
SquareX Introduces Polymorphic Extensions to Transform Infostealers into Any Browser Extension


Palo Alto, Singapore, March 6th, 2025 – Browser extensions have emerged as a significant security threat following a series of recent attack disclosures, including Browser Syncjacking and extension infostealers. The research team at SquareX has uncovered a new class of malicious extensions capable of impersonating any extension installed on a victim’s browser, such as password managers and crypto wallets. This sophisticated attack method is designed to deceive users into entering their credentials and sensitive information by mimicking the appearance of legitimate extensions.

These malicious extensions, known as polymorphic extensions, exploit the way users interact with extensions through the browser toolbar. The attack begins with the user innocently installing what appears to be a benign extension, which may initially function as advertised to avoid suspicion. However, behind the scenes, the malicious extension starts analyzing the victim’s browser to identify other extensions installed. Once identified, the polymorphic extension undergoes a transformation to mirror the appearance of the target extension, including changing the icon displayed on the toolbar. This visual deception makes it difficult for users to distinguish between the legitimate and fake extensions, increasing the likelihood of falling victim to the attack.

The implications of this attack are far-reaching, as the polymorphic extension can mimic various types of extensions, including password managers and crypto wallets. By tricking users into entering their master password or authorization credentials, the attacker can gain access to sensitive information and financial assets stored in these tools. Additionally, popular extensions like developer tools and banking applications are also potential targets, posing a significant risk to organizations and individuals alike.

One alarming aspect of this attack is that it only requires medium-risk permissions, making it challenging for security teams to identify malicious intent based on the extension’s code alone. This complexity underscores the need for a browser-native security solution to detect and respond to such attacks effectively. Vivek Ramachandran, the founder of SquareX, emphasizes the urgency of addressing the risks posed by browser extensions, highlighting the importance of proactive security measures to safeguard against evolving threats.

SquareX has engaged with Chrome for responsible disclosure of this vulnerability, recommending measures such as user alerts for extension icon changes and enhanced visibility into changes in HTML elements. These proactive steps aim to prevent attackers from leveraging polymorphic techniques to impersonate legitimate extensions successfully. The company advocates for dynamic analysis of extension behavior at runtime to detect polymorphic tendencies in malicious extensions, emphasizing the need for advanced security measures beyond static analysis and permissions-based policies.
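As an added example (not code from SquareX, Chrome or the original release), the check below applies the icon-change alerting idea at the level a fleet administrator can reach from outside the browser: it fingerprints each installed extension from its on-disk package, assuming Chrome's Extensions/<id>/<version>/manifest.json layout, and diffs a saved baseline against the current state to flag renamed, re-iconed or newly installed extensions and any two extensions whose icon bytes are identical. The extension ids, names and icon bytes used in demo() are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def fingerprint_extension(ext_dir):
    """Name plus SHA-256 of every icon file the manifest declares, for one unpacked extension."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    icons = {size: hashlib.sha256((ext_dir / rel).read_bytes()).hexdigest()
             for size, rel in manifest.get("icons", {}).items() if (ext_dir / rel).is_file()}
    return {"name": manifest.get("name", ""), "icons": icons}

def inventory(root):
    """Map extension id -> fingerprint, assuming Chrome's Extensions/<id>/<version>/ layout."""
    inv = {}
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        inv[manifest.parent.parent.name] = fingerprint_extension(manifest.parent)  # last version wins
    return inv

def diff_inventory(baseline, current):
    """Alerts for new, renamed or re-iconed extensions, and for two ids sharing identical icon bytes."""
    alerts = []
    for ext_id, fp in current.items():
        old = baseline.get(ext_id)
        if old is None:
            alerts.append(f"NEW {ext_id} ({fp['name']})")
            continue
        if old["name"] != fp["name"]:
            alerts.append(f"RENAMED {ext_id}: {old['name']!r} -> {fp['name']!r}")
        if old["icons"] != fp["icons"]:
            alerts.append(f"ICON_CHANGED {ext_id} ({fp['name']})")
    owner = {}  # icon digest -> first extension id seen carrying it
    for ext_id, fp in current.items():
        for digest in set(fp["icons"].values()):
            if owner.setdefault(digest, ext_id) != ext_id:
                alerts.append(f"ICON_COLLISION {ext_id} looks like {owner[digest]}")
    return alerts

def demo():
    """Constructed scenario: an installed helper is updated so its name and icon copy a wallet."""
    root = Path(tempfile.mkdtemp())
    def write(ext_id, name, icon_bytes):  # constructed ids, names and icon bytes, not real ones
        d = root / ext_id / "1.0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "icons": {"16": "icon.png"}}))
        (d / "icon.png").write_bytes(icon_bytes)
    write("aaaa", "Example Wallet", b"WALLET-ICON")
    write("bbbb", "Harmless Helper", b"HELPER-ICON")
    baseline = inventory(root)
    write("bbbb", "Example Wallet", b"WALLET-ICON")  # the update that imitates the wallet
    return diff_inventory(baseline, inventory(root))
```

Run inventory() against a real profile's Extensions directory on a schedule and persist the baseline as JSON to compare against. An icon that an extension swaps at runtime through the browser's extension API never touches the package on disk, so this audit complements rather than replaces the runtime behavioural analysis the release calls for.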

To learn more about polymorphic extensions and the findings from SquareX’s research, visit https://sqrx.com/polymorphic-extensions. SquareX’s Browser Detection and Response (BDR) solution offers a comprehensive approach to browser security, protecting enterprise users against a range of advanced threats, including malicious extensions and other client-side web attacks.

For organizations seeking to enhance their browser security posture and defend against evolving threats, SquareX provides a cutting-edge solution to detect, mitigate, and threat-hunt malicious activities in real-time. With a focus on proactive defense measures and attack-focused security strategies, SquareX empowers enterprises to protect their users and critical assets from sophisticated cyber threats.

Contact Information:
Head of PR
Junice Liew
SquareX
[email protected]

