Polymorphic Chrome Extension Attack Puts Millions at Risk – Act Now to Protect Your Data
A newly devised “polymorphic” attack has raised alarms within the cybersecurity community, as it allows malicious Chrome extensions to morph into other trusted browser extensions such as password managers, crypto wallets, and banking apps. The attack, uncovered by SquareX Labs, demonstrates the ease with which attackers can steal sensitive user information by impersonating widely-used applications. The research findings highlight the vulnerability of the latest version of Google Chrome, prompting urgent discussions on the need for enhanced browser security measures.
How Does the Polymorphic Attack Work?
The polymorphic attack begins with the submission of a malicious extension to the Chrome Web Store. Disguised as a legitimate tool, such as an AI marketing application, the extension delivers the functionality it advertises so that users install it and pin it to their browser toolbar. Once installed, the extension abuses the ‘chrome.management’ API to gather a list of the other installed extensions.
If the extension does not have direct access to this API, a stealthier method is employed. The extension injects malicious scripts onto web pages the victim visits, attempting to load specific files or URLs associated with popular extensions. If a targeted extension is detected, the list is sent back to an attacker-controlled server.
Based on the information received, attackers can command the malicious extension to morph into one of the detected extensions. For instance, SquareX demonstrated how the attack could impersonate the 1Password password manager. The malicious extension disables the legitimate one through the ‘chrome.management’ API or employs user interface manipulation tactics to hide it from view. Simultaneously, the malicious extension changes its icon, name, and interface to match the real extension, presenting victims with fake login prompts to harvest credentials.
Current Impact and Practicality
SquareX Labs has confirmed that the attack is practical and feasible on the latest version of Chrome. The research findings have been responsibly disclosed to Google, but at the time of writing, no official mitigation measures have been introduced. The attack is particularly concerning because it targets widely-used applications, including password managers, which are considered essential for online security.
Additionally, the ‘chrome.management’ API is classified as “medium risk” by Google, despite its extensive use by popular extensions such as ad blockers and page stylers. This classification has drawn criticism from SquareX researchers, who argue that the API’s capabilities make it a prime target for abuse.
Mitigation Measures and Recommendations
To mitigate the risk posed by polymorphic attacks, SquareX has recommended that Google implement stricter controls on abrupt changes to extension icons, names, and HTML elements. Notifying users of such changes could help detect suspicious activity and prevent impersonation.
Experts also advise users to exercise caution when installing browser extensions, especially those requiring extensive permissions. Regularly reviewing installed extensions and avoiding unnecessary installations can reduce the attack surface.
While users await official fixes from Google, security researchers emphasize the importance of enabling two-factor authentication (2FA) and keeping browser software and extensions up to date to minimize the risk of credential theft.
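The review that the mitigation section recommends can be automated on a workstation. The script below is an added example for this article, not code from SquareX Labs or Google: it walks the on-disk extension directory of a Chrome profile (the Linux path in the docstring is an assumption; adjust it for your platform), records each extension's name, permissions and icon hashes as a baseline, flags extensions that request the ‘management’ permission the article describes, and reports name, icon or permission changes between two snapshots. A caveat: an extension that morphs at runtime through the browser's action APIs leaves its on-disk manifest untouched, so this audit catches changes shipped as a new version and permission creep, not a live toolbar swap; that is why SquareX asks for the check to live inside Chrome itself. The sample extension tree is constructed inline so the example runs offline.

```python
"""Audit installed Chrome extensions against a saved baseline.

Defensive helper written for this article (an assumption, not vendor tooling).
Chrome keeps unpacked extensions under a path such as
~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json
on Linux; point snapshot_extensions() at that directory on a real machine.
"""
import hashlib
import json
import os
import re
import shutil
import tempfile


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _version_key(dirname):
    # Chrome names version directories like "1.2.3_0"; compare numerically so
    # "1.10_0" sorts after "1.9_0" (plain string order would get this wrong).
    return tuple(int(p) for p in re.split(r"[._]", dirname) if p.isdigit())


def snapshot_extensions(ext_root):
    """Return {ext_id: {name, version, permissions, icon_hashes}} for the
    newest version directory of each extension found under ext_root."""
    snap = {}
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        versions = [v for v in os.listdir(ext_dir)
                    if os.path.isfile(os.path.join(ext_dir, v, "manifest.json"))]
        if not versions:
            continue
        vdir = os.path.join(ext_dir, max(versions, key=_version_key))
        with open(os.path.join(vdir, "manifest.json"), encoding="utf-8") as f:
            manifest = json.load(f)
        icon_hashes = {}
        for size, rel in (manifest.get("icons") or {}).items():
            ipath = os.path.join(vdir, rel)
            if os.path.isfile(ipath):
                icon_hashes[str(size)] = _sha256(ipath)
        snap[ext_id] = {
            # Localised extensions carry "__MSG_...__" placeholders here; resolving
            # them through _locales/ is left out of this example.
            "name": manifest.get("name", ""),
            "version": manifest.get("version", ""),
            "permissions": sorted(manifest.get("permissions") or []),
            "icon_hashes": icon_hashes,
        }
    return snap


def find_management_users(snap):
    """IDs of extensions that can enumerate and disable other extensions."""
    return sorted(eid for eid, e in snap.items() if "management" in e["permissions"])


def diff_snapshots(baseline, current):
    """List (ext_id, finding) pairs for identity or permission changes."""
    findings = []
    for eid, cur in current.items():
        base = baseline.get(eid)
        if base is None:
            findings.append((eid, "new extension installed"))
            continue
        if cur["name"] != base["name"]:
            findings.append((eid, f"name changed: {base['name']!r} -> {cur['name']!r}"))
        if cur["icon_hashes"] != base["icon_hashes"]:
            findings.append((eid, "icon files changed"))
        added = set(cur["permissions"]) - set(base["permissions"])
        if added:
            findings.append((eid, "new permissions: " + ", ".join(sorted(added))))
    for eid in baseline:
        if eid not in current:
            findings.append((eid, "extension removed"))
    return findings


def build_demo():
    """Construct a throwaway extension tree (sample data, not real extensions)
    and return (baseline, current) snapshots taken before and after an update."""
    root = tempfile.mkdtemp(prefix="ext_audit_")

    def write_ext(ext_id, version, manifest, icon_bytes):
        vdir = os.path.join(root, ext_id, version)
        os.makedirs(vdir, exist_ok=True)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        with open(os.path.join(vdir, "icon.png"), "wb") as f:
            f.write(icon_bytes)

    # Baseline: a helper that quietly requests "management", plus a vault extension.
    write_ext("aaaa", "1.0_0", {"name": "AI Marketing Helper", "version": "1.0",
              "permissions": ["storage", "management"], "icons": {"48": "icon.png"}},
              b"PNG-helper")
    write_ext("bbbb", "2.3_0", {"name": "Example Vault", "version": "2.3",
              "permissions": ["storage"], "icons": {"48": "icon.png"}},
              b"PNG-vault")
    baseline = snapshot_extensions(root)
    # Later: the helper ships a new version whose name and icon copy the vault.
    write_ext("aaaa", "1.1_0", {"name": "Example Vault", "version": "1.1",
              "permissions": ["storage", "management"], "icons": {"48": "icon.png"}},
              b"PNG-vault")
    current = snapshot_extensions(root)
    shutil.rmtree(root)
    return baseline, current


if __name__ == "__main__":
    baseline, current = build_demo()
    print("management users:", find_management_users(baseline))
    for eid, finding in diff_snapshots(baseline, current):
        print(eid, finding)
```

On a real profile, run snapshot_extensions() once, store the result as JSON, and re-run it periodically (or after each Chrome extension update) to diff against the stored baseline; any extension that newly matches another installed extension's name or icon hash deserves a closer look.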
Future Implications
The emergence of polymorphic attacks highlights the evolving nature of cyber threats targeting everyday users. If left unaddressed, this technique could become more widespread, affecting not only Chrome but other browsers with similar extension architectures.
As browser developers work to enhance security frameworks, users must remain vigilant and adopt best practices for protecting their online accounts. This attack serves as a stark reminder that even trusted applications can be exploited, highlighting the need for continuous security updates and user awareness.
With the growing reliance on browser-based applications for personal and financial transactions, the implementation of robust security measures will be critical in safeguarding sensitive information from emerging threats.