Article Details

Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials. Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on. "The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX said in a report published last week. The harvested credentials could then be abused by the threat actors to hijack online accounts and gain unauthorized access to sensitive personal and financial information. The attack affects all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The approach banks on the fact that users commonly pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension marketplace) and disguise it as a utility. While the add-on provides the advertised functionality so as to not arouse any suspicion, it activates the malicious features in the background by actively scanning for the presence of web resources that correlate to specific target extensions using a technique called web resource hitting. Once a suitable target extension is identified, the attack moves to the next stage, causing it to morph into a replica of the legitimate extension. This is accomplished by changing the rogue extension's icon to match that of the target and temporarily disabling the actual add-on via the "chrome.management" API, which leads to it being removed from the toolbar. "The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation," SquareX said. "In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with." The findings come a month after the company also disclosed another attack method called Browser Syncjacking that makes it possible to seize control of a victim's device by means of a seemingly innocuous browser extension.