A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information. The attack was devised by SquareX Labs, which warns of its practicality and feasibility on the latest version of Chrome. The researchers have responsibly disclosed the attack to Google. The attack begins with submitting the malicious polymorphic extension on Chrome's Web Store. [1]
SquareX uses an AI marketing tool as an example, which offers the promised functionality, tricking victims into installing and pinning the extension on their browser. To get a list of other installed extensions, the malicious extension abuses the 'chrome.management' API, which it was given access to during installation. If the malicious extension doesn't have this permission, SquareX says there's a second, stealthier way to achieve the same, involving resource injection onto web pages the victim visits. The malicious script attempts to load a specific file or URL unique to targeted extensions, and if it loads, it can be concluded that the extension is installed.
The list of installed extensions is sent back to an attacker-controlled server. If a targeted one is found, the attackers command the malicious extension to morph into the targeted one. In SquareX's demonstration, the attackers impersonate the 1Password password manager extension by first disabling the legitimate one using the 'chrome.management' API or, if that permission is not available, by using user interface manipulation tactics to hide it from the user.
Simultaneously, the malicious extension switches its icon to mimic that of 1Password, changes its name accordingly, and displays a fake login popup that matches the appearance of the real one. When attempting to log in to a site, a fake "Session Expired" prompt is served to force the user to enter their credentials. This makes the victim think they were logged out. The extension then prompts the user to log back into 1Password through a phishing form that sends the input credentials back to the attackers.
Once the sensitive information is sent to the attackers, the malicious extension reverts to its original appearance, and the actual extension is re-enabled, so everything appears normal again. SquareX recommends that Google implement specific defenses against this attack, such as blocking abrupt changes to the icons and HTML of installed extensions, or notifying users when such changes happen. Currently, there are no measures to prevent this kind of deceptive impersonation. SquareX researchers also noted that Google wrongfully classifies the 'chrome.management' API as "medium risk," despite its extensive use by popular extensions such as page stylers, ad blockers, and password managers.
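The defenses SquareX asks Google for (flagging abrupt changes to installed extensions) can be approximated today by an enterprise monitoring extension that itself holds the 'chrome.management' permission. The following is an added example written for this article, not code from SquareX, Google or the article's author: it audits which extensions hold the "management" permission, diffs two inventory snapshots for a disabled password manager or an in-place name change, and watches for the disable-then-re-enable cycle described above. The pure functions accept the array shape returned by `chrome.management.getAll()` and run in plain Node; the sensitive-name list, the 15-minute window and the sample inventory are constructed assumptions, and `wireChromeEvents()` is the only browser-dependent part.

```javascript
// Added example (not from SquareX or the article): inventory audit logic for a
// defender-side monitoring extension that holds the "management" permission.

// Constructed list of high-value extension names worth watching (assumption).
const SENSITIVE_NAME_PATTERNS = [/1password/i, /bitwarden/i, /metamask/i];

// A disable followed by a re-enable inside this window matches the attack
// sequence in the article (window length is an assumption).
const CYCLE_WINDOW_MS = 15 * 60 * 1000;

function isSensitive(name) {
  return SENSITIVE_NAME_PATTERNS.some((re) => re.test(name));
}

// Every extension that can enumerate or disable others; each one should be
// justified on the organisation's allow-list.
function extensionsWithManagement(extensions) {
  return extensions
    .filter((e) => Array.isArray(e.permissions) && e.permissions.includes("management"))
    .map((e) => ({ id: e.id, name: e.name }));
}

// Reduce a chrome.management.getAll() result to the fields compared between audits.
function snapshot(extensions) {
  const map = new Map();
  for (const e of extensions) {
    map.set(e.id, { name: e.name, version: e.version, enabled: e.enabled });
  }
  return map;
}

// Compare two snapshots and report the changes relevant to impersonation.
function diffSnapshots(baseline, current) {
  const findings = [];
  for (const [id, now] of current) {
    const before = baseline.get(id);
    if (!before) {
      findings.push({ id, kind: "new_extension", detail: now.name });
      continue;
    }
    if (before.enabled && !now.enabled && isSensitive(before.name)) {
      findings.push({ id, kind: "sensitive_disabled", detail: before.name });
    }
    if (before.name !== now.name && before.version === now.version) {
      // A name change without a version bump cannot come from a normal update.
      findings.push({ id, kind: "name_changed", detail: `${before.name} -> ${now.name}` });
    }
  }
  for (const [id, before] of baseline) {
    if (!current.has(id) && isSensitive(before.name)) {
      findings.push({ id, kind: "sensitive_removed", detail: before.name });
    }
  }
  return findings;
}

// Stateful detector for the disable -> phish -> re-enable cycle on sensitive extensions.
class CycleDetector {
  constructor(windowMs = CYCLE_WINDOW_MS) {
    this.windowMs = windowMs;
    this.disabledAt = new Map(); // extension id -> timestamp of last onDisabled
  }
  // event is "disabled" or "enabled"; info has the chrome.management.ExtensionInfo shape.
  record(event, info, nowMs) {
    if (!isSensitive(info.name)) return null;
    if (event === "disabled") {
      this.disabledAt.set(info.id, nowMs);
      return null;
    }
    if (event === "enabled" && this.disabledAt.has(info.id)) {
      const elapsed = nowMs - this.disabledAt.get(info.id);
      this.disabledAt.delete(info.id);
      if (elapsed <= this.windowMs) {
        return { id: info.id, kind: "disable_reenable_cycle", elapsedMs: elapsed };
      }
    }
    return null;
  }
}

// Browser wiring: only meaningful inside an extension that holds "management".
// Returns false (and does nothing) when the chrome.* API is not present.
function wireChromeEvents(detector, report) {
  if (typeof chrome === "undefined" || !chrome.management) return false;
  chrome.management.onDisabled.addListener((info) => {
    const f = detector.record("disabled", info, Date.now());
    if (f) report(f);
  });
  chrome.management.onEnabled.addListener((info) => {
    const f = detector.record("enabled", info, Date.now());
    if (f) report(f);
  });
  return true;
}

// Stand-alone demo on a constructed inventory (ids and names are made up).
function demo() {
  const inventory = [
    { id: "pwmgr-id", name: "1Password - Password Manager", version: "2.0", enabled: true, permissions: ["storage"] },
    { id: "helper-id", name: "AI Marketing Helper", version: "1.0", enabled: true, permissions: ["management", "storage"] },
  ];
  const later = inventory.map((e) => (e.id === "pwmgr-id" ? { ...e, enabled: false } : e));
  return {
    holdsManagement: extensionsWithManagement(inventory),
    findings: diffSnapshots(snapshot(inventory), snapshot(later)),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Two general Chrome facts, not from the article, round this out on the prevention side: an administrator can deny the "management" permission to every extension outside an allow-list through the `ExtensionSettings` enterprise policy (`blocked_permissions` on the `*` entry), and an extension author can make the resource-probing check described above far less reliable by narrowing the `matches` list of `web_accessible_resources` and setting `use_dynamic_url` in a Manifest V3 manifest, so the URL that the probe would load is no longer fixed.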
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
© 2025 Red Sky Alliance Corporation. All rights reserved.