Alarming New Threat: Chrome Extensions Can Now Disguise as Password Managers to Steal Your Data

# Chrome Extensions Can Now “Shape-Shift” to Steal Sensitive Data

Security researchers at SquareX Labs have uncovered a dangerous new “polymorphic” attack that allows malicious Chrome extensions to transform themselves into trusted tools like password managers, cryptocurrency wallets, and banking applications.

## How the Attack Works

The attack begins when the user installs what appears to be a legitimate extension from the Chrome Web Store, for example an AI marketing tool. Once installed, the malicious extension uses the `chrome.management` API to enumerate the other extensions in the user's browser.

If the extension does not hold that permission, it can still fingerprint installed extensions: it injects resources into web pages and attempts to load files that are unique to each target extension, and a successful load reveals that the extension is present.

After identifying valuable targets like password managers, the malicious extension:

1. Disables the legitimate extension
2. Changes its own icon and name to mimic the targeted extension
3. Displays fake login prompts that match the appearance of the legitimate service
4. Captures sensitive credentials through phishing forms
5. Reverts to its original appearance and re-enables the legitimate extension

## Real-World Example

In SquareX’s demonstration, attackers impersonated the 1Password extension by displaying a fake “Session Expired” prompt when users attempted to log into websites. This tricked victims into entering their master password into a phishing form that transmitted the credentials to attackers.

## Mitigation Recommendations

SquareX has responsibly disclosed the vulnerability to Google and recommends:

- Blocking sudden changes to extension icons and HTML
- Implementing user notifications when extensions change appearance
- Reclassifying the `chrome.management` API as high-risk instead of medium-risk

Currently, no measures exist to prevent this type of deceptive impersonation, and the `chrome.management` API remains widely accessible to popular extensions including ad blockers and password managers.
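A defender-side illustration of the "notify when an extension changes appearance" recommendation, added here and not code from SquareX or Google: it diffs two snapshots of the extension inventory and flags the pattern described above, one extension being disabled while another takes on its name and icon. It assumes the snapshots are built by polling `chrome.management.getAll()` and that the caller adds an `iconHash` field computed from the icon file (both are assumptions, not part of the API).

```javascript
// Added example: heuristic detection of the polymorphic-extension pattern.
// A snapshot is an array of { id, name, enabled, iconHash }; id, name and
// enabled match chrome.management.ExtensionInfo, iconHash is assumed to be
// computed by the caller from the extension's icon (hypothetical field).

function detectImpersonation(before, after) {
  const prev = new Map(before.map((e) => [e.id, e]));
  // Extensions that were enabled in the first snapshot but not in the second
  const newlyDisabled = after.filter((e) => {
    const p = prev.get(e.id);
    return p !== undefined && p.enabled && !e.enabled;
  });
  const alerts = [];
  for (const cur of after) {
    const old = prev.get(cur.id);
    if (!old) continue; // freshly installed; nothing to compare against
    const nameChanged = old.name !== cur.name;
    const iconChanged = old.iconHash !== cur.iconHash;
    if (!nameChanged && !iconChanged) continue;
    // Does the new identity collide with a just-disabled extension?
    const victim = newlyDisabled.find(
      (v) => v.id !== cur.id && (v.name === cur.name || v.iconHash === cur.iconHash)
    );
    const changed = [nameChanged && 'name', iconChanged && 'icon'].filter(Boolean).join(' and ');
    alerts.push({
      suspect: cur.id,
      severity: victim ? 'high' : 'medium',
      reason: victim
        ? `changed ${changed} to match "${victim.name}" (${victim.id}), which was just disabled`
        : `changed ${changed} without a reinstall`,
    });
  }
  return alerts;
}

// Constructed sample inventory; ids and icon hashes are placeholders, not real.
const SAMPLE_BEFORE = [
  { id: 'ext-pwmgr', name: '1Password', enabled: true, iconHash: 'icon-A' },
  { id: 'ext-mkt', name: 'AI Marketing Helper', enabled: true, iconHash: 'icon-B' },
  { id: 'ext-adblock', name: 'Ad Blocker', enabled: true, iconHash: 'icon-C' },
];
const SAMPLE_AFTER = [
  { id: 'ext-pwmgr', name: '1Password', enabled: false, iconHash: 'icon-A' },
  { id: 'ext-mkt', name: '1Password', enabled: true, iconHash: 'icon-A' },
  { id: 'ext-adblock', name: 'Ad Blocker', enabled: true, iconHash: 'icon-C' },
];

console.log(detectImpersonation(SAMPLE_BEFORE, SAMPLE_AFTER));
```

A real implementation would take the snapshots on a timer from a trusted management extension or browser policy tooling and surface high-severity alerts to the user; the heuristic alone cannot block the change, which is why the page's recommendations are aimed at the browser vendor.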
