Malicious Chrome extensions can spoof password managers in new attack

A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information. The attack was devised by SquareX Labs, which warns of its practicality and feasibility on the latest version of Chrome. The researchers have responsibly disclosed the attack to Google. Shape-shifting Chrome extensions The attack begins with the submission of the malicious polymorphic extension on Chrome's Web Store. SquareX uses an AI marketing tool as an example, which offers the promised functionality, tricking victims into installing and pinning the extension on their browser. To get a list of other installed extension, the malicious extension abuses the the 'chrome.management' API, which it was given access to during installation. If the malicious extension doesn't have this permission, SquareX says there's a second, stealthier way to achieve the same, involving resource inject ... Read full article.