Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension

Summary:
Researchers at SquareX have uncovered a new campaign leveraging polymorphic browser extensions to steal credentials and other sensitive data. These malicious extensions can silently impersonate any extension installed on a victim’s browser, creating the illusion that trusted tools like password managers, crypto wallets, or banking apps are requesting sensitive information. The polymorphic extensions craft pixel-perfect replicas of the original extension’s icons, HTML popups, and workflows, making them nearly indistinguishable from legitimate extensions. The attack works by temporarily disabling the legitimate extension and replacing its visual indicators, particularly the pinned tab icons, with deceptive ones. This seamless switch tricks users into unknowingly providing their credentials, which are then stolen by attackers.

Security Officer Comments:
The attack chain begins when the victim installs the polymorphic extension, which is disguised as an AI marketing tool and promoted on various social media platforms. During installation, a popup prompts the user to pin the extension for an "enhanced experience". To avoid raising suspicion, the extension functions as advertised, offering the promised AI marketing capabilities. In the background, however, it injects a malicious script that enumerates the other extensions installed in the victim's browser, so that one of them can later be chosen for impersonation.

SquareX highlighted a potential attack scenario involving the impersonation of the 1Password password manager. When the victim logs in to a website, the polymorphic extension temporarily disables 1Password, removing it from the pinned toolbar, while simultaneously changing its own icon to match 1Password's. An HTML popup then appears, informing the victim that they have been logged out of 1Password and prompting them to log back in through the extension. When the victim clicks the fake extension's icon, a pixel-perfect replica of 1Password's login page is displayed. Unaware of the switch, the victim enters their username, password, and secret key, which are sent to the attacker's server. Once the credentials are captured, the polymorphic extension reverts to its original appearance and re-enables 1Password, leaving the victim with no indication that anything happened.

Suggested Corrections:
Users should exercise caution when installing tools that claim to offer AI marketing capabilities, as these may serve as the delivery vehicle for a polymorphic extension. To defend against such threats, organizations should deploy browser-native security tooling that dynamically analyzes each extension's behavior at runtime. This approach can detect suspicious activity, such as polymorphic behavior, that only emerges long after the extension was installed and passed any install-time review. In addition, monitoring for changes in an extension's publisher or code can trigger automated detection workflows, prompting an immediate security assessment whenever an unusual or potentially harmful modification is observed.
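The publisher/code-change monitoring suggested above, as an added example in Python (not SquareX's tooling and not code from the advisory): it diffs a saved baseline of installed extension manifests against the current inventory and flags publisher, version or permission changes. The observation that Chrome's `management` permission is what lets an extension enumerate or disable other extensions comes from Chrome's extension API documentation, not from the advisory; all extension ids, vendor names and manifests below are constructed placeholders.

```python
"""Baseline-diff detector for installed Chrome extensions (constructed example).
Reports the changes the advisory says should open a review: publisher, name or
version changes, newly added permissions, and the management permission above all."""
import json
from pathlib import Path
# Chrome only lets extensions that hold the "management" permission enumerate or
# disable other installed extensions (Chrome extension API docs), which is exactly
# the capability the impersonation described above relies on.
HIGH_RISK_PERMISSIONS = {"management"}

def load_manifests(ext_root: Path) -> dict:
    """Return {extension_id: manifest} from a Chrome profile's Extensions dir,
    laid out as <ext_root>/<id>/<version>/manifest.json."""
    return {m.parent.parent.name: json.loads(m.read_text())
            for m in ext_root.glob("*/*/manifest.json")}

def diff_inventory(baseline: dict, current: dict) -> list[str]:
    """Return one finding per change that should trigger a security assessment."""
    findings = []
    for ext_id, manifest in current.items():
        perms = set(manifest.get("permissions", []))
        if ext_id not in baseline:
            findings.append(f"{ext_id}: new extension {manifest.get('name')!r} installed")
            new_perms = perms
        else:
            old = baseline[ext_id]
            for field in ("name", "author", "version"):
                if old.get(field) != manifest.get(field):
                    findings.append(f"{ext_id}: {field} changed {old.get(field)!r} -> {manifest.get(field)!r}")
            new_perms = perms - set(old.get("permissions", []))
            if new_perms:
                findings.append(f"{ext_id}: permissions added {sorted(new_perms)}")
        risky = new_perms & HIGH_RISK_PERMISSIONS
        if risky:
            findings.append(f"{ext_id}: newly requests high-risk permission(s) {sorted(risky)}")
    for ext_id in baseline.keys() - current.keys():
        findings.append(f"{ext_id}: extension removed")
    return findings

# Constructed sample manifests (placeholder ids and vendors): the "AI marketing"
# extension ships an update that quietly adds the management permission.
BASELINE = {
    "aaaa": {"name": "AI Marketing Helper", "author": "example-vendor", "version": "1.0", "permissions": ["storage"]},
    "bbbb": {"name": "1Password", "author": "example-pw-vendor", "version": "2.0", "permissions": ["storage", "tabs"]},
}
CURRENT_SCAN = {
    "aaaa": {"name": "AI Marketing Helper", "author": "example-vendor", "version": "1.1", "permissions": ["storage", "management", "tabs"]},
    "bbbb": {"name": "1Password", "author": "example-pw-vendor", "version": "2.0", "permissions": ["storage", "tabs"]},
}
for line in diff_inventory(BASELINE, CURRENT_SCAN):
    print(line)
```

On a real host, replace the constructed dictionaries with `load_manifests(Path.home() / ".config/google-chrome/Default/Extensions")` for the current scan and a JSON dump of an earlier scan for the baseline.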

Link(s):
https://labs.sqrx.com/polymorphic-extensions-dd2310006e04