SquareX has launched a “Year of Browser Bugs” (YOBB). The objective is clear: the web browser must become more secure, because this new endpoint is currently riddled with bugs and vulnerabilities.
SquareX was founded in 2023 as what it calls the first Browser Detection & Response (BDR) vendor. That naming reveals how the company views the web browser within IT: an endpoint full of dangers, yet used more than any other enterprise application in the world. It appears to be a blind spot for traditional endpoint solutions and even for XDR services, which still primarily protect hardware endpoints and networks.
Inspiration from the past
The YOBB project is inspired by the various Month of Bugs (MoB) initiatives. A Month of Browser Bugs already took place in July 2006, after which the focus shifted to kernel bugs (November 2006) and Apple bugs (January 2007). According to SquareX, these initiatives raised significant awareness, but attention to browser security has waned in the nearly two decades since.
SquareX departs from the 2006 focus, which was centered on the web browser itself. The company now wants to expose application-level attacks that reach the user through the browser, via websites, web apps, or cloud data storage. After all, many services run inside the browser, with the browser itself serving merely as the medium.
A harder question is whether attacks in this part of the IT estate have gone unnoticed for some time. Not every organization will readily accept that securing the cloud apps and the browser binary itself is insufficient. Browser activity is routinely monitored within organizations, but when it comes to the multitude of extensions, the assumption is that a party like Google covers this, along with the Chrome application and the Chromium project.
Monthly revelations
Throughout 2025, SquareX’s research team will reveal at least one critical web attack per month as part of the YOBB project. The focus is on vulnerabilities that exploit architectural limitations of the browser and of existing security solutions. According to SquareX, this research will expose attack paths that have remained unknown even within the cybersecurity community.
Each revelation will consist of demonstration videos of the attack, a technical explanation, and mitigation strategies. All findings are researched and discovered in-house by SquareX, without outside help.
The year of browser bugs has already begun
Under the YOBB initiative, SquareX has already made important revelations. In January, for example, the company revealed ‘browser syncjacking,’ a new attack technique that gives malicious actors control over both the browser and other applications on the endpoint. In February, polymorphic extensions followed: malicious extensions that can morph to mimic any other browser extension and act as infostealers. This puts password managers and crypto wallets at risk, with all the consequences that entails.
The list of discoveries goes back even further. In 2024, SquareX disclosed a critical flaw in Secure Web Gateways (August) and the OAuth identity attack that hit Cyberhaven (December).
A call to action
As browsers become the new endpoint, attackers are increasingly targeting employees to break into organizations and steal data. A clear example of this is the Cyberhaven incident, according to Vivek Ramachandran, founder and CEO of SquareX. Unfortunately, apart from attention in the mainstream media, little is being done by vendors from a security perspective to prevent similar exploits in the future.
Ramachandran adds that YOBB is SquareX’s attempt to draw attention to an exponentially growing attack surface. The wording could hardly be more ominous. Other security specialists may well feel called upon to intensify the hunt for browser bugs in the coming twelve months.