Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on.
SquareX said in a report published last week, "Polymorphic extensions create a pixel-perfect replica of the target's icon, HTML popup and workflows, and even temporarily disable the legitimate extension, which gives victims great confidence that they are providing credentials to the real extension."
The stolen credentials can then be abused by the threat actors to hijack online accounts and gain unauthorized access to sensitive personal and financial information. The attack affects all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others.
The approach banks on the fact that users usually pin extensions to the browser's toolbar. In a hypothetical attack scenario, the threat actor could publish a polymorphic extension to the Chrome Web Store (or any extension marketplace) and disguise it as a utility.
While the add-on provides the advertised functionality so as not to arouse suspicion, it scans in the background for the presence of web resources associated with specific target extensions, using a technique called web resource hitting, and activates its malicious features accordingly.
Once a suitable target extension is identified, the attack moves to the next stage, in which the malicious extension morphs into a replica of the legitimate one. This is accomplished by changing the malicious extension's icon to match the target's and by temporarily disabling the legitimate extension through the chrome.management API, which removes it from the toolbar.
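The two extension capabilities the technique relies on are both visible in an extension's manifest: the `management` permission (required to call chrome.management and disable another extension) and web-accessible resources exposed to every origin (what lets a page or extension probe whether a given extension is installed). The following audit script is an added example for defenders and reviewers, not code from SquareX or the article; the manifests it checks are constructed samples, and the helper names are the example's own.

```python
import json

# Constructed sample manifests (not real extensions): one Manifest V3, one V2.
SAMPLE_MV3 = json.dumps({
    "manifest_version": 3,
    "name": "Demo Utility",
    "permissions": ["storage", "management"],
    "web_accessible_resources": [
        {"resources": ["icons/logo.png"], "matches": ["<all_urls>"]},
        {"resources": ["page.html"], "matches": ["https://example.com/*"]},
    ],
})

SAMPLE_MV2 = json.dumps({
    "manifest_version": 2,
    "name": "Legacy Tool",
    "permissions": ["tabs"],
    "web_accessible_resources": ["inject.js"],
})

# Match patterns that make a resource fetchable from any web page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broadly_exposed_resources(manifest):
    """Return resource paths any origin can fetch via chrome-extension://<id>/<path>."""
    war = manifest.get("web_accessible_resources", [])
    exposed = []
    if manifest.get("manifest_version", 2) < 3:
        # MV2: every listed resource is reachable from every origin.
        exposed.extend(war)
    else:
        # MV3: only entries whose "matches" cover all sites are globally probeable.
        for entry in war:
            if set(entry.get("matches", [])) & BROAD_MATCHES:
                exposed.extend(entry.get("resources", []))
    return exposed


def audit_manifest(manifest_json):
    """Return a list of findings relevant to impersonation and fingerprinting risk."""
    manifest = json.loads(manifest_json)
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    if "management" in perms:
        findings.append("management permission: can enable/disable other extensions")
    exposed = broadly_exposed_resources(manifest)
    if exposed:
        findings.append("fingerprintable: resources exposed to all origins: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for label, sample in (("MV3", SAMPLE_MV3), ("MV2", SAMPLE_MV2)):
        print(label, audit_manifest(sample) or ["no findings"])
```

Running the script against a store listing or an enterprise allowlist flags extensions that request `management` without a clear need, and shows legitimate extension authors which resources to restrict with narrower `matches` entries so their add-on is harder to detect by resource probing.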
https://www.youtube.com/watch?v=i5Pifa3jhty
"The polymorphic extension attack is extremely powerful, as it takes advantage of the human tendency to rely on visual cues as a confirmation," SquareX said. "In this case, the extension icons on the pinned bar are used to inform users of the tools they are interacting with."
A month after the findings, the company also disclosed another attack method, called browser syncjacking, that makes it possible to seize control of a victim's device through what appears to be an innocuous browser extension.