SquareX has highlighted architectural limitations in browser developer tools that hinder the effective debugging and analysis of potentially malicious browser extensions.
According to researchers at SquareX, browser extensions have become ubiquitous tools in both enterprise and consumer environments. However, organisations often rely on trust signals provided by browser extension stores, such as “Verified” or “Chrome Featured” badges, which may not provide genuine assurances about security. The Geco Colourpick case, where 18 malicious extensions distributed spyware to approximately 2.3 million users despite carrying verified statuses, was cited as an example.
SquareX security research has identified a key technological issue that complicates extension analysis. Nishant Sharma, Head of Security Research at SquareX, commented: “Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension’s security posture at runtime. This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have ‘superpowers’ that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.”
Sharma added, “In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool-based security inspections.”
Background to browser DevTools
The current generation of browser developer tools originated in the late 2000s. At that time, they were intended to assist developers and users in debugging websites and inspecting web page elements. Since then, browser extensions have evolved to offer unique capabilities, such as the ability to modify web pages, take screenshots, and inject scripts across multiple sites. These advanced functions cannot be readily tracked or attributed using today’s DevTools.
For example, SquareX notes that when an extension injects a script into a page to execute a network request, existing DevTools cannot determine whether the request originated from the web page itself or from the extension. This lack of distinction makes the detection of malicious behaviour more difficult.
Proposed approach
To address these limitations, SquareX researchers have proposed an alternative framework. Detailed in a recent technical blog, the suggested approach combines a modified browser with AI-driven agents. The modified browser would be engineered to expose telemetry critical to understanding the behaviour of extensions. Meanwhile, the Browser AI Agent would simulate different user profiles to trigger various extension actions during runtime. This enables security teams to perform dynamic analysis and uncover behaviours only activated under certain user actions, timed events, or specific device environments.
This method is termed the Extension Monitoring Sandbox. According to SquareX, the necessary browser modifications and AI-driven simulation strategies outlined in their research are capable of uncovering “hidden” extension activities that would otherwise remain undetected by traditional developer tools.
Enterprise risk
SquareX suggests that this architectural gap in browser DevTools has contributed to millions of users being exposed to threats. As browser extensions play an increasingly important role in enterprise operations, the company is urging security teams to go beyond reliance on labels or store badges when assessing extension risk.
The revelation of Browser DevTools’ architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is equally critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest-emerging threat vectors.
Audit offering
SquareX is offering a complimentary enterprise-wide extension audit for organisations. The audit uses all three components of the SquareX Extension Analysis Framework – metadata analysis, static code analysis, and dynamic analysis using the Extension Monitoring Sandbox. The process delivers a comprehensive review of all browser extensions in use across an organisation and assigns a risk score to each.
The company cites reference material available through public security news sources regarding the prevalence and risk posed by malicious extensions. SquareX continues to promote the need for collaboration between browser vendors, security providers, and enterprises in addressing extension security challenges.