Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension

Disclosed by SquareX, polymorphic extensions can mimic any other browser extension, perfectly replicating their icons and popup interfaces. Victims, believing they are interacting with the real extension, are tricked into entering their password manager or crypto wallet credentials. With additional permissions, these malicious extensions can even disable the legitimate one entirely.

Download our Browser Security Extension Guide

Want to stop similar extension-based attacks? Learn the best practices for defending your enterprise against malicious extensions in our guide.


How It Works

Malicious polymorphic extensions perfectly mimic legitimate ones—duplicating icons, popups, and workflows—while temporarily disabling genuine extensions, deceiving users into submitting credentials to attackers. Here's an attack scenario involving password manager extensions:

Phase 1: Attacker Prep & Social Engineering

Attackers deploy sophisticated social engineering tactics across platforms to manipulate victims into downloading and pinning a polymorphic extension, typically masquerading as a legitimate tool.

Phase 2: Identifying the Target Extension

Once installed, the malicious extension identifies which installed extension to impersonate, for example by enumerating extensions through the chrome.management API or by probing for the web-accessible resources of known extensions.

Phase 3: Impersonating the Target Extension

Once the target extension is locked in, the polymorphic extension silently morphs into a replica of it while disabling the genuine extension. Any credentials entered into the replica are sent to the attacker's server.
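Phases 2 and 3 both rely on chrome.management, and disabling another extension through that API requires the "management" permission. The following added example (not SquareX's code) correlates an extension flipping from enabled to disabled with the enabled extensions that hold that permission; the snapshots mirror the fields of chrome.management.ExtensionInfo, and the sample data below is constructed.

```javascript
// Defender-side check: given two snapshots of installed extensions (in a
// monitoring extension they would come from chrome.management.getAll()),
// report every extension that went enabled -> disabled together with the
// extensions that could have done it programmatically, i.e. those enabled
// and holding the "management" permission. A disable with no candidates is
// most likely a user action; one with candidates deserves a closer look.
function suspectDisables(before, after) {
  const prev = new Map(before.map((e) => [e.id, e]));
  const managers = after.filter(
    (e) => e.enabled && (e.permissions || []).includes("management")
  );
  const findings = [];
  for (const ext of after) {
    const was = prev.get(ext.id);
    // Only enabled -> disabled transitions are interesting here.
    if (!was || !was.enabled || ext.enabled) continue;
    findings.push({
      disabled: { id: ext.id, name: ext.name },
      candidates: managers.filter((m) => m.id !== ext.id).map((m) => m.id),
    });
  }
  return findings;
}

// Constructed sample: a password manager is enabled; in the next snapshot it
// is disabled and a freshly installed extension with "management" is present.
const BEFORE = [
  { id: "aaaa", name: "Example Password Manager", enabled: true, permissions: ["storage"] },
  { id: "bbbb", name: "Tab Utility", enabled: true, permissions: ["tabs"] },
];
const AFTER = [
  { id: "aaaa", name: "Example Password Manager", enabled: false, permissions: ["storage"] },
  { id: "bbbb", name: "Tab Utility", enabled: true, permissions: ["tabs"] },
  { id: "cccc", name: "Helpful Tool", enabled: true, permissions: ["management", "storage"] },
];

function demo() {
  return suspectDisables(BEFORE, AFTER);
}

console.log(JSON.stringify(demo(), null, 2));
```

This only surfaces the disable step; the runtime icon and popup swap the page describes produces no permission change, which is why a snapshot diff complements rather than replaces behavioural analysis.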

Phase 4: Impact

After obtaining the victim's credentials and secret key, attackers can access the entire password manager vault. This gives them entry to all the victim's SaaS applications, allowing them to steal sensitive data and impersonate the victim in phishing campaigns targeting their contacts.


"No bug to patch"

Polymorphic extensions exploit inherent features within Chrome to perform malicious activity. The attack is facilitated by:

Chrome's flawed extension design

Polymorphic extensions can exist because an extension can change its icon and popup HTML at runtime to mimic another extension, and users are not notified of the change.

With polymorphic extensions, it's clear that permission-based policies and static code analysis are no longer sufficient to defend against malicious extensions. Instead, only a browser-native security tool that dynamically analyzes extension behaviour at runtime can stop such attacks.

User Trust In Visual Cues

Users rely on visual cues such as icons to identify what they interact with, and mostly interact with pinned extensions. Attackers take advantage of this implicit trust in visual cues: polymorphic extensions don't raise victims' suspicion until it's too late.

The Solution: Browser Detection and Response

Given that these extensions operate fully in the browser and cannot be identified by their permissions or by the sites they touch, they can only be tackled with a browser-native solution that understands the runtime behaviour of each extension. SquareX's Browser Detection and Response solution comes with a proprietary extension analysis engine with several main components:

  • Highly Granular Extension-based Policies
  • Advanced Extension Static Analysis
  • Dynamic Analysis
  • Browser Extension Policy Library
  • Extension Risk Scores
  • Shadow SaaS & OAuth Access Control

Click below to request a pilot, or contact us at founder@sqrxdevops.com to learn more.