Polymorphic Attack Targeting Browser Extensions to Steal Credentials

Cybersecurity researchers have uncovered a groundbreaking attack technique that enables a malicious web browser extension to mimic any installed add-on seamlessly. These polymorphic extensions can create pixel-perfect replicas of the target’s icon, HTML popup, workflows, and even temporarily disable the legitimate extension, making it highly convincing for victims.


The stolen credentials can then be exploited by threat actors to compromise online accounts and gain unauthorized access to sensitive personal and financial information. The attack targets all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others.

The strategy hinges on the fact that users commonly pin extensions to their browser’s toolbar. In a hypothetical scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any other extension marketplace) disguised as a utility. While the add-on provides the advertised functionality to avoid raising suspicion, it activates its malicious features in the background by actively scanning for web resources that correspond to specific target extensions using a technique known as web resource hitting.

Once a suitable target extension is identified, the attack proceeds to the next stage, morphing the rogue extension into a replica of the legitimate one. This is achieved by changing the malicious extension’s icon to match the target and temporarily disabling the actual add-on via the “chrome.management” API, which removes it from the toolbar.
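Web resource hitting works because a page can request `chrome-extension://<id>/<path>` for any path an extension lists under `web_accessible_resources`, and a successful load reveals that the extension is installed. The following is an added example, not code from the article or from the researchers: a small audit that an extension developer could run over their own `manifest.json` to flag entries that make this probing easy. It assumes Manifest V3's per-entry `use_dynamic_url` option (which replaces the stable extension ID in the resource URL with a per-session one) and uses constructed sample manifests.

```javascript
// Added example: audit an extension manifest for settings that make
// "web resource hitting" (fingerprinting via chrome-extension:// URLs) easy.
// Assumes Manifest V3, where each web_accessible_resources entry may set
// "use_dynamic_url": true so the resource is not reachable at a stable URL.

function auditWebAccessibleResources(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push('manifest_version is not 3: per-entry use_dynamic_url is unavailable');
    return findings;
  }
  const entries = manifest.web_accessible_resources || [];
  entries.forEach((entry, i) => {
    const where = `web_accessible_resources[${i}]`;
    // Without use_dynamic_url, any matching page can probe the stable URL.
    if (entry.use_dynamic_url !== true) {
      findings.push(`${where}: reachable at a stable chrome-extension:// URL (set use_dynamic_url: true)`);
    }
    // Broad "matches" lets every site, not just the ones that need it, load the resource.
    const matches = entry.matches || [];
    if (matches.includes('<all_urls>') || matches.some((m) => m.startsWith('*://*/'))) {
      findings.push(`${where}: matches lets any site probe these resources; narrow to required origins`);
    }
  });
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const weakManifest = {
  manifest_version: 3,
  name: 'Example Wallet',
  web_accessible_resources: [
    { resources: ['icon.png', 'inject.js'], matches: ['<all_urls>'] },
  ],
};
const hardenedManifest = {
  manifest_version: 3,
  name: 'Example Wallet',
  web_accessible_resources: [
    { resources: ['inject.js'], matches: ['https://app.example/*'], use_dynamic_url: true },
  ],
};

console.log(auditWebAccessibleResources(weakManifest));     // two findings
console.log(auditWebAccessibleResources(hardenedManifest)); // []
```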
