SquareX's research team has uncovered a new attack that allows malicious browser extensions to impersonate legitimate extensions installed on victims' browsers, leading to potential account hijacking, data theft, and financial loss.
The polymorphic extension attack, which affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others, takes advantage of the way users typically rely on visual cues, such as extension icons, to interact with browser tools. According to SquareX, the malicious extensions create a pixel-perfect replica of the target extension’s icon, HTML popup, and workflows, even going so far as to temporarily disable the legitimate extension, making it nearly impossible for the victim to distinguish between the two.
The attack works by exploiting a common user habit: pinning frequently used extensions to the browser's toolbar. SquareX researchers have detailed a potential attack scenario in which threat actors publish a seemingly benign polymorphic extension to the Chrome Web Store (or another extension marketplace) disguised as a utility that performs an innocent task. While the extension operates without raising suspicion in its primary function, it silently activates its malicious capabilities in the background.
The rogue extension scans for web resources linked to known target extensions using a technique called “web resource hitting.” Once it identifies a matching extension, the rogue extension reshapes itself to closely mirror the legitimate one. This includes changing its own icon to match that of the target and temporarily disabling the real extension via the “chrome.management” API, which effectively removes the real extension from the user’s toolbar.
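Both steps described above depend on properties that are visible in an extension's manifest before anything runs: disabling a peer through chrome.management requires the "management" permission, and "web resource hitting" only works against extensions whose web-accessible resources are exposed to every site. The following audit script is an added example (not SquareX's code or tooling); the manifests and extension ids in it are constructed placeholders, and it flags both properties so a defender can review which installed extensions hold them.

```python
"""Audit Chromium extension manifests for the two capabilities the polymorphic
extension technique relies on: the 'management' permission (lets one extension
disable another) and web-accessible resources exposed to every site (lets any
page probe for the extension). Added example; the manifests are constructed."""

ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def exposed_resources(manifest):
    """Return the web-accessible resources any site can probe. MV2 declares a
    flat list visible to every page; MV3 scopes each entry with 'matches', so
    only entries with a wildcard match are globally visible."""
    war = manifest.get("web_accessible_resources", [])
    if manifest.get("manifest_version", 2) < 3:
        return list(war)
    exposed = []
    for entry in war:
        if ALL_URL_PATTERNS & set(entry.get("matches", [])):
            exposed.extend(entry.get("resources", []))
    return exposed

def audit(manifests):
    """manifests: extension id -> parsed manifest.json. Returns id -> findings."""
    findings = {}
    for ext_id, m in manifests.items():
        notes = []
        perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
        if "management" in perms:
            notes.append("holds 'management': can disable other extensions")
        exposed = exposed_resources(m)
        if exposed:
            notes.append(f"probeable: {len(exposed)} resource(s) web-accessible to all sites")
        if notes:
            findings[ext_id] = notes
    return findings

# Constructed sample manifests with placeholder ids (not real store entries).
SAMPLE_MANIFESTS = {
    "aaaa-utility-placeholder": {"manifest_version": 3, "name": "Page Utility",
        "permissions": ["storage", "management"], "web_accessible_resources": []},
    "bbbb-wallet-placeholder": {"manifest_version": 3, "name": "Wallet",
        "permissions": ["storage"], "web_accessible_resources": [
            {"resources": ["inpage.js"], "matches": ["<all_urls>"]}]},
    "cccc-legacy-placeholder": {"manifest_version": 2, "name": "Legacy Tool",
        "permissions": ["tabs"], "web_accessible_resources": ["icon.png", "inject.js"]},
    "dddd-quiet-placeholder": {"manifest_version": 3, "name": "Quiet",
        "permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, notes in audit(SAMPLE_MANIFESTS).items():
        print(ext_id, *notes, sep="\n  - ")
```

To audit a real profile, load each `manifest.json` under the browser's Extensions directory into the dict; a "management" holder that is not an expected extension-manager tool is worth a closer look.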
“The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation. In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with. Even if the user did navigate to the extension management dashboard, there is no easy way to correlate the extensions listed there with the pinned icons,” the researchers noted.