IT Brief Asia - Technology news for CIOs & IT decision-makers
Researchers reveal data splicing attacks bypassing DLP

Thu, 17th Apr 2025

SquareX researchers will disclose a new class of data exfiltration techniques, called data splicing attacks, which can bypass major data loss protection (DLP) solutions by exploiting vulnerabilities in web browsers.

Jeswin Mathai and Audrey Adeline, both researchers at SquareX, are set to demonstrate several data splicing attack techniques, under the title "Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out". These techniques reportedly allow attackers to exfiltrate any sensitive file or clipboard data without detection, circumventing controls put in place by DLP vendors listed by market research firm Gartner.

DLP systems are considered fundamental components of enterprise cybersecurity infrastructure, aiming to prevent losses that may include intellectual property theft, regulatory non-compliance, and reputational damage. With an estimated 60% of corporate data now stored in the cloud, web browsers have become the primary interface through which staff create, access, and share corporate information.

Attacks targeting browsers have therefore attracted interest from both external attackers and insiders. SquareX claims that prevailing endpoint and cloud DLP technologies struggle to provide in-depth monitoring or access control of browser-based interactions with sensitive data.

The firm highlights specific complexities in maintaining what it calls data lineage within browsers, including the management of multiple user identities and accounts and the proliferation of both approved and unsanctioned software-as-a-service (SaaS) applications. Unlike managed devices—where IT departments can restrict software installation—users can easily sign up for new SaaS services without the knowledge or oversight of corporate security teams.

Audrey Adeline, Researcher at SquareX, said, "Data splicing attacks are a complete game changer for insider threats and attackers that are seeking to steal information from enterprises. They exploit newer browser features that were invented long after existing DLP solutions and thus the data exfiltrated using these techniques are completely uninspected, resulting in full bypasses. With today's workforce heavily relying on SaaS apps and cloud storage services, any organization that uses the browser is vulnerable to data splicing attacks."

During their presentation, Mathai and Adeline plan to release an open source toolkit called Angry Magpie to enable penetration testers and security teams to assess their own DLP defences against these attacks. According to SquareX, the goal is to highlight the growing threat posed by browsers to corporate data loss and encourage both businesses and software vendors to re-examine existing protective approaches.

Following their research disclosure, the SquareX team is also scheduled to present further findings at RSAC 2025 and will be available for discussions at the event in San Francisco.

Jeswin Mathai serves as Chief Architect at SquareX and has prior experience presenting his work on the international cybersecurity stage, including at DEF CON US, DEF CON China, RootCon, Black Hat Arsenal, Recon Village, and Demo Labs at DEF CON, as well as training sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. He has created open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

Audrey Adeline leads the Year of Browser Bugs (YOBB) project at SquareX and is also the author of The Browser Security Field Manual. Her previous disclosures, including Polymorphic Extensions, Browser Ransomware and Browser Syncjacking, have received coverage from publications such as Forbes, Bleeping Computer and Mashable. Adeline has also run cybersecurity workshops with Stanford University and Women in Security and Privacy (WISP), and previously worked as a cybersecurity investor at Sequoia Capital after graduating from the University of Cambridge in Natural Sciences.

SquareX's research team states that its approach involves taking a research and attack-focused perspective on browser security, aiming to continually disclose new vulnerabilities in browser architecture on a monthly basis as part of its Year of Browser Bugs initiative.
