Overview
Explore critical browser extension security vulnerabilities in this DEF CON conference talk that examines the rise of malicious extensions amid increased browser usage during remote work. Learn about the transition from MV2 to MV3 extension models and discover how attackers bypass security measures while requiring minimal permissions commonly granted to 95% of Chrome store extensions. Understand techniques for unauthorized access to webcam feeds, audio streams, clipboard data, and credential theft from password managers. Dive into methods for circumventing MV3's restrictions on arbitrary code execution and examine how malicious extensions can compromise sensitive data from other extensions, including credit card information, passwords, and OTPs. Gain insights into proposed improvements for the extension security model to address these security gaps and protect users from emerging threats.
Syllabus
DEF CON 32 - Sneaky Extensions The MV3 Escape Artists - Vivek Ramachandran, Shourya Pratap Singh
Taught by
DEFCONConference