Ethical Hacking News
Malicious Chrome extensions have evolved to impersonate legitimate password managers, crypto wallets, and banking apps in a new attack mechanism that highlights the growing need for enhanced security measures. According to SquareX Labs, Google must act swiftly to implement defenses against such threats.
- Malicious Chrome extensions can impersonate legitimate password managers, crypto wallets, and banking apps using a "polymorphic" attack.
- The attack begins with the submission of malicious extensions to Chrome's Web Store, tricking victims into installing and pinning them to their browser.
- The 'chrome.management' API is exploited to gain access to sensitive information and impersonate legitimate extensions.
- Alternative approach: malicious scripts inject themselves onto web pages visited by users, targeting specific files or URLs unique to legitimate extensions.
- Attackers commandeer malicious polymorphic extensions to morph into the likeness of the targeted extension, deceiving users into believing they are interacting with a legitimate app.
- Google is urged to implement defenses against such attacks, including blocking abrupt changes to the icons and HTML of installed extensions.
- The 'chrome.management' API is incorrectly classified as "medium risk," highlighting the need for more stringent security measures.
SquareX Labs, a prominent cybersecurity research organization, has recently uncovered a sophisticated new attack mechanism that enables malicious Chrome extensions to impersonate legitimate password managers, crypto wallets, and banking apps. This groundbreaking finding sheds light on a previously unknown vulnerability in Google's Chrome browser, highlighting the ever-evolving nature of cyber threats.
According to SquareX Labs' researchers, this "polymorphic" attack allows malicious Chrome extensions to morph into browser extensions that mimic the behavior and appearance of legitimate password managers, such as 1Password or LastPass. This sophisticated deception technique can potentially lead to a plethora of consequences for users, including credential theft, phishing attempts, and further compromise of sensitive information.
The attack begins with the submission of the malicious polymorphic extension to Chrome's Web Store. In the example studied by SquareX Labs' researchers, the extension posed as an AI marketing tool and tricked victims into installing it and pinning it to their browser toolbar. Once installed, the malicious extension uses various tactics to gain access to sensitive information, including exploiting the 'chrome.management' API.
The 'chrome.management' API, which is intended to let extensions manage other installed extensions, becomes a critical entry point for the attacker. By abusing this API, a malicious extension can obtain the list of other extensions installed in the user's browser. This allows attackers to identify which legitimate extension to impersonate, potentially leading to further deception and exploitation.
However, SquareX Labs' researchers identified an alternative approach that doesn't rely on the 'chrome.management' API. In this scenario, malicious scripts inject themselves into web pages visited by the user and attempt to load specific files or URLs that are unique to legitimate extensions. If such a file loads successfully, the script can conclude that the targeted extension is installed.
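The fingerprinting approach described above works because an extension's web-accessible resources can be loaded by ordinary web pages. The following is an added example, not code from SquareX Labs or the article, that audits a Chrome extension manifest from the extension developer's side and flags resources that any origin can probe; the sample manifest and its paths are constructed, and the MV3 fields it inspects ("resources", "matches", "use_dynamic_url") are part of the documented manifest format.

```javascript
// Added example (not from the article): audit a Chrome extension manifest for
// web_accessible_resources that any web page can load. A page that can load
// such a fixed path learns that the extension is installed, which is the
// fingerprinting step the attack relies on. All sample data is constructed.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns one finding per probeable resource; an empty list means no resource
// is exposed to every origin by a fixed URL.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2: a flat array of paths, reachable from every origin.
    for (const path of war) {
      findings.push({ resource: path, reason: "MV2 resource is exposed to all origins" });
    }
    return findings;
  }
  // MV3: each entry carries its own origin allow-list ("matches") and may opt
  // into per-session URLs ("use_dynamic_url"), which defeats probing by fixed path.
  for (const entry of war) {
    const matches = entry.matches || [];
    const broad = matches.filter((m) => BROAD_MATCHES.has(m));
    if (broad.length > 0 && !entry.use_dynamic_url) {
      for (const path of entry.resources || []) {
        findings.push({ resource: path, reason: `exposed to ${broad.join(", ")} without use_dynamic_url` });
      }
    }
  }
  return findings;
}

// Constructed sample: one entry exposed to every site (flagged), one scoped to
// a single origin (not flagged), one using a dynamic URL (not flagged).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Password Manager",
  web_accessible_resources: [
    { resources: ["icons/logo.png"], matches: ["<all_urls>"] },
    { resources: ["inject/fill.js"], matches: ["https://vault.example.com/*"] },
    { resources: ["ui/popup.html"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

for (const f of auditWebAccessibleResources(SAMPLE_MANIFEST)) {
  console.log(`${f.resource}: ${f.reason}`);
}
```

Narrowing "matches" to the origins that actually need the resource, or enabling "use_dynamic_url", removes the stable URL a page would otherwise probe.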
Once an attacker identifies a targeted extension, they commandeer the malicious polymorphic extension to morph into its likeness, complete with its icon, name, and behavior. This enables attackers to deceive users into believing they are interacting with their legitimate password manager or other sensitive application.
SquareX Labs' researchers demonstrated the attack by impersonating 1Password: the malicious extension first disables the legitimate one, either through the 'chrome.management' API or through user interface manipulation, then switches its own icon and name to mimic 1Password and opens a fake login popup that resembles the real one.
In an effort to force users into entering their credentials, attackers prompt them with a "Session Expired" message, prompting the victim to log back in through a phishing form that sends inputted credentials back to the attackers. After successfully stealing sensitive information, the malicious extension reverts to its original appearance, and the real extension is re-enabled, leaving everything appearing normal once again.
In light of this new attack mechanism, SquareX Labs' researchers urge Google to implement specific defenses against such attacks. These include blocking abrupt changes to the icons and HTML of installed extensions, or at least notifying users when such changes happen. As of now, there are no measures in place to prevent this kind of deceptive impersonation by malicious Chrome extensions.
Furthermore, the researchers note that Google classifies the 'chrome.management' API as only "medium risk," even though it is widely used by popular extensions such as page stylers, ad blockers, and password managers. They argue that this classification is incorrect and highlights the need for more stringent security measures to safeguard user data from this kind of attack.
BleepingComputer contacted Google regarding this issue but has yet to receive a response at the time of writing. As with many cybersecurity issues, awareness is key to preventing these kinds of attacks. Users must remain vigilant and up-to-date on the latest security patches and updates for their Chrome browser.
In conclusion, malicious Chrome extensions can now impersonate legitimate password managers in new attack mechanisms. This highlights the need for Google to take immediate action to implement necessary defenses against such threats. The ever-evolving nature of cyber threats emphasizes the importance of ongoing vigilance from users to safeguard sensitive information in this digital landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Chrome-Extensions-A-New-Layer-of-Deception-in-the-Digital-Landscape-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-can-spoof-password-managers-in-new-attack/
Published: Thu Mar 6 10:38:00 2025 by llama3.2 3B Q4_K_M