"Polymorphic" attack on Chrome: extensions can steal your passwords

Researchers at SquareX Labs have discovered a vulnerability in the latest version of Chrome. By exploiting this flaw, malicious individuals can carry out a so-called "polymorphic" attack. In short, they can use Chrome extensions that transform themselves and usurp the identity of another extension installed on the browser, such as a password manager. The researchers explain that they have "found a way for malicious extensions to silently spoof any extension installed on the victim's browser."

First, a seemingly harmless extension is submitted to the Chrome Web Store, Google's extension store. Once the user installs it on the browser, the extension exploits the API that allows Chrome extensions to manage other extensions, to which it was granted access at installation. This API exposes the list of extensions installed in Chrome, although "direct monitoring of other extensions is prohibited by the Chrome extension subsystem," the report states.

If this tactic doesn't work, attackers can also "detect the presence of unique web resources associated with specific known extensions." For example, they will detect the PNG file containing the 1Password logo, which "likely means that the password manager is installed" on Chrome.

Impersonating your extensions

With the list in hand, attackers will choose the identity of an extension that contains sensitive data. For their experiments, researchers at SquareX Labs opted for a password manager, 1Password. The operation is obviously aimed at seizing all the user's passwords. Still exploiting the Chrome API dedicated to extensions, they will disable the 1Password extension present on the browser. At the same time, the malicious extension will metamorphose to take on the appearance of the targeted extension. The icon will become that of 1Password. It is a "perfect replica of the target's icon down to the pixel".

The malicious extension will then display a pop-up window on the victim's computer, indicating that the 1Password account has been disconnected. Convinced that they are dealing with the official extension, the target will enter their credentials into the interface. The identification information, such as the username and password, is then transmitted to the attackers. With this information, they can log into the victim's 1Password account and siphon off all their passwords. Once the theft has been carried out, the extension covers its tracks. It returns to its original appearance. In addition, the 1Password extension is reactivated. The Internet user does not notice anything.

Google has been warned, but has not yet acted

SquareX Labs researchers have warned Google of Chrome's vulnerability to polymorphic attacks. In particular, they recommend preventing extensions from changing their icon or accessing the appearance of other extensions. At the very least, Google should immediately notify the user when these changes occur. The Mountain View giant has not yet taken adequate measures to block cyberattacks of this type.

However, operations of this type can have disastrous consequences for Chrome users. Extensions can steal passwords, banking details or private keys to access cryptocurrency wallets.
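The attack described above depends on the malicious extension having access to Chrome's extension-management API, which an extension requests through the `management` permission in its manifest. The following audit script is an added example, not code from SquareX Labs or Google: it scans an extensions directory and reports every extension that requests that permission. The directory layout `<extension id>/<version>/manifest.json` is assumed, and the sample manifests are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# "management" is the manifest permission that unlocks chrome.management,
# the API for listing, enabling and disabling other extensions.
RISKY_PERMISSION = "management"

def management_requests(manifest):
    """Return the manifest keys under which the management permission is requested."""
    return [key for key in ("permissions", "optional_permissions")
            if isinstance(manifest.get(key), list) and RISKY_PERMISSION in manifest[key]]

def audit_extensions(extensions_dir):
    """Scan <extensions_dir>/<extension id>/<version>/manifest.json and report hits."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id, version = path.parent.parent.name, path.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            # An unparseable manifest cannot be cleared, so report it too.
            findings.append({"id": ext_id, "version": version, "error": str(exc)})
            continue
        hits = management_requests(manifest)
        if hits:
            findings.append({"id": ext_id, "version": version,
                             "name": manifest.get("name"), "requested_in": hits})
    return findings

def build_sample_profile(root):
    """Write constructed manifests (not real extensions) for the demonstration."""
    samples = {
        "constructed-ext-a": '{"name": "Notes", "permissions": ["storage"]}',
        "constructed-ext-b": '{"name": "Helper", "permissions": ["management", "tabs"]}',
        "constructed-ext-c": '{"name": "Theme", "optional_permissions": ["management"]}',
        "constructed-ext-d": '{"name": "Broken", ',
    }
    for ext_id, text in samples.items():
        target = Path(root) / ext_id / "1.0.0_0"
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(audit_extensions(tmp))
```

On Linux, Chrome's default profile typically keeps installed extensions under `~/.config/google-chrome/Default/Extensions`. Legitimate extensions also request `management`, so a hit marks an extension for review rather than proving it malicious.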

Source: SquareX Labs
