A newly demonstrated polymorphic attack lets malicious Chrome extensions impersonate other browser extensions, such as crypto wallets, password managers, or banking applications, in order to steal sensitive information.
The attack was first described by SquareX Labs, which warned that it is practical and feasible on the latest version of Chrome. The researchers say they have responsibly disclosed the technique to Google, the browser's maker.
The attack starts with the submission of a malicious polymorphic extension to Chrome's Web Store. SquareX used an AI-based marketing tool as its example: the extension delivers the functionality it promises, which persuades victims to install it and pin it to the browser toolbar.
To obtain a complete list of installed extensions, the malicious extension abuses the Chrome management API, to which the user granted access at install time. If the extension is not granted that permission, SquareX notes a second way to achieve a similar result: injecting resources into the web pages the victim visits.
These injected scripts attempt to load files or URLs that are unique to specific extensions; if such a resource loads, that extension is installed. The resulting list of installed extensions is sent back to the attacker's server. If a targeted extension is found, the attacker commands the malicious extension to morph into that target.
In the demo outlined by SquareX, the attackers impersonate the 1Password manager extension by disabling the real one through the chrome.management API. If that permission is not available, user interface manipulation tactics are used to hide the real extension from the user.
Simultaneously, the malicious extension switches its icon to mimic 1Password's, changes its name to match, and displays fake login popups that look like the real ones.
To push the user into entering credentials, a fake 'Session Expired' prompt appears when they attempt to log in to a website, making the target believe they were logged out when they were not.
This prompts the user to log back into 1Password via a phishing form that sends the entered credentials to the attackers. Once the sensitive data is captured, the malicious extension reverts to its original appearance and the real extension is re-enabled, so everything appears normal again.
SquareX also shared a demo showing how easily the malicious extension can impersonate 1Password. It recommended that Google roll out guardrails against such attacks, such as blocking changes to the icon and HTML of installed extensions, or alerting users when such changes happen.
The researchers also noted that Google incorrectly classifies the chrome.management API as only medium risk, and that it is commonly requested by popular extensions, including password managers, ad blockers and page stylers.
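As an added illustration, not SquareX's code or anything from its report, the following Python audit applies the report's signals from the defender's side: it flags installed extensions that request the "management" permission, flags an extension whose display name matches a trusted extension's name while its ID is not the genuine one, and compares two snapshots of installed extension records to surface name or icon changes, which is the guardrail SquareX proposes Chrome itself should enforce. The extension IDs are placeholders, the snapshot records are constructed, and how the records are collected (for example from the management API or from extension directories on disk) is assumed to happen elsewhere.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholder: the real Chrome Web Store ID of the genuine
# 1Password extension is not on the page and must be filled in by the operator.
TRUSTED_IDS: Dict[str, set] = {"1password": {"PLACEHOLDER_GENUINE_1PASSWORD_ID"}}

# Permission that lets an extension enumerate and disable other extensions.
SENSITIVE_PERMISSIONS = {"management"}


@dataclass(frozen=True)
class Finding:
    extension_id: str
    name: str
    reason: str


def normalize(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so display names compare loosely."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_record(ext_id: str, record: dict) -> List[Finding]:
    """Flag one extension record (ID plus manifest-like fields)."""
    findings: List[Finding] = []
    name = record.get("name", "")
    for perm in sorted(set(record.get("permissions", [])) & SENSITIVE_PERMISSIONS):
        findings.append(Finding(ext_id, name, f"requests the '{perm}' permission"))
    key = normalize(name)
    if key in TRUSTED_IDS and ext_id not in TRUSTED_IDS[key]:
        findings.append(Finding(ext_id, name, "name matches a trusted extension but the ID does not"))
    return findings


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict]) -> List[Finding]:
    """Flag extensions whose name or icon set changed between two snapshots."""
    findings: List[Finding] = []
    for ext_id, cur in after.items():
        prev = before.get(ext_id)
        if prev is None:
            continue  # newly installed; audit_record covers it on its own
        for field in ("name", "icons"):
            if prev.get(field) != cur.get(field):
                findings.append(Finding(ext_id, cur.get("name", ""), f"'{field}' changed since the last snapshot"))
    return findings


def run_audit(before: Dict[str, dict], after: Dict[str, dict]) -> List[Finding]:
    """Combine the snapshot diff with a per-record audit of the current state."""
    findings = diff_snapshots(before, after)
    for ext_id, record in after.items():
        findings.extend(audit_record(ext_id, record))
    return findings


# Constructed sample snapshots; the IDs are made up and do not refer to real extensions.
BEFORE: Dict[str, dict] = {
    "PLACEHOLDER_GENUINE_1PASSWORD_ID": {
        "name": "1Password", "icons": {"128": "icon128.png"}, "permissions": ["storage"]},
    "constructed_adblock_id": {
        "name": "Ad Blocker", "icons": {"128": "ab.png"}, "permissions": ["management", "webRequest"]},
    "constructed_ai_tool_id": {
        "name": "AI Marketing Assistant", "icons": {"128": "ai.png"}, "permissions": ["management", "scripting"]},
}
# Second snapshot: the "AI" extension has morphed to look like 1Password.
AFTER: Dict[str, dict] = {
    **BEFORE,
    "constructed_ai_tool_id": {
        "name": "1Password", "icons": {"128": "lookalike.png"}, "permissions": ["management", "scripting"]},
}

if __name__ == "__main__":
    for f in run_audit(BEFORE, AFTER):
        print(f"{f.extension_id}: {f.name!r}: {f.reason}")
```

On the sample data the benign ad blocker is reported once, for the management permission alone, which matches the report's point that this permission is common and is a signal rather than proof; the morphed extension is reported for the permission, for the name/ID mismatch, and twice more by the snapshot diff (name and icon changed).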