Millions of Google Chrome users faced data theft, according to a new warning
In a recent report, SquareX has raised concerns about the hidden threats posed by browser extensions, which are often downloaded and installed without proper checks and balances. Some of these extensions have been found to be malicious despite being verified and featured on Google's Chrome Web Store, and the latest disclosure is no exception.
Browser extensions hold unusually powerful privileges: they can access HTTP-only cookies, bypass cross-origin request restrictions, and observe tab updates, among other things. The more dangerous threat to Chrome users, however, comes from extensions that are malicious, including those that appear officially verified.
According to SquareX's latest threat report, millions of users have had their data stolen through malicious browser extensions. To ensure the safety of your data on Google Chrome, it is recommended to install extensions only from the official Chrome Web Store. Carefully review their permissions, ratings, and user reviews, and regularly audit and remove any extensions you no longer use or trust. Additionally, keep all your extensions updated to their latest versions, as updates often patch security vulnerabilities.
Malicious extensions can exploit broad permissions, such as the ability to inspect or modify browser traffic. Therefore, it is crucial to choose extensions that request only the permissions they genuinely need and avoid those with excessive or suspicious access rights. Extensions developed according to the latest Chrome Manifest V3 standard tend to have tighter security controls, which help reduce risks but do not completely eliminate them.
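The permission review described above can be scripted. The following is an added example, not code from SquareX or Google: it reads an extension's parsed `manifest.json` and reports the broad privileges this article names. The function name, the risk descriptions, and the sample manifest are constructed for illustration.

```python
import json

# Chrome permission names mapped to the capability the article warns about.
RISKY_APIS = {
    "cookies": "read cookies, including HttpOnly ones, for granted hosts",
    "tabs": "observe tab URLs and titles as they update",
    "webRequest": "observe browser traffic",
    "webRequestBlocking": "block or modify traffic (Manifest V2)",
    "declarativeNetRequest": "block or rewrite requests via rules",
    "debugger": "attach the DevTools protocol to any tab",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (hypothetical helper)."""
    findings = []
    version = manifest.get("manifest_version")
    if version != 3:
        findings.append(f"manifest_version {version}: not Manifest V3")
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    declared = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts run on every page their match patterns cover.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    broad = sorted(set(declared) & BROAD_HOSTS)
    if broad:
        findings.append("access to every site: " + ", ".join(broad))
    for api in sorted(set(declared) & set(RISKY_APIS)):
        findings.append(f"{api}: {RISKY_APIS[api]}")
    if broad and "cookies" in declared:
        findings.append("cookies + all sites: session cookies of any site readable")
    return findings


# Constructed sample manifest (not a real extension).
SAMPLE = json.loads("""{
  "name": "Example Tab Helper", "manifest_version": 3,
  "permissions": ["tabs", "cookies", "storage"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE):
        print("-", line)
```

An empty result means only that none of these broad grants were declared; it does not show that an extension is safe.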
Other steps to protect your data include periodically clearing your browser cache and cookies and testing problematic behavior in incognito mode with extensions disabled. Be cautious about what information you enter or share via extensions, as some may process or transmit sensitive data insecurely. Use reputable privacy-focused extensions known to improve privacy without degrading performance.
Stay alert to phishing campaigns or fake extension links often distributed via email or unofficial channels. Identifying malicious extensions is difficult, but a combination of cautious installation practices, regular management of installed extensions, and leveraging Google’s security ecosystem (e.g., Manifest V3 compliance, Web Store policies) forms the best defense to preserve your data security while using Chrome extensions.
Google has issued an urgent warning for 2 billion Chrome users due to a high-severity memory vulnerability (CVE-2025-8292). It is important to update your browser to version 138.0.7204.183/.184 and restart it as soon as possible.
With AI threats increasing, marauding browser AI agents are a huge risk. Be careful about what you install in your browser: some extensions are dangerous from the start, while others become malicious after a compromise or a change in ownership. Enterprises often rely on extension store labels like 'Verified' and 'Chrome Featured' to judge an extension’s security, but this approach is flawed, because attackers can easily manipulate store badges with fake reviews and mass downloads. Browser vendors and enterprises do not have sufficient tools to conduct extension analysis.
In conclusion, the real threat to your browser and the data it accesses might be hidden and working against you. By following the recommended practices, you can minimise the risks and safeguard your data while using Chrome extensions.
- Malicious attacks on Chrome through browser extensions pose a significant cybersecurity threat to millions of users, as illustrated by SquareX's latest report.
- Given the increasing AI threats and the potential danger of marauding browser AI agents, it is crucial for Chrome users to exercise caution when installing extensions, regularly update them, and closely monitor their permissions, as a Chrome emergency update may be necessary to mitigate zero-day vulnerabilities.