By Tehniyat Zafar ⏐ 4 months ago ⏐ 3 min read
Malicious Chrome Extensions Can Impersonate Password Managers In New Cyber Threat

Cybersecurity researchers have uncovered a new type of attack that enables malicious Chrome extensions to disguise themselves as legitimate ones, including password managers, cryptocurrency wallets, and banking apps, to steal sensitive user information.

The technique, demonstrated by SquareX Labs, is polymorphic: the malicious extension changes its appearance and behaviour at runtime to impersonate a trusted extension. SquareX reported the issue to Google, noting that the attack works on the current version of Chrome.

How the Attack Works

The malicious extension is published to the Chrome Web Store disguised as a useful tool, in the researchers' scenario an AI-powered marketing helper. Once a user installs and pins it, the extension begins scanning the browser for targets.

SquareX explained that the attack abuses the ‘chrome.management’ API, which lets an extension enumerate and control the other extensions installed in the browser. If that permission is not granted, the extension falls back to a stealthier approach: it injects scripts into web pages that detect target extensions by trying to load files and URL patterns unique to each of them.

The resulting list of installed extensions is sent to an attacker-controlled server. When the malicious extension finds a high-value target, such as a password manager, it transforms itself into a copy of that target.

Mimicking Trusted Extensions

The researchers built a proof of concept that impersonates the 1Password password manager extension.

  • The malicious extension disables the official 1Password extension through the ‘chrome.management’ API. If it lacks that permission, it falls back to manipulating the user interface instead.
  • The malicious extension then changes its icon and other visual elements to closely match 1Password's.
  • It displays a fake 1Password login pop-up that looks identical to the real one.
  • When the victim next tries to log in to a website, they are shown a “Session Expired” message. Believing their 1Password session has ended, they enter their login credentials into the fake form.
  • The stolen credentials are sent to the attacker's server. Once the process is complete, the extension reverts to its original appearance so that the swap goes unnoticed.
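The enumeration-and-disable steps above leave a trace that a defender can look for: a sensitive extension goes from enabled to disabled while some other installed extension holds the “management” permission that chrome.management.setEnabled() requires. The following is an added example written for this page, not SquareX's proof of concept, Chrome code or 1Password code. It works on plain objects shaped like the ExtensionInfo records that chrome.management.getAll() returns (id, name, enabled, permissions, installType); a monitoring extension with the management permission could feed it two real snapshots, while here the snapshots, extension IDs and the list of sensitive name patterns are constructed for the example.

```javascript
// Added example (not SquareX's PoC, not Chrome or 1Password code).
// Pure functions over plain objects shaped like chrome.management ExtensionInfo.
// All extension IDs and snapshots below are constructed sample data.

// Name patterns that mark an extension as a high-value target (assumed list).
const SENSITIVE_NAME_PATTERNS = [/password/i, /bitwarden/i, /lastpass/i, /wallet/i, /metamask/i];

function isSensitive(ext) {
  return SENSITIVE_NAME_PATTERNS.some((re) => re.test(ext.name));
}

// Only extensions granted the "management" permission can call
// chrome.management.setEnabled(), so they are the only programmatic
// candidates for having disabled another extension.
function canManageExtensions(ext) {
  return Array.isArray(ext.permissions) && ext.permissions.includes("management");
}

// Compare two getAll() snapshots. Returns one finding per sensitive extension
// that was enabled in `before` and is disabled or gone in `after`, listing the
// enabled extensions in `after` that could have done it programmatically.
function findSuspiciousDisables(before, after) {
  const afterById = new Map(after.map((e) => [e.id, e]));
  const findings = [];
  for (const prev of before) {
    if (!prev.enabled || !isSensitive(prev)) continue;
    const cur = afterById.get(prev.id);
    if (cur && cur.enabled) continue; // still enabled, nothing to report
    findings.push({
      victimId: prev.id,
      victimName: prev.name,
      state: cur ? "disabled" : "uninstalled",
      suspects: after
        .filter((e) => e.enabled && e.id !== prev.id && canManageExtensions(e))
        .map((e) => ({ id: e.id, name: e.name, installType: e.installType })),
    });
  }
  return findings;
}

// Constructed snapshots: the password manager is on, then it is off while the
// "marketing helper" (which requested the management permission) stays on.
const ID_1PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // made-up ID
const ID_HELPER = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; // made-up ID
const ID_ADBLOCK = "cccccccccccccccccccccccccccccccc"; // made-up ID

const SNAPSHOT_BEFORE = [
  { id: ID_1PASSWORD, name: "1Password - Password Manager", enabled: true, permissions: ["tabs", "storage"], installType: "normal" },
  { id: ID_HELPER, name: "AI Marketing Helper", enabled: true, permissions: ["management", "storage", "tabs"], installType: "normal" },
  { id: ID_ADBLOCK, name: "Example Ad Blocker", enabled: true, permissions: ["management", "webRequest"], installType: "normal" },
];

const SNAPSHOT_AFTER = [
  { id: ID_1PASSWORD, name: "1Password - Password Manager", enabled: false, permissions: ["tabs", "storage"], installType: "normal" },
  { id: ID_HELPER, name: "AI Marketing Helper", enabled: true, permissions: ["management", "storage", "tabs"], installType: "normal" },
  { id: ID_ADBLOCK, name: "Example Ad Blocker", enabled: true, permissions: ["management", "webRequest"], installType: "normal" },
];

function demo() {
  return findSuspiciousDisables(SNAPSHOT_BEFORE, SNAPSHOT_AFTER);
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats apply. The check cannot distinguish a programmatic disable from the user clicking the toggle on chrome://extensions, so it is a triage signal rather than proof. And, as the sample shows, a legitimate ad blocker that also holds the management permission lands on the suspect list alongside the malicious helper; the heuristic narrows the field to extensions able to perform the disable, which a defender then reviews by install source and reputation.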

Google has not yet implemented specific safeguards against this attack. SquareX has proposed countermeasures such as blocking rapid changes to an extension's icon and other interface elements, and alerting users whenever an extension's interface changes.

The SquareX team also disputes Google's classification of the ‘chrome.management’ API as “medium risk”, arguing that it poses a serious danger to extension users. The API is widely used by legitimate extensions, including password managers and ad blockers, so a malicious extension requesting it does not stand out, and it gives attackers an easy way to locate desirable targets.