- Labels like “verified” give a false sense of security but do not reflect real extension behavior
- Browser DevTools were never meant to track how extensions behave across tabs and over time
- Malicious extensions often act normally until specific triggers activate their hidden behavior
The unchecked spread of malicious browser extensions continues to expose users to spyware and other threats, largely because of deep flaws in the way the software handles extension security.
New research from SquareX claims that many people still rely on superficial trust markers such as “Verified” or “Chrome Featured”, which have failed to prevent widespread compromise.
These markers, although intended to reassure users, often offer little insight into an extension's actual behavior.
The labels offer little protection against dynamic threats
A central issue lies in the limitations of browser DevTools, which were designed in the late 2000s for debugging web pages.
These tools were never meant to inspect the far more complex behavior of modern browser extensions, which can run scripts, take screenshots and operate across tabs, actions that existing DevTools struggle to trace or attribute.
This creates an environment where malicious behavior can remain hidden, even while extensions collect data or manipulate web content.
The failure of DevTools lies in their inability to provide telemetry that isolates extension behavior from standard web activity.
For example, when an extension injects a script into a web page, DevTools has no way to distinguish it from the page's native functions.
The Geco Colorpick incident shows how trust indicators can fail catastrophically: according to findings from Koi Research, 18 malicious extensions were able to distribute spyware to 2.3 million users despite carrying the highly visible “verified” label.
To address this problem, SquareX has proposed a new framework involving a modified browser and what it calls browser AI agents.
This combination is designed to simulate varied user behaviors and conditions, drawing out hidden or delayed responses from extensions.
The approach is part of what SquareX terms the Extension Monitoring Sandbox, a setup that enables dynamic analysis based on real-time activity rather than static code inspection.
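The following is an added example, not SquareX's code or its sandbox: it shows the differential idea behind this kind of dynamic analysis by comparing constructed telemetry from several simulated runs against a baseline run and reporting extension actions that appear only under certain conditions. The event format, extension IDs, hosts and condition names are assumptions, and the telemetry is assumed to be already attributed per extension.

```javascript
// Constructed sandbox telemetry (not real data): one entry per simulated run,
// with the conditions the agent set up and the actions attributed to each extension.
const runs = [
  { conditions: { daysInstalled: 0, site: "news" }, events: [
    { ext: "ext-a", action: "api:storage.local.get" },
    { ext: "ext-b", action: "api:storage.local.get" } ] },
  { conditions: { daysInstalled: 0, site: "banking" }, events: [
    { ext: "ext-a", action: "api:storage.local.get" },
    { ext: "ext-b", action: "api:storage.local.get" } ] },
  { conditions: { daysInstalled: 7, site: "news" }, events: [
    { ext: "ext-a", action: "api:storage.local.get" },
    { ext: "ext-a", action: "net:GET config.example" },
    { ext: "ext-b", action: "api:storage.local.get" } ] },
  { conditions: { daysInstalled: 7, site: "banking" }, events: [
    { ext: "ext-a", action: "api:storage.local.get" },
    { ext: "ext-a", action: "net:GET config.example" },
    { ext: "ext-a", action: "api:tabs.captureVisibleTab" },
    { ext: "ext-a", action: "net:POST collector.example" },
    { ext: "ext-b", action: "api:storage.local.get" } ] },
];

// Report every (extension, action) pair absent from the baseline run, with the
// condition values shared by all runs in which it appeared (its apparent trigger).
function findTriggeredBehavior(runs, baselineIndex = 0) {
  const key = (e) => `${e.ext}|${e.action}`;
  const baseline = new Set(runs[baselineIndex].events.map(key));
  const seenIn = new Map(); // "ext|action" -> conditions of each run showing it
  for (const run of runs) {
    for (const e of run.events) {
      if (baseline.has(key(e))) continue;
      if (!seenIn.has(key(e))) seenIn.set(key(e), []);
      seenIn.get(key(e)).push(run.conditions);
    }
  }
  const findings = [];
  for (const [k, conds] of seenIn) {
    const [ext, action] = k.split("|");
    const trigger = {};
    for (const [name, value] of Object.entries(conds[0])) {
      if (conds.every((c) => c[name] === value)) trigger[name] = value;
    }
    findings.push({ ext, action, trigger });
  }
  return findings;
}

console.log(JSON.stringify(findTriggeredBehavior(runs), null, 2));
```

A single observation at install time (the baseline run) shows both extensions behaving identically; only the comparison across conditions separates them.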
Currently, many organizations continue to rely on free antivirus tools or built-in browser protections that cannot keep up with the evolving threat landscape.
The gap between perceived and actual security leaves both individuals and companies vulnerable.
The long-term impact of this initiative remains to be seen, but it reflects growing recognition that browser-based threats require more than superficial safeguards.




