If a simple "color picker" extension is asking for all_urls access, it is a red flag.
  3. Endpoint Detection: Use EDR tools to monitor for suspicious browser process behavior, such as unexpected network connections originating from the browser process that don't align with the user's activity.
  4. User Education: Teach users to be skeptical of "free" tools that promise premium features. If it sounds too good to be true, it is likely a data-harvesting operation.
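One way to put items 1 and 2 into practice, as an added example that is not code from the talk or its authors: the script walks Chrome's Extensions/<id>/<version>/manifest.json layout, flags broad host patterns, powerful APIs and non-MV3 manifests, and reports any extension ID that is not on an allow-list. The extension IDs, names, manifests and the allow-list are constructed sample values; the on-disk path is assumed to be the profile's Extensions directory.

```python
import json
import tempfile
from pathlib import Path

# APIs that let an extension run code in, or alter traffic of, arbitrary pages.
RISKY_APIS = {"scripting", "webRequest", "declarativeNetRequest", "cookies", "debugger", "tabs"}
# Host patterns equivalent to "every site the user visits".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def risk_findings(manifest):
    """Return a list of findings for one parsed manifest.json (empty = nothing notable)."""
    findings = []
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))  # declarative injection targets count too
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    apis = set(manifest.get("permissions", [])) & RISKY_APIS
    if apis:
        findings.append("powerful APIs: " + ", ".join(sorted(apis)))
    if manifest.get("manifest_version") != 3:
        findings.append("not Manifest V3")
    return findings

def audit_profile(extensions_dir, allowlist):
    """Walk <extensions_dir>/<id>/<version>/manifest.json and report every extension
    that is off the allow-list or has risky findings, keyed by extension ID."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        findings = risk_findings(json.loads(manifest_path.read_text(encoding="utf-8")))
        if ext_id not in allowlist:
            findings.insert(0, "not on the allow-list")
        if findings:
            report[ext_id] = findings
    return report

def demo():
    """Constructed sample profile: one allow-listed notes extension and one 'color picker'
    that asks for every site plus chrome.scripting. Returns the audit report."""
    colour_picker = {"manifest_version": 3, "name": "Color Picker", "version": "1.0",
                     "permissions": ["scripting", "storage"], "host_permissions": ["<all_urls>"]}
    notes = {"manifest_version": 3, "name": "Notes", "version": "2.1", "permissions": ["storage"]}
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in (("aaaa" * 8, notes), ("bbbb" * 8, colour_picker)):
            path = Path(tmp, ext_id, manifest["version"])
            path.mkdir(parents=True)
            (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(tmp, allowlist={"aaaa" * 8})

if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id, "->", "; ".join(findings))
```

Point audit_profile at a real profile (for example ~/.config/google-chrome/Default/Extensions on Linux) and feed it the IDs your Group Policy or MDM allow-list permits.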

The browser is the most important application on the modern workstation. It is time we started treating it with the same level of scrutiny we apply to our servers. If you are interested in the full technical breakdown and the PoC code, the researchers have made their findings available at sqrx.com. Stop assuming your browser is a safe environment and start auditing what you allow to run inside it.

Talk Type: research presentation
Difficulty: advanced
Category: web security
Tags: Has Demo · Has Code · Tool Released


DEF CON 32 (260 talks · 2024)