Google Chrome at risk from shape-shifting browser extensions — how to stay safe
New polymorphic attack allows malicious extensions to impersonate legitimate ones

Just like malicious apps on your smartphone, malicious browser extensions can put your devices and the sensitive data stored in your browser at serious risk.
The problem with malicious browser extensions is that, unlike with the apps on your phone, you never see them after installation unless you go into Chrome’s Manage Extensions menu. If these harmful extensions weren’t a big enough problem already, a new polymorphic attack allows them to instantly transform their appearance to mimic the legitimate ones installed in your browser.
As reported by BleepingComputer, the cybersecurity company SquareX Labs devised this new attack as a proof of concept. If it ended up in the hands of hackers, though, it could be really dangerous as malicious extensions could then be used to impersonate the best password managers and other extensions for banking apps, crypto wallets and more, which all store loads of sensitive personal and financial data.
Here’s everything you need to know about this new polymorphic attack and some tips and tricks on staying safe from malicious extensions that are after your browser data.
Fooling the Chrome Web Store
To pull off this attack, a hacker, scammer or other cybercriminal would first need to submit a malicious extension with polymorphic capabilities to the Chrome Web Store. The extension itself would need to do exactly what its listing page describes for it to bypass Google’s stringent security checks, though.
Once installed, this bad extension then abuses Chrome’s own ‘chrome.management’ API to get a list of all of the other extensions installed in a victim’s browser. If it doesn’t have permission to access this API though, SquareX explains in a blog post that this can be achieved by using a malicious script to load a specific file or URL unique to the legitimate extensions that are being targeted.
From here, this list of installed extensions is then sent back to a hacker-controlled server. If one of the targeted extensions — like 1Password — is installed, the malicious extension then transforms to completely copy it. This includes changing its icon and name to match the real extension.
A fake login popup that impersonates the real extension then appears to trick victims into entering their credentials. Since some victims might not log in, this attack also uses a fake “Session Expired” prompt to make them think they’ve been logged out.
Now for the kicker. Once a victim has logged in and inadvertently given their credentials over to hackers (or, in this case, SquareX Labs' researchers), the malicious extension then changes back to its original appearance and the real extension is re-enabled. From a victim’s perspective, everything now looks normal, and they might not even realize they’ve been hacked.
Unfortunately, in this case, there’s no immediate fix for this attack since it’s using Chrome’s own API against it as opposed to exploiting a patchable vulnerability. SquareX has reached out to Google, though, and has recommended that the company implement specific defenses to protect against this attack.
As it stands now, no protective measures have been implemented by Google to stop a polymorphic browser extension attack like the one described above, but that could change soon. I’ll keep an eye out if and when a fix becomes available to update this story accordingly.
How to stay safe from malicious browser extensions
So, what can you do in the meantime to stay safe from malicious extensions? Well, there are a few steps you can take to avoid installing bad extensions in the first place.
For starters, you want to limit the overall number of extensions you have installed just like you should with the apps on your phone. Ask yourself if you really need an extension first before installing anything. Chances are you might be able to get the same functionality elsewhere without putting your browser data at risk.
If you find an extension you need to install, you will want to scrutinize its rating and reviews first. Since these can be faked, though, it’s also worth taking a close look at the extension’s developer and their past work.
To stay safe from malicious extensions spreading malware and other viruses, you should be using the best antivirus software on your Windows PC or the best Mac antivirus software on your Apple computer. As they can also steal your personal and financial data to commit fraud, it might also be worth investing in one of the best identity theft protection services as they can help you recover your identity and any lost funds after falling victim to a cyberattack.
Browser extensions can be extremely useful, but just like with other software, installing them comes with its own set of risks. If you’re careful online, picky about which extensions you install and take the time to periodically audit all of your existing extensions, you should be safe, though.
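One way to start that periodic audit is to check which installed extensions ask for the ‘chrome.management’ permission the attack relies on. The script below is an added example, not code from SquareX or the original article; the function names are made up for illustration, and it assumes Chrome’s usual on-disk layout of one manifest.json per extension ID and version inside the profile’s Extensions folder.

```python
import json
import tempfile
from pathlib import Path

# chrome.management lets an extension list, disable and re-enable the other
# installed extensions, which is the capability the attack above relies on.
RISKY = {"management"}

def audit_extensions(extensions_dir):
    """Flag extensions whose manifest requests a RISKY permission.
    Assumes Chrome's layout: <profile>/Extensions/<id>/<version>/manifest.json"""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        if not isinstance(manifest, dict):
            continue
        for key in ("permissions", "optional_permissions"):
            declared = manifest.get(key) or []
            # Keep only string permission names (manifests may hold other types).
            for perm in sorted(RISKY & {p for p in declared if isinstance(p, str)}):
                findings.append({
                    "id": path.parts[-3],
                    "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
                    "version": manifest.get("version", "?"),
                    "permission": perm,
                    "declared_in": key,
                })
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, one asking for 'management'."""
    samples = {
        "a" * 32: {"name": "Sample Notes", "version": "1.0",
                   "permissions": ["storage"]},
        "b" * 32: {"name": "Sample Helper", "version": "2.1",
                   "optional_permissions": ["management"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / (manifest["version"] + "_0")
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in audit_extensions(tmp):
            print(finding)
```

To audit a real browser, point audit_extensions() at the Extensions folder of your Chrome profile. A hit is a reason to look closer at that extension, not proof that it is malicious, since legitimate extension managers also request this permission.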
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.