
New Chrome Extension Attack Puts Passwords at Risk | Image Source: www.bleepingcomputer.com
March 7, 2025. A newly discovered security threat to Google Chrome users is raising alarms in the cybersecurity community. Researchers at SquareX Labs have identified a sophisticated attack method that allows malicious Chrome extensions to disguise themselves as legitimate ones, including password managers, banking applications and cryptocurrency wallets. This “polymorphic” attack exploits weaknesses in the Chrome extension system, posing a significant risk to millions of users.
How does the attack work?
The attack begins with the submission of an apparently benign extension to the Chrome Web Store. Often disguised as an AI marketing tool or productivity application, the extension works as advertised, lulling users into a false sense of security. However, once installed and connected to the browser, it quietly scans for other installed extensions.
Using the chrome.management API or a silent resource-injection technique, the malicious extension identifies which legitimate extensions are present in the victim’s browser. This data is sent to an attacker-controlled server, which issues a command to turn the rogue extension into a clone of one of the detected extensions.
According to SquareX, this technique is particularly effective against popular password managers like 1Password. Once a targeted extension is found, the malicious extension disables the legitimate one, adopts its name and icon, and generates a fake login prompt that mimics the real thing. Unsuspecting users, believing they are re-authenticating, enter their credentials, which are then stolen by the attackers.
Why is this attack so dangerous?
This method of attack is alarming because it exploits users’ trust in their installed extensions. Unlike traditional phishing attempts that rely on fake websites, this technique blends seamlessly into the user’s browsing experience, making detection extremely difficult.
The SquareX research shows how these polymorphic extensions can steal passwords, banking information and cryptocurrency wallet credentials. “Imagine your trusted AI tool transforming into your password manager, then your crypto wallet, and finally your banking app, without your knowledge,” the researchers explained.
Compounding the risk is the fact that many popular extensions depend on the ‘chrome.management’ API, which Google currently classifies as “medium risk”. This API is widely used by ad blockers, page stylers and other legitimate extensions, making it difficult to restrict without breaking functionality.
Real-world demonstration of the attack
To illustrate the effectiveness of this attack, SquareX performed a demonstration in which its rogue extension impersonated 1Password. In the test, once a user tried to log in to a website, the malicious extension triggered a fake “Session Expired” prompt. This deception led the user to re-enter their credentials in a phishing form that looked identical to the legitimate 1Password login screen.
After the login data was entered, the extension seamlessly reverted to its original appearance and re-enabled the real 1Password extension to avoid suspicion. This level of stealth ensures victims are unaware that their sensitive information has been compromised.
What can users do to protect themselves?
Given the seriousness of this attack, cybersecurity experts recommend several precautions:
- Be cautious with new extensions: Only install extensions from well-known developers with a history of reputable software.
- Review permissions carefully: If an extension requests access to ‘chrome.management’ or other sensitive APIs, reconsider installing it.
- Monitor your extensions: Regularly review and audit the extensions installed in your browser. Remove any that you no longer use.
- Enable browser security features: Chrome’s built-in security settings can help detect and block suspicious activity.
- Use multi-factor authentication (MFA): Even if your password is stolen, MFA can prevent unauthorized access to your accounts.
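As an added example that is not part of the article or of SquareX’s research, the following Python script applies the “review permissions” and “audit your extensions” advice above: it parses the manifest.json files found under a Chrome profile’s Extensions folder and flags any extension requesting the chrome.management permission, plus any two extensions sharing a display name, a heuristic for the name-cloning described earlier. The sample manifests and extension ids are constructed placeholders, and the RISKY_PERMISSIONS set is an assumption you can extend.

```python
import json
from collections import Counter
from pathlib import Path

# The article singles out chrome.management: it lets one extension enumerate
# and disable the others, which is the first step of the polymorphic attack.
RISKY_PERMISSIONS = {"management"}  # assumption: extend with other sensitive APIs

def parse_manifest(text):
    """Return (name, version, permissions) from a manifest.json string."""
    m = json.loads(text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    return m.get("name", "<unnamed>"), m.get("version", "?"), perms

def audit_manifests(manifests):
    """manifests: dict of extension id -> manifest.json text.
    Returns a list of (extension id, name, reason) findings."""
    parsed = {eid: parse_manifest(txt) for eid, txt in manifests.items()}
    # Two installed extensions sharing one display name is a heuristic sign
    # that one is impersonating the other (the attack adopts the victim's name).
    names = Counter(name for name, _, _ in parsed.values())
    findings = []
    for eid, (name, _version, perms) in parsed.items():
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            findings.append((eid, name, "requests " + ", ".join(risky) + " permission"))
        if names[name] > 1:
            findings.append((eid, name, "display name shared with another installed extension"))
    return findings

def load_chrome_profile(ext_dir):
    """Read every manifest under a Chrome profile's 'Extensions' folder
    (layout: <ext_dir>/<extension id>/<version>/manifest.json)."""
    manifests = {}
    for path in Path(ext_dir).glob("*/*/manifest.json"):
        manifests[path.parent.parent.name] = path.read_text(encoding="utf-8")
    return manifests

# Constructed sample manifests standing in for a real profile scan;
# the extension ids are placeholders, not real Chrome ids.
SAMPLE_MANIFESTS = {
    "placeholder-id-1": json.dumps({"name": "1Password", "permissions": ["storage"]}),
    "placeholder-id-2": json.dumps({"name": "AI Marketing Helper",
                                    "permissions": ["storage", "management"]}),
    "placeholder-id-3": json.dumps({"name": "1Password", "permissions": ["tabs"]}),
}

if __name__ == "__main__":
    for eid, name, reason in audit_manifests(SAMPLE_MANIFESTS):
        print(f"[!] {eid} ({name}): {reason}")
```

To scan a real profile, pass `load_chrome_profile("<path to profile>/Extensions")` to `audit_manifests` instead of the sample data.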
SquareX also suggests that Google implement stricter security measures, such as blocking sudden extension changes or informing users when an extension significantly changes its appearance or functionality.
Google’s response and ongoing security issues
At the time of writing, Google has not yet issued an official response to this new attack vector. However, since SquareX disclosed the problem responsibly, the Chrome security team is expected to investigate possible countermeasures.
This is not the first time malicious Chrome extensions have been exposed. Recently, Google removed 16 high-risk extensions from the Chrome Web Store after they were found injecting harmful scripts, engaging in advertising fraud and stealing user data. These incidents highlight the ongoing security challenges associated with browser extensions.
Cybersecurity experts warn that as attackers grow more sophisticated, users must remain vigilant. Browser extensions, once considered harmless productivity tools, are increasingly being used as attack vectors. “Millions of people depend on browser-based password managers and crypto wallets,” said Vivek Ramachandran of SquareX. “Ensuring their security must be a top priority.”
For now, Chrome users are encouraged to exercise caution when installing extensions and to stay informed about emerging threats. As browser security evolves, users should also be made aware of the risks posed by seemingly harmless add-ons.