2 min Security

Chrome extensions remain a threat even after Google’s Manifest V3

Chrome extensions remain a threat even after Google’s Manifest V3

With Manifest V3, Google wants to make Chromium browsers more secure. That’s a relative term, because V3-based extensions are by no means truly safe from security threats.

This is according to research by SquareX. Among other things, extensions can bypass security features and even steal video feeds from Google Meet and Zoom Web without permissions. Also, rogue GitHub users can be added to repositories and redirects to phishing pages are possible, for example toward sites disguised as password managers.

It’s a painful conclusion, especially since security was a key objective for Manifest V3. Moving to V3 also requires a lot of work for developers. As yet, security issues remain as ever, although modified Google policies may yet resolve the circumvention of built-in security features.

Manifesto V3 repeat of V2

There has been much criticism of the oft-delayed Manifesto V3. Despite Google’s intention to make the standard more secure and privacy-sensitive, many popular extensions are in danger of disappearing. For example, uBlock Origin is incompatible with many other adblockers. This has driven Opera, a user of Google’s Chromium codebase, to maintain support for adblockers of its own accord.

Developers thus have to make their extensions compatible with V3, where restrictive rules often prevent them from doing so. A similar problem occurred with Manifest V2, rolled out in 2012. A LastPass developer noted at the time that a significant number of browser users were still using an outdated Chrome browser with Manifest V1, making compatibility for extensions based on V2 a hell of a task. The percentages were admittedly small, but those users still gave terrible reviews, thus leading to some reputational damage for the company.

Google also cleans up on its own

A few months ago, Manifesto V3 also showed Google had to make hard choices within its own extension offerings. Some of its own Chrome extensions will not make the transition from Manifest V2. Is it really such a big job to sort out V3 compatibility?

It seems like it is. For example, no more code that is remotely hosted may be run, as it’s not validated. From now on, an extension can only execute JavaScript that is in the package and thus has gone through the Chrome Web Store review process. Other changes eliminate unnecessary use of resources but require even more manual work by developers.