Manifest V3 Unveiled: Navigating the New Era of Browser Extensions
Nikolaos Pantelaios, Alexandros Kapravelos
TL;DR
The paper investigates the transition from Manifest V2 to Manifest V3 in Chrome extensions, addressing privacy, security, and performance concerns. It combines a dynamic analysis of 517 malicious V2 extensions converted to V3 with adoption metrics and an open-source dataset, using an autoconverter tool to perform the conversions. The study reports that 87.8% of vulnerable APIs are removed in V3, while 29.8% of converted extensions remain malicious, and 56% can still operate via web_accessible_resources. These findings illuminate the security gains of V3 and the ongoing need for monitoring and mitigations as the extension ecosystem evolves.
Abstract
Introduced over a decade ago, Chrome extensions now exceed 200,000 in number. In 2020, Google announced a shift in extension development with Manifest Version 3 (V3), aiming to replace the previous Version 2 (V2) by January 2023. This deadline was later extended to January 2025. The company's decision is grounded in enhancing three main pillars: privacy, security, and performance. This paper presents a comprehensive analysis of the Manifest V3 ecosystem. We start by investigating the adoption rate of V3, detailing the percentage of adoption from its announcement up until 2024. Our findings indicate, prior to the 2023 pause, less than 5% of all extensions had transitioned to V3, despite the looming deadline for the complete removal of V2, while currently nine out of ten new extensions are being uploaded in Manifest V3. Furthermore, we compare the security and privacy enhancements between V2 and V3 and we evaluate the improved security attributable to V3's safer APIs, examining how certain APIs, which were vulnerable or facilitated malicious behavior, have been deprecated or removed in V3. We dynamically execute 517 confirmed malicious extensions and we see a 87.8% removal of APIs related to malicious behavior due to the improvements of V3. We discover that only 154 (29.8%) of these extensions remain functional post-conversion. This analysis leads to the conclusion that V3 reduces the avenues for abuse of such APIs. However, despite the reduction in APIs associated with malicious activities, the new Manifest V3 protocol is not immune to such behavior. Our research demonstrates, through a proof of concept, the adaptability of malicious activities to V3. After the proof of concept changes are applied, we showcase 290 (56%) of the examined malicious extensions retain their capability to conduct harmful activities within the V3 framework.