Polymorphic browser extensions could target credentials, report finds

Threat actors could compromise credentials through a novel attack technique involving polymorphic extensions spoofing and disabling already installed website add-ons in Chromium-based web browsers, reports The Hacker News.

Installation of polymorphic extensions masked as utilities in extension markets triggers the scanning of web resources linked to targeted extensions before proceeding with its transformation into a copy of the legitimate extension, according to a report from SquareX.

Aside from replacing its icon, such an extension also works to deactivate and remove the legitimate one from the browser's toolbar before working to obtain victims' credentials that could be leveraged for further compromise.

"The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation. In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with," said SquareX researchers.

Malicious actors were also recently reported by SquareX to have leveraged a trojanized Chrome extension to enable device takeovers as part of a new Browser Syncjacking attack.