
Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension

Imagine that your AI transcriber tool shapeshifts into your password manager, then your crypto wallet and finally into your banking app — all without your knowledge. This is exactly what polymorphic extensions can do. SquareX’s research team discovered a way for malicious extensions to silently impersonate any extension installed on the victim’s browser. A polymorphic extension creates a pixel-perfect replica of the target’s icon, HTML popup and workflows, and even temporarily disables the legitimate extension, making it extremely convincing: victims believe they are providing credentials to the real extension. These credentials can then be used by attackers to access all the sensitive information, credentials and financial assets stored in the victim’s account.

Using password managers as an example, this blog will methodically walk through how attackers would use a polymorphic extension to gain full access to the victim’s password vault. However, it is important to note that the target here is irrelevant — any extension that acts as a gateway to resources valuable to attackers can be targeted just as easily by polymorphic extensions. While this technical blog illustrates the attack flow with Chrome, all Chromium-based browsers, including Edge, are vulnerable to this attack.

Phase 1: Attacker Prep & Social Engineering

This attack leverages the fact that the most common way to interact with browser extensions is through the pinned tab. Thus, the first step of the attack is to persuade the victim to download and pin the polymorphic extension, likely disguised as another tool.

1. The attacker creates and publishes the polymorphic extension on Chrome Store, disguised as an AI marketing tool.

2. Through various social engineering tactics (e.g. social media), the victim discovers and installs the extension from Chrome Store.

3. During the installation process, a popup appears to prompt the user to pin the extension for a better experience.

4. The extension functions as promised, providing AI marketing capabilities to the victim to stay under the radar.

The attacker also compiles a list of high-value target extensions, typically those that store valuable information or assets, and thoroughly studies each one’s look and feel, behaviour and workflows to create a convincing impersonation in phase 3.

Phase 2: Identifying the Target Extension

The next step of the attack is to identify which extension to impersonate. To do this, the attacker needs to know which extensions are already installed in the victim’s browser. While direct monitoring of other extensions is prohibited by the Chrome extension subsystem, there are other ways to learn this. The first is the chrome.management API, an API used by many admin tools to manage installed applications, including browser extensions.

The second, stealthier way is to use a technique called web resource hitting: probing for unique web-accessible resources associated with known target extensions. For example, successfully fetching the PNG file containing 1Password’s logo likely means that the password manager is installed in the victim’s browser. This systematic approach is used by websites such as LinkedIn to detect web scraping and automation tools that violate its community’s privacy rules. Similarly, the malicious extension can inject a script into any webpage to check for specific installed extensions to mimic. Typically, attackers prey on extensions that hold valuable information, making tools like password managers and crypto wallets prime targets.

The steps below describe the latter approach:

5. The malicious extension injects a script into any open tab in the victim’s browser, which instructs the webpage to check for the presence of web resources that correlate to specific target extensions, in this case 1Password.

Note: The script can also check for multiple extensions at once, producing a list of available targets from which the attacker will choose.

6. The results of this web resource hitting exercise are sent back to the attacker’s server. If a target is identified, the attacker proceeds to phase 3. If not, the polymorphic extension remains dormant, periodically injecting the same script until a suitable target is installed.
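From the defender’s side, both halves of Phase 2 are visible in a manifest: a target extension is only probeable if its web_accessible_resources are reachable from arbitrary origins at a fixed URL, and a suspect extension needs the activeTab, scripting and management permissions (discussed again under Impact) to carry out the swap. The following audit script is an added example, not SquareX’s code or any vendor’s; it runs under Node and every manifest in it is a constructed sample, not a real extension’s manifest. The MV3 fields it reads (web_accessible_resources with resources, matches and use_dynamic_url) are Chrome’s documented manifest keys.

```javascript
// Added example (not SquareX's code): audit an extension manifest for the two
// manifest-level properties this post relies on. All manifests below are
// constructed samples, not real extensions' manifests.

// A web_accessible_resources match pattern that lets any website reach the file.
function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/.*$/.test(pattern);
}

// Resources a web page could probe for at a fixed, predictable URL.
// MV2 lists bare paths (reachable from every origin); MV3 lists objects with
// `resources`, `matches`/`extension_ids` and the optional `use_dynamic_url`,
// which serves the file under a URL that changes each session and so defeats
// probing for a fixed path.
function exposedResources(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      findings.push({ resource: entry, reason: "MV2 resource, reachable from any origin" });
      continue;
    }
    const matches = entry.matches || [];
    if (!matches.some(isBroadMatch) || entry.use_dynamic_url === true) continue;
    for (const resource of entry.resources || []) {
      findings.push({ resource, reason: `static URL exposed to ${matches.join(", ")}` });
    }
  }
  return findings;
}

// The permission set the post identifies: each is "medium risk" on its own,
// but together they let an extension inject scripts into pages, act on the
// active tab and disable other extensions.
const IMPERSONATION_PERMISSIONS = ["activeTab", "scripting", "management"];

function impersonationCapability(manifest) {
  const granted = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const held = IMPERSONATION_PERMISSIONS.filter((p) => granted.has(p));
  return { held, capable: held.length === IMPERSONATION_PERMISSIONS.length };
}

function auditManifest(manifest) {
  const fingerprintable = exposedResources(manifest);
  const impersonation = impersonationCapability(manifest);
  const notes = [];
  if (fingerprintable.length > 0) {
    notes.push("fingerprintable by web pages: set use_dynamic_url or narrow `matches`");
  }
  if (impersonation.capable) {
    notes.push("holds activeTab+scripting+management: watch for icon/popup changes at runtime");
  }
  return { name: manifest.name, fingerprintable, impersonation, notes };
}

// Constructed sample manifests (hypothetical names, not real products).
const SAMPLE_TARGET = {   // a vault-style extension that exposes its logo to every page
  manifest_version: 3, name: "Sample Vault",
  permissions: ["storage", "tabs"],
  web_accessible_resources: [{ resources: ["images/logo.png"], matches: ["<all_urls>"] }],
};
const SAMPLE_HARDENED = { // the same extension served under per-session resource URLs
  ...SAMPLE_TARGET, name: "Sample Vault (hardened)",
  web_accessible_resources: [{ resources: ["images/logo.png"], matches: ["<all_urls>"], use_dynamic_url: true }],
};
const SAMPLE_SUSPECT = {  // a "marketing tool" holding the full impersonation set
  manifest_version: 3, name: "Sample Marketing Helper",
  permissions: ["activeTab", "scripting", "management", "storage"],
};

for (const m of [SAMPLE_TARGET, SAMPLE_HARDENED, SAMPLE_SUSPECT]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

The hardened sample shows the mitigation available to extension authors who are likely targets: with use_dynamic_url the logo is still usable by the extension’s own pages, but a page probing for a fixed chrome-extension:// path gets nothing, so the presence check in step 5 fails. The permission check is a review trigger, not a verdict; as the post notes, the same three permissions are common in benign extensions.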

Phase 3: Impersonating the Target Extension

Now that there is a target extension, the polymorphic extension will morph into a perfect replica of the target at the right time. Continuing with 1Password as an example:

7. The victim lands on the login page of a SaaS app (e.g. Salesforce) and clicks on the login form.

8. This triggers the polymorphic extension to:

  • Temporarily disable 1Password, removing it from the pinned tab
  • Impersonate 1Password, most importantly its icon on the pinned tab

9. An HTML popup appears stating that the victim has been logged out of 1Password and prompts them to log back into 1Password through the extension.

10. The victim clicks on the fake extension’s icon, opening up a pixel-perfect replica of 1Password’s login page.

11. Unknowingly, the victim enters their username, password and secret key, which are sent to the attacker’s server.

12. Once the credentials are submitted, the polymorphic extension shifts back to its original appearance and re-enables 1Password.

13. The real 1Password autofills the victim’s Salesforce credentials, allowing them to log in without any suspicion that the sequence has been tampered with.
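Steps 8 to 12 form a tight, distinctive sequence: one extension disables another, changes its own icon and popup, and then re-enables the extension it disabled. That sequence is what a runtime monitor should key on, since each individual action is benign on its own. The correlation below is an added example, not SquareX’s detection logic; it assumes browser-native telemetry that records which extension performed each action (the standard chrome.management.onDisabled and onEnabled events report which extension changed state, but not who changed it), and the event schema and log lines are constructed for the example.

```javascript
// Added example (not SquareX's code): correlate runtime telemetry for the
// disable / morph / re-enable sequence in steps 8-12. The event schema is
// hypothetical (it assumes telemetry that attributes each action to the
// extension that performed it) and the log below is constructed.

const SAMPLE_EVENTS = [
  { t: 1000, type: "ext.disabled", actor: "ext_marketing", target: "ext_vault" },
  { t: 1001, type: "action.icon",  actor: "ext_marketing" },
  { t: 1002, type: "action.popup", actor: "ext_marketing" },
  { t: 1040, type: "ext.enabled",  actor: "ext_marketing", target: "ext_vault" },
  { t: 1041, type: "action.icon",  actor: "ext_marketing" },
  // Benign: an admin tool disables an extension and changes nothing about itself.
  { t: 5000, type: "ext.disabled", actor: "ext_admin", target: "ext_game" },
  // Benign: an extension updates its own icon (e.g. a badge) without any disable.
  { t: 6000, type: "action.icon",  actor: "ext_adblock" },
];

// Actions that change what the user sees on the pinned bar.
const MORPH_TYPES = new Set(["action.icon", "action.popup"]);

// One alert per disable that is followed, within windowMs, by the same actor
// changing its own icon or popup. Re-enabling the same target inside the
// window completes the swap-back in step 12 and raises the severity.
function detectSwap(events, windowMs = 60000) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const alerts = [];
  sorted.forEach((ev, i) => {
    if (ev.type !== "ext.disabled") return;
    const later = sorted
      .slice(i + 1)
      .filter((e) => e.actor === ev.actor && e.t - ev.t <= windowMs);
    const morphs = later.filter((e) => MORPH_TYPES.has(e.type));
    if (morphs.length === 0) return;
    const restored = later.some(
      (e) => e.type === "ext.enabled" && e.target === ev.target
    );
    alerts.push({
      actor: ev.actor,
      target: ev.target,
      at: ev.t,
      severity: restored ? "high" : "medium",
      evidence: [ev.type, ...morphs.map((m) => m.type), ...(restored ? ["ext.enabled"] : [])],
    });
  });
  return alerts;
}

for (const a of detectSwap(SAMPLE_EVENTS)) {
  console.log(`[${a.severity}] ${a.actor} disabled ${a.target} at t=${a.at}; evidence: ${a.evidence.join(" -> ")}`);
}
```

Keying on the actor rather than the target is what separates this from the benign admin-tool case: an enterprise management extension disables extensions routinely, but it does not redraw its own icon in the same breath. The medium-severity path still fires when the swap-back has not happened yet, which is the moment the fake login popup is on screen.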

Phase 4: Impact

Now that the attacker has the victim’s 1Password credentials, including the secret key, they have the keys to the kingdom. They can use all the passwords stored in the password manager vault to access any of the victim’s SaaS app accounts to exfiltrate data, or even impersonate the victim to propagate phishing campaigns to the victim’s contacts. Other potential damages that polymorphic extension attacks can cause include:

  • Unauthorized transfer of cryptocurrencies using crypto wallets
  • Unauthorized transactions using banking apps
  • Unauthorized access to monitor, write and send confidential documents/emails with productivity tools (e.g. grammar checkers, automation tools)
  • Unauthorized access to read and modify code base via developer tools

The polymorphic extension attack is extremely powerful because it exploits the human tendency to rely on visual cues as confirmation. In this case, the extension icons on the pinned bar are what tell users which tool they are interacting with. Even if the user did navigate to the extension management dashboard, there is no easy way to correlate the extensions listed there with the pinned icons. Furthermore, under Chrome’s permission classification system, all the APIs used in this attack, namely activeTab, scripting and chrome.management, are classified as medium risk. In fact, the very same permissions are commonly used by popular extensions such as page stylers, ad blockers and even password managers themselves. This desensitizes both the victim and any reviewing security team to approving such permissions, and they may not stand out as unusual to Chrome Store during its audits.

Recommendations

For Chrome

Unfortunately, given that the attack exploits legitimate functionality in Chrome, it cannot be solved by simply patching the browser. We have, however, written to Chrome for responsible disclosure. We also recommended that Chrome ban abrupt extension icon and HTML changes, or implement user notifications on any such event, to prevent impersonation attacks.

For Users & Enterprises

Polymorphic extensions are the perfect cautionary tale to illustrate that permissions-based policies and static code analysis are no longer sufficient to defend against malicious extensions. Browser extensions can easily masquerade as tools with legitimate functionality, only to display malicious behavior at runtime, often long after the extension was installed. Thus, it is critical for enterprises to have the right browser-native security tools to defend against these advanced browser extension attacks through dynamic analysis of each extension’s behaviour at runtime, including highlighting any suspicious polymorphic activity.

The Solution: Browser Detection and Response

Given that these extensions operate fully in the browser and cannot be identified by their permissions or the sites they touch, they can only be tackled with a browser-native solution that understands the runtime behaviour of each extension. SquareX’s Browser Detection and Response solution comes with a proprietary extension analysis engine with several main components.

Highly Granular Extension-based Policies

As seen, permissions-based policies alone are too broad to defend against malicious extensions. SquareX’s policy engine includes parameters across over 25 dimensions including permissions, version, author and source. SquareX can also track all extensions and elements listed on the Chrome Store, including user reviews, publisher and number of downloads. For example, companies may choose to block extensions below a certain threshold of downloads or positive reviews. Events like publisher and code changes can also be used to trigger detection workflows, prompting immediate security assessments when suspicious changes are detected.

Advanced Extension Static Analysis

SquareX’s extension analysis engine not only detects malicious code, but also uses advanced AI and machine learning techniques to identify malicious intent. This is possible through training with SquareX’s proprietary browser extension code database, which includes sneaky malicious extensions that bypass existing static code analyzers.

Dynamic Analysis

In addition to static code analysis, SquareX developed an industry-first dynamic analyzer that executes extensions in a controlled environment to observe their actual runtime behavior. This allows for an extra layer of protection through real-time monitoring of extension activities, network communications, and resource usage, enabling the detection of malicious behaviors that might not be apparent through static analysis alone.

Browser Extension Policy Library

For security teams that are relatively new at managing extensions, SquareX’s policy library offers hundreds of policies defending against multiple attack vectors, including extensions. These policies were built based on best practices observed across our customers, and are continually updated to reflect emerging threats in the browser extension landscape.

Extension Risk Scores

Based on multiple static and dynamic tests, SquareX developed a sophisticated risk scoring system. The system incorporates real-time behaviour data, public reviews, historical performance, publisher reputation and aggregated security research. This creates a centralized threat feed for browser extensions that security teams can use to protect their users against existing and zero day extension-based attacks.

Shadow SaaS & OAuth Access Control

SquareX can also enable enterprises to have full visibility of the applications employees are using, including shadow SaaS and extensions accessed through both personal and work identities. For instance, SquareX can block users from granting any OAuth permissions to unauthorized enterprise applications.

Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by SquareX. Read the original post at: https://labs.sqrx.com/polymorphic-extensions-dd2310006e04?source=rss----f5a55541436d---4