
Google Chrome Warning—One Click To Lose All Your Passwords

By Press Room | 6 March 2025 | 5 Mins Read

As “sneaky” attacks go, this one takes some beating. A new report warns that a fundamental vulnerability in the way Google Chrome and other Chromium browsers work puts password managers, crypto wallets and other sensitive data at risk. A single click on a malicious prompt could cost you all your passwords. And the same attack can break into banking apps, crypto wallets and file stores.


The report comes by way of SquareX, whose research team “discovered a way for malicious extensions to silently impersonate any extension installed on the victim’s browser.” The company’s CEO warned me that “solving this will require a major overhaul to ensure that such attacks are not possible.” In short, users are tricked into installing benign extensions for their browser which perform useful tasks as expected. But once installed, the extension changes its form and icon to perfectly mimic any of your most sensitive apps. When you next click, you fall victim.

“Imagine that your AI transcriber tool shapeshifts into your password manager,” the report says, “then your crypto wallet and finally into your banking app — all without your knowledge. This is exactly what polymorphic extensions can do.”

These replica extensions are frighteningly good. Just as with other attacks, AI makes detection immeasurably harder. “A pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension. These credentials can then be used by attackers to access all the sensitive information, credentials and financial assets stored in the victim’s account.”

SquareX’s report sets out the methodology whereby an entire password vault can be stolen. Step by step. And all it takes is a misjudged click.

“1. Attacker creates and publishes the polymorphic extension on Chrome Store, disguised as an AI marketing tool.

2. Through various social engineering tactics (e.g. social media), the victim discovers and installs the extension from Chrome Store.

3. During the installation process, a popup appears to prompt the user to pin the extension for a better experience.

4. The extension functions as promised, providing AI marketing capabilities to the victim to stay under the radar.”

With that killer click, the attack determines “which extension to impersonate.” The trojan extension should not be able to report back on other extensions installed — but it can. “While direct monitoring of other extensions is banned by the Chrome extension subsystem, there are other ways that this can happen. The first way is to use the chrome.management API, an API used by many admin tools to manage installed applications, including browser extensions. The second, more stealthy way, is to use a technique called web resource hitting to identify the presence of unique web resources associated with known target extensions.”

SquareX uses the example of popular 1Password. “Detecting a PNG file containing 1Password’s logo likely means that the password manager is installed in the victim’s browser.” With that done, the next stage of the attack can begin:

“5. The malicious extension injects a script into any open tab in the victim’s browser, which instructs the webpage to check for the presence of web resources that correlate to specific target extensions, in this case 1Password.

6. The results from this web resource hitting exercise is sent back to the attacker’s server. If a target is identified, the attacker will proceed to phase 3. If not, the polymorphic extension will remain dormant, periodically injecting the same script until a suitable target gets installed.

7. The victim lands on the login page of a SaaS app (e.g. Salesforce) and clicks on the login form.

8. This triggers the polymorphic extension to:

  • Temporarily disable 1Password, removing it from the pinned tab
  • Impersonate 1Password, most importantly its icon on the pinned tab

9. A HTML popup appears that says the victim is logged out of 1Password and prompts the victim to re-login into 1Password through the extension.

10. The victim clicks on the fake extension’s icon, opening up a pixel perfect replica of 1Password’s login page.

11. Unknowingly, the victim enters their username, password and secret key, which is sent to the attacker’s server.

12. Once the credentials are submitted, the polymorphic extension shifts back to its original appearance and re-enables 1Password.

13. The real 1Password autofills the victim’s Salesforce credentials, allowing them to log in without any suspicion that the sequence has been tampered with.”

All of the passwords stored in the password manager can now be used to log into other platforms, “to exfiltrate data or even impersonate the victim to propagate phishing campaigns to the victim’s contacts.”

This isn’t just a password attack, of course. The same approach can be used to initiate crypto wallet transfers, access a victim’s banking apps, and steal documents. The research team point to “the human tendency to rely on visual cues as a confirmation” as the reason the threat from this new attack is so dangerous. Clearly, the risk lies in the initial extension installation and then the single click prompt. This is just the latest extension warning to hit users in recent months.
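A defender-side check for the capabilities described above, as an added example that is not from SquareX's report or the original article: it audits extension manifests for the `management` permission combined with all-site access, and flags extensions whose web-accessible resources any page can probe. The sample manifests and the finding names are constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
SAMPLE_HELPER = {"manifest_version": 3, "name": "Sample AI helper",
                 "permissions": ["management", "scripting", "storage"],
                 "host_permissions": ["<all_urls>"]}
SAMPLE_VAULT = {"manifest_version": 3, "name": "Sample vault",
                "permissions": ["storage"],
                "web_accessible_resources": [
                    {"resources": ["images/logo.png"], "matches": ["<all_urls>"]}]}

def _strings(values):
    return {v for v in values or [] if isinstance(v, str)}

def audit_manifest(manifest):
    """Return sorted finding codes (names are this example's own) for one manifest."""
    perms = (_strings(manifest.get("permissions"))
             | _strings(manifest.get("optional_permissions")))
    # MV3 lists hosts separately; MV2 mixes them into "permissions".
    hosts = (perms | _strings(manifest.get("host_permissions"))
             | _strings(manifest.get("optional_host_permissions")))
    for script in manifest.get("content_scripts") or []:
        hosts |= _strings(script.get("matches"))
    findings = set()
    if "management" in perms:      # can list and enable/disable other extensions
        findings.add("management")
    if hosts & BROAD:              # host access to every site
        findings.add("all-sites")
    if {"management", "all-sites"} <= findings:
        findings.add("review-first")
    for entry in manifest.get("web_accessible_resources") or []:
        # MV2 entries are plain paths readable by any page; MV3 entries scope by "matches".
        if isinstance(entry, str) or (_strings(entry.get("matches")) & BROAD
                                      and not entry.get("use_dynamic_url")):
            findings.add("probeable")  # presence can be detected from a web page
    return sorted(findings)

def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if findings:
            report[path.parts[-3]] = findings
    return report
```

Point `audit_profile` at the `Extensions` folder of a Chrome profile directory; extensions with no findings are left out of the report.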


While this isn’t just a Chrome issue, that browser remains the gorilla in the cage when it comes to Chromium, dominating the market. SquareX says that “given that the attack exploits a legitimate functionality in Chrome, this attack cannot be solved by patching the browser. We have, however, written to Chrome for responsible disclosure.”

I have asked Google for any comments on the new report.

“Millions of people rely on browser extension based password managers and crypto wallets to store valuable credentials and assets,” SquareX’s Vivek Ramachandran told me. “These credentials can then provide the attacker full unauthorized access to the target extension and do everything from exfiltrating all credentials stored in the password manager to emptying the victim’s crypto wallet.”
