Cybersecurity experts have unveiled a new method that enables a malicious web browser extension to mimic any installed add-on. “The polymorphic extensions create a pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension,” SquareX said in a report published last week.
The stolen credentials could be exploited by attackers to take over online accounts and access sensitive personal and financial data without authorization. This vulnerability impacts all Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, and others.
The technique leverages the common practice of users pinning extensions to their browser toolbars. In a potential attack scenario, cybercriminals could release a polymorphic extension on the Chrome Web Store (or any extension marketplace) disguised as a useful tool.
While the add-on performs its advertised functions to avoid raising suspicion, it secretly activates its malicious features by scanning for web-accessible resources belonging to specific target extensions, a method known as web resource hitting, to learn which of those targets are installed.
Once a target extension is detected, the polymorphic attack progresses to the next phase, transforming the rogue extension into a copy of the legitimate one. This is achieved by altering the rogue extension’s icon to match that of the target and temporarily disabling the genuine add-on using the “chrome.management” API, which results in its removal from the toolbar.
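The two extension properties the technique relies on are visible in each add-on's manifest: the "management" permission (required to call chrome.management and disable other extensions) and statically addressable web_accessible_resources (what makes an extension detectable from a web page). The following audit script is an added example written for this article, not code from SquareX or from the report; the sample manifests are constructed, and the profile-directory layout assumed is Chromium's Extensions/<id>/<version>/manifest.json.

```python
import json
from pathlib import Path

# Constructed sample manifests (not real extensions) showing the two
# properties that matter for the polymorphic-extension technique.
SAMPLE_MANIFESTS = {
    "helpful-tool": {
        "manifest_version": 3,
        "name": "Helpful Tool",
        "permissions": ["storage", "management"],  # can disable other add-ons
        "web_accessible_resources": [],
    },
    "password-vault": {
        "manifest_version": 3,
        "name": "Password Vault",
        "permissions": ["storage"],
        # Static path: any page can probe chrome-extension://<id>/logo.png
        "web_accessible_resources": [{"resources": ["logo.png"], "matches": ["<all_urls>"]}],
    },
    "legacy-notes": {
        "manifest_version": 2,
        "name": "Legacy Notes",
        "permissions": ["tabs"],
        "web_accessible_resources": ["icon.png", "popup.css"],  # MV2 form: bare paths
    },
}

def fingerprintable_resources(manifest):
    """Return web-accessible resource paths reachable at a stable URL."""
    exposed = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):                      # MV2: plain paths, always static
            exposed.append(entry)
        elif isinstance(entry, dict) and not entry.get("use_dynamic_url", False):
            exposed.extend(entry.get("resources", []))  # MV3 without a dynamic URL
    return exposed

def audit_manifest(manifest):
    """Summarise the risk-relevant properties of one extension manifest."""
    perms = set(manifest.get("permissions", []))
    return {
        "name": manifest.get("name", "?"),
        "can_disable_extensions": "management" in perms,
        "fingerprintable_resources": fingerprintable_resources(manifest),
    }

def audit_profile(extensions_dir):
    """Audit every manifest.json under a Chromium profile's Extensions directory."""
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in Path(extensions_dir).glob("*/*/manifest.json")]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS.values():
        print(audit_manifest(m))
```

An MV3 extension can set "use_dynamic_url": true on its web_accessible_resources entries so that the probe URL changes per session, which removes it from the fingerprintable list; extensions flagged with the management permission deserve review before being allowed on managed browsers.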
“The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation,” SquareX said. “In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with.”
These findings follow a recent disclosure by the company regarding another polymorphic attack technique called Browser Syncjacking, which allows attackers to gain control of a victim’s device through a seemingly harmless browser extension.