Palo Alto, Singapore, March 6, 2025, CyberNewswire
Recent attack disclosures such as browser SyncJacking and extension infostealers have made browser extensions a major security concern in many organizations. SquareX's research team has now discovered a new class of malicious extension that can impersonate any extension installed in the victim's browser, such as a password manager or a crypto wallet. These malicious extensions morph to copy the exact user interface, icons and text of the legitimate extension, which makes them very convincing to victims who then enter their credentials and other sensitive information. The attack affects most major browsers, including Chrome and Edge.
Polymorphic extensions take advantage of the fact that users interact with extensions through the icons pinned to the browser toolbar. The attack starts with the user installing a malicious extension that disguises itself as, for example, a modest AI tool. To make the attack even more convincing, the extension performs the AI functions it advertises and remains benign for a period of time.
Meanwhile, the malicious extension works out which other extensions are installed in the victim's browser. Once a target is identified, the polymorphic extension completely changes its own appearance to match it, including the icon displayed in the pinned toolbar. Since most users rely on these icons as visual confirmation of which extension they are interacting with, changing the icon alone may be enough to convince the average user that they are clicking on the legitimate extension. Even if the victim opens the extension dashboard, there is no obvious way to correlate the tools listed there with the pinned icon. To remove any remaining doubt, the malicious extension can also temporarily disable the target extension and remove it from the pinned toolbar, so that only its own copy of the target's icon remains.
Critically, polymorphic extensions can impersonate any browser extension. For example, one can mimic a popular password manager and trick the victim into entering their master password. The attacker can then use this password to log in to the real password manager and access every credential stored in the vault. Similarly, a polymorphic extension can mimic a popular crypto wallet, and the stolen credentials can then be used to approve transactions and send cryptocurrency to the attacker. Other potential targets include developer tools and banking extensions, giving the attacker unauthorized access to the applications where sensitive data or financial assets are stored.
Furthermore, the attack requires only permissions classified as medium risk by the Chrome Web Store. Ironically, many of these permissions are also used by password managers themselves and by other popular tools such as ad blockers and page stylers, which makes it particularly difficult for the Chrome Web Store and security teams to identify malicious intent simply by reviewing an extension's code.
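As an added illustration (not SquareX's tool or code), a small audit script that walks a Chrome profile's extension directory and lists which installed extensions hold the permission this example assumes is needed to enumerate and disable other extensions; the sample manifests and extension ids it runs against are constructed, and the watched-permission set is an assumption, not something the release names:

```python
import json
import tempfile
from pathlib import Path
# Assumption of this example: the enumerate-and-disable step of an impersonating
# extension relies on the "management" permission, which lets an extension list
# and enable/disable other installed extensions. A hit narrows the review set
# only; it does not prove intent, since legitimate tools also request it.
WATCHED_PERMISSIONS = {"management"}

def audit_manifest(manifest: dict):
    """Return a finding if the manifest requests a watched permission, else None."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hits = sorted(requested & WATCHED_PERMISSIONS)
    if not hits:
        return None
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "permissions": hits,
        "has_toolbar_action": "action" in manifest or "browser_action" in manifest,  # can swap its own icon
    }

def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (on Linux, ~/.config/google-chrome/Default/Extensions)."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # skip unreadable or partially written manifests
        finding = audit_manifest(manifest)
        if finding:
            finding["id"] = manifest_path.parts[-3]  # directory name is the extension id
            findings.append(finding)
    return findings

# Constructed sample manifests standing in for a real profile directory (ids are placeholders).
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0": {"name": "Notes Helper", "version": "1.0",
        "manifest_version": 3, "permissions": ["storage"], "action": {}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3_0": {"name": "AI Summarizer", "version": "2.3",
        "manifest_version": 3, "permissions": ["storage", "management"], "action": {}},
}

def demo() -> list:
    """Write the sample manifests to a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in SAMPLE_MANIFESTS.items():
            path = Path(tmp) / rel / "manifest.json"
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(Path(tmp))
```

Point `audit_profile` at a real profile's Extensions directory to get the same report for an actual browser; as the release notes, a permission hit is a starting point for review, not a verdict.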
Vivek Ramachandran, founder of SquareX, said, "Browser extensions presently pose a huge risk to businesses and users. Unfortunately, most organizations have no way of auditing their current extension footprint to see if they are malicious. This further highlights the need for native browser security solutions, such as browser detection and response, just like EDRs for operating systems."
These polymorphic extensions use existing Chrome features to carry out the attack. No software bug is involved, so there is no patch to apply. SquareX recommends, as part of responsible disclosure to Chrome, that the browser either prohibit changes to extension icons and sudden changes to an extension's HTML, or at least alert users to them, since attackers can easily exploit these techniques to impersonate other extensions in polymorphic attacks. For businesses, static extension analysis and permission-based policies are no longer sufficient. It is important to have a browser-native security tool that can dynamically analyze extension behavior at runtime, including the morphing behavior of malicious polymorphic extensions.
For more information about polymorphic extensions, additional findings from this study are available at https://sqrx.com/polymorphic-extensions.
About SquareX
SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks against users in real time, including protection against malicious extensions. In addition to polymorphic attacks, SquareX was also the first to discover and disclose multiple extension-based attacks, including browser SyncJacking and Chrome Store consent phishing attacks.
SquareX's industry-first browser detection and response (BDR) solution takes an attack-focused approach to browser security, protecting enterprise users from advanced threats such as malicious QR codes, browser-based malware, malicious files, websites, scripts, and other web attacks.
Additionally, SquareX allows businesses to give contractors and remote workers secure access to internal applications and enterprise SaaS, and to turn browsers on BYOD/unmanaged devices into trusted browsing sessions.
Contact
PR Manager
Junice Liew
SquareX
junice@sqrx.com