Security researcher Wladimir Palant has uncovered numerous malicious extensions in the Chrome Web Store that bypass Google’s prohibition on executing remote code, introduced with Manifest V3. This loophole has allowed threat actors to continue covert activities, including user surveillance, ad fraud, and circumventing web page security restrictions.
Among the most prominent offenders are extensions linked to the company Phoenix Invicta. These plugins employ various mechanisms to execute code fetched from remote servers. For instance, the extension “Volume Booster — Super Sound Booster” demands access to all websites, claiming it is essential for functionality. However, it uses the granted permissions to inject HTML code and bypass Content Security Policy, enabling data theft, ad injection, and even search query redirection.
Other suspicious extensions are associated with Technosense Media. Plugins such as “Flipshope: Price Tracker” and “Adblock all advertisements” collect data on visited web pages and transmit it to third-party servers. Some of these extensions manipulate HTTP request headers, allowing them to bypass security mechanisms, inject advertisements, or carry out fraudulent activities.
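A defender-side triage check for the two signals described above (all-site access combined with script injection, and request/response header rewriting that strips protections such as Content Security Policy), added here as an example; it is not code from Palant's research or from any of the extensions named. The manifest and rule set are constructed samples, and the finding strings are a hypothetical format.

```python
import json

# Constructed sample manifest modelled on the risk signals the article describes
# (all-site access plus header rewriting); not any real extension's manifest.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Sound Booster (constructed sample)",
    "host_permissions": ["<all_urls>"],
    "permissions": ["declarativeNetRequest", "scripting", "storage"],
})

# Constructed static declarativeNetRequest rule that removes CSP on every page.
SAMPLE_RULES = json.dumps([
    {"id": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "content-security-policy", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}},
])

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SECURITY_HEADERS = {"content-security-policy",
                    "content-security-policy-report-only", "x-frame-options"}


def triage(manifest_json: str, rules_json: str = "[]") -> list[str]:
    """Return risk findings for an MV3 manifest plus its static DNR rules."""
    m = json.loads(manifest_json)
    rules = json.loads(rules_json)
    findings = []
    perms = set(m.get("permissions", []))
    # older manifests put host patterns under "permissions", so check both
    hosts = set(m.get("host_permissions", [])) | perms
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: extension can run on every site")
        if "scripting" in perms:
            findings.append("scripting + broad hosts: can inject code into any page")
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        findings.append("declarativeNetRequest: can rewrite requests and responses")
    # rules that strip security headers defeat CSP and framing protections
    for r in rules:
        action = r.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for h in action.get("responseHeaders", []) + action.get("requestHeaders", []):
            if h.get("header", "").lower() in SECURITY_HEADERS:
                findings.append(f"rule {r.get('id')}: {h.get('operation')} header {h['header']}")
    # an extension CSP that lists remote origins is another remote-code signal
    csp = m.get("content_security_policy", {}).get("extension_pages", "")
    if "http" in csp:
        findings.append("extension CSP allows remote script origins")
    return findings
```

Point it at an unpacked extension's `manifest.json` and the rule files listed under `declarative_net_request.rule_resources`; an empty list means none of these signals were present, not that the extension is safe.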
Extensions branded under Sweet VPN also raise significant concerns. Their code is intentionally obfuscated, complicating analysis. However, investigations have revealed that these extensions track user activities and alter web page addresses, potentially redirecting users to fraudulent websites or installing spyware trackers.
Despite the restrictions introduced by Manifest V3, Google has yet to devise an effective policy to prevent such abuses. Malicious actors continue to exploit browser APIs and other mechanisms to circumvent technical safeguards. This situation underscores the urgent need for stricter oversight of extension security and the development of more robust regulatory measures.
Although some malicious extensions have been removed from the Chrome Web Store, many remain available, posing an ongoing threat to users. This raises critical questions about how long Google will overlook such incidents and whether the company can ultimately provide meaningful protection against these threats.