2025: The Year of Browser Bugs


In August 2024, we made waves at DEF CON 32 by unveiling Last Mile Reassembly Attacks: a new class of attacks that completely bypass architectural limitations on Secure Web Gateways.


We also demonstrated how malicious extensions can silently add GitHub repo collaborators, mirror Zoom/Google Meet video feeds, and steal user credentials/data despite Chrome's new MV3 framework.


In December 2024, our research team was again first to disclose the OAuth consent phishing attack against Chrome Store developers, a week before the Cyberhaven breach was disclosed.


In 2025, we're solidifying our commitment to helping enterprises protect themselves better with The Year of Browser Bugs. Every month this year, we'll release new research showcasing different browser vulnerabilities, focusing on attacks that exploit existing functionality and cannot be easily patched. All findings will be documented here, to ensure our bleeding-edge research translates into actionable intelligence for security teams worldwide.

Security Research Exposés

April 2024

SquareX researchers highlighted that top email providers including Apple, Gmail, Microsoft, and Yahoo - which billions use - failed to detect and block malicious attachments.

August 2024

Unveiled Last Mile Reassembly Attacks on the DEF CON 32 Main Stage: how attackers exploit the architectural limitations of Secure Web Gateways to deliver malware to enterprise users.

October 2024

The SquareX team demonstrated that, despite the improved security controls in Google's MV3, malicious extensions can still bypass those controls to compromise users.

December 2024

SquareX was the first to sound the alarm on OAuth-based attacks targeting Chrome extension developers, where threat actors used phishing emails to gain access to developers' Chrome Store accounts and push malicious updates to users. A week later, DLP provider Cyberhaven was breached with this exact attack.

January 2025

SquareX discloses Browser Syncjacking, where a single malicious extension can be used to completely hijack the browser, and eventually, the whole device.

February 2025

SquareX discovers how polymorphic extensions impersonate legitimate extensions such as password managers and crypto wallets, leading victims to believe that they are providing credentials to the real extension.

Upcoming

Stay tuned for our next research finding!

The Solution: Browser Detection and Response

See what SquareX's bleeding-edge Browser Detection and Response (BDR™) solution can do for you.

  • Highly Granular Extension-based Policies
  • Advanced Extension Static Analysis
  • Dynamic Analysis
  • Browser Extension Policy Library
  • Extension Risk Scores
  • Shadow SaaS & OAuth Access Control

Request a pilot, or contact us at founder@sqrx.com to learn more.