March 6, 2025 By Bill Toulas

A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.
The attack was devised by SquareX Labs, which warns of its practicality and feasibility on the latest version of Chrome. The researchers have responsibly disclosed the attack to Google.
Shape-shifting Chrome extensions
The attack begins with the submission of the malicious polymorphic extension to the Chrome Web Store.
SquareX's example is an AI marketing tool that delivers the promised functionality, which tricks victims into installing the extension and pinning it in their browser.
To get a list of other installed extensions, the malicious extension abuses the 'chrome.management' API, which it was given access to during installation.
If the malicious extension doesn't have this permission, SquareX says there's a second, stealthier way to achieve the same, involving resource injection onto web pages the victim visits.
The malicious script attempts to load a specific file or URL unique to targeted extensions, and if it loads, it can be concluded that the extension is installed.
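
From the defender's side, both enumeration paths described above can be checked in extension manifests. The following audit is an added example, not code from SquareX or this article. It flags extensions that request the 'management' permission, and extensions whose web-accessible resources any page can load at a fixed path. It assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`; the `BROAD_MATCHES` heuristic and the sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Heuristic (assumption): match patterns that expose a resource to essentially any page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings for the two enumeration paths: management API and resource probing."""
    perms = set()
    for key in ("permissions", "optional_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    probeable = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            # Manifest V2: every listed resource is loadable by any web page.
            probeable.append(entry)
        elif isinstance(entry, dict):
            # Manifest V3: exposure depends on "matches"; use_dynamic_url serves
            # the resource only under a per-session ID, so a fixed path fails.
            broad = BROAD_MATCHES & set(entry.get("matches", []))
            if broad and not entry.get("use_dynamic_url", False):
                probeable.extend(entry.get("resources", []))
    return {
        "name": manifest.get("name", "?"),
        "can_list_extensions": "management" in perms,
        "probeable_resources": sorted(probeable),
    }

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory."""
    results = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results[path.parts[-3]] = audit_manifest(manifest)
    return results

# Constructed sample manifests (not real extensions).
SAMPLES = [
    {"manifest_version": 3, "name": "AI Marketing Helper", "permissions": ["management", "storage"]},
    {"manifest_version": 3, "name": "Example Vault", "permissions": ["storage"],
     "web_accessible_resources": [{"resources": ["img/logo.png"], "matches": ["<all_urls>"]}]},
    {"manifest_version": 3, "name": "Example Wallet", "permissions": ["storage"],
     "web_accessible_resources": [{"resources": ["inpage.js"], "matches": ["<all_urls>"],
                                   "use_dynamic_url": True}]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```
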