Summary: A new “polymorphic” attack allows malicious Chrome extensions to disguise themselves as legitimate ones, such as password managers, to steal sensitive information. Devised by SquareX Labs, the attack can manipulate installed extensions and employ phishing tactics to capture user credentials. SquareX has disclosed the attack to Google, urging protective measures against this serious security threat.
Affected: Google Chrome extensions
Keypoints:
- Malicious extensions can morph into legitimate extensions, tricking users into providing sensitive data.
- The attack uses the ‘chrome.management’ API to access a list of installed extensions or employs resource injection if direct access is unavailable.
- SquareX recommends that Google implement defenses to prevent such impersonation tactics, which are currently unaddressed.
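
A defender-side audit for the two discovery paths named above, added here as an example and not taken from SquareX or Google: it flags extensions whose manifest requests the `management` permission, and extensions whose web-accessible resources any page can load. The second check assumes the resource-based fallback relies on such page-loadable resources; the finding tags, function names and sample manifests are constructed for illustration.

```python
import json

BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a sorted list of finding tags for one parsed manifest.json."""
    findings = set()
    # Both install-time and optional grants can unlock chrome.management.
    for key in ("permissions", "optional_permissions"):
        if "management" in [p for p in manifest.get(key, []) if isinstance(p, str)]:
            findings.add(f"management-api:{key}")
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            # Manifest V2: a listed resource is loadable by any web page.
            findings.add("page-probeable-resources")
        elif isinstance(entry, dict):
            # Manifest V3: "matches" scopes exposure; use_dynamic_url rotates the URL.
            broad = BROAD_MATCHES & set(entry.get("matches", []))
            if broad and entry.get("resources") and not entry.get("use_dynamic_url", False):
                findings.add("page-probeable-resources")
    return sorted(findings)

def audit_all(manifests):
    """Map extension id -> findings; unparseable manifests are flagged, not dropped."""
    report = {}
    for ext_id, raw in manifests.items():
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, dict):
            report[ext_id] = audit_manifest(parsed)
        else:
            report[ext_id] = ["unparseable-manifest"]
    return report

# Constructed sample manifests keyed by placeholder ids (not real extensions).
SAMPLES = {
    "ext-a": json.dumps({"manifest_version": 3, "name": "Helper",
                         "permissions": ["storage", "management"]}),
    "ext-b": json.dumps({"manifest_version": 3, "name": "Vault", "permissions": ["storage"],
                         "web_accessible_resources": [
                             {"resources": ["img/logo.png"], "matches": ["<all_urls>"]}]}),
    "ext-c": json.dumps({"manifest_version": 3, "name": "Vault2",
                         "web_accessible_resources": [
                             {"resources": ["img/logo.png"], "matches": ["<all_urls>"],
                              "use_dynamic_url": True}]}),
    "ext-d": "{not json",
}

if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLES).items():
        print(ext_id, findings or ["no findings"])
```

A `management-api` finding is a prompt for review rather than proof of abuse, since legitimate extension managers also request that permission.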