Polymorphic Extensions: A New Cyber Threat Impersonating Your Add-Ons

In a recent revelation, cybersecurity researchers from sqrx.com have uncovered a sophisticated attack method that enables malicious browser extensions to impersonate legitimate ones, posing significant risks to user security and privacy.  This article will describe the attack and some telltale signs to watch out for to help you protect yourself from harm.​

Understanding the Polymorphic Extension Attack

This novel technique allows a malicious web browser extension to morph into any installed add-on in real-time. The rogue extension creates a pixel-perfect replica of the target’s icon, HTML popup, and workflows, even temporarily disabling the legitimate extension. This deception is highly convincing, leading victims to believe they are interacting with the authentic extension.

The attack primarily targets Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera. Users often pin extensions to the browser’s toolbar for easy access. Attackers exploit this behavior by publishing a polymorphic extension disguised as a utility. While the add-on provides the advertised functionality to avoid suspicion, it activates malicious features in the background. It scans for the presence of web resources that correlate to specific target extensions using a technique called web resource hitting.

Once a suitable target extension is identified, the malicious extension morphs into a replica of the legitimate one. This involves changing the rogue extension’s icon to match that of the target and temporarily disabling the actual add-on via the “chrome.management” API, leading to its removal from the toolbar.

Implications of the Attack

The harvested credentials can be abused by threat actors to hijack online accounts and gain unauthorized access to sensitive personal and financial information. This attack exploits the human tendency to rely on visual cues as confirmation, making it extremely effective.  In the video below, the researchers show this attack prompting a user to re-authenticate to their 1Password password manager, and it includes the requirement for your secret key (something you should not do without absolute certainty).

Mitigation Measures

To protect against such polymorphic extension attacks, users and organizations should consider the following measures:​

• Limit and Scrutinize Extensions Before Installation: Only install extensions from reputable sources and developers. Research each extension for viability and user feedback.  Never install brand new extensions never seen before, no matter what they purport to do.
• Regularly Review Installed Extensions: Periodically check the list of installed extensions and remove any that are no longer needed or appear suspicious.​
• Limit Extension Permissions: Be cautious of extensions that request extensive permissions, especially those that can read and change data on websites you visit.​
• Utilize Security Solutions: Employ Endpoint Detection and Response (EDR) security software such as advanced EDR ​solution.  These now include Browser Security Control services that specifically detect and block malicious extensions.
• Stay Informed: Keep abreast of the latest security advisories and updates related to browser extensions and apply necessary patches promptly.​
• Pay close attention: in the example video from SQRX.com they show a pop-up message from 1Password stating you have been logged out of your extension before prompting you to provide abnormal login credentials which included your Recovery Key.  This is only required during new installations on new devices, not something you would be prompted for from 1Password outside of a fresh install.  Pay attention.

Browser developers are also encouraged to enhance security measures by implementing restrictions on abrupt extension icon and HTML changes or at least notifying users when such changes occur. This proactive approach can help mitigate the risks associated with polymorphic extension attacks.

As the cybersecurity landscape continues to evolve, staying informed and adopting robust security practices are essential to safeguarding against emerging threats like polymorphic extension attacks.

Polymorphic Extension Attack: 1Password Password Manager

Secure your business with CyberHoot Today!!!

Sign Up Now

Not ready to sign up yet, but want to learn more? Attend our monthly webinar to see a demo of CyberHoot, ask questions, and learn what’s new.  Click the Green Box below to Register.  You want to, I can feel it!

Webinar Registration

 Additional Reading:

• The Hacker News: Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials
• BleepingComputer: Malicious Chrome extensions can spoof password managers in new attack