Are you feeling stuck in a Catch-22 when it comes to your long-term credential management strategy? The tech industry is pushing to eliminate passwords in favor of passkeys, and passkeys have to live in some kind of credential manager, which for many users means a password manager. Those managers, however, are under constant attack from criminals trying to reach the secrets they hold. A recently demonstrated technique, the polymorphic extension, poses a serious risk to password managers and other browser extensions, so it pays to understand how it works and what precautions to take. One of the permissions an extension can request is "management", which unlocks Chrome's chrome.management API (in Firefox, the equivalent is browser.management). That permission lets an extension manipulate the user's other installed extensions.
An extension can ask for this permission when it is first installed or in a later update. Either way, there is no warning that makes clear to users that granting it lets the extension's developer disable or remove their other extensions.
Once an extension holds the management permission, it can enumerate every other installed extension (chrome.management.getAll), disable any of them (chrome.management.setEnabled), and even uninstall them outright (chrome.management.uninstall). Disabling an extension also removes its icon from the browser's toolbar. Changing its own icon and title, meanwhile, requires no special permission at all: chrome.action.setIcon and chrome.action.setTitle are available to any extension.
If one extension uninstalls another through chrome.management.uninstall, Chrome always shows the user a confirmation dialog; the API's showConfirmDialog option cannot suppress it, because that option only applies to an extension uninstalling itself. The prompt gives users a chance to notice suspicious behavior. Merely disabling another extension with setEnabled, by contrast, produces no prompt, which is why the attack described next disables its target rather than uninstalling it.
In a polymorphic extension attack, the malicious extension disables a legitimate extension, say a password manager, and then changes its own icon and name to match it, so the familiar icon in the toolbar now belongs to the impostor. When the user clicks it, the malicious extension shows a look-alike login prompt, collects the credentials, and sends them to the attacker.
Users should therefore be careful about the permissions they grant, because some extensions abuse them, and they should treat an unexpected login prompt from an extension the way they would treat any other phishing attempt. Problem extensions can also linger in the store for a long time: in one instance, an extension remained available from December 2013 until it was removed in June 2022. Google, for its part, said in 2024 that less than 1% of all installs from the Chrome Web Store contained malware, as noted by Schneider.
The implications differ for consumers and businesses. Individual users are the ones most likely to be talked into granting broad permissions to an impostor extension, putting their own accounts at risk. Businesses face a wider blast radius: if employees decide for themselves which extensions to load, one bad choice exposes the enterprise, and if IT does not manage approved browser and extension configurations, unauthorized software ends up on the corporate network.
The threat is significant for several reasons. The shift from passwords to passkeys will push more people onto password managers, making those managers prime targets. Most password manager users install the vendor's browser extension, which is exactly the component an impostor imitates. And everyone has weak moments, regardless of operating system, in which a suspicious link gets clicked or a malicious download gets run. So even though the polymorphic extension attack is, for now, theoretical, it warrants heightened vigilance.
To protect against malicious extensions, install only extensions from trusted publishers in the Chrome Web Store. Read the permissions an extension requests and treat a request that goes beyond what the extension plausibly needs as a red flag; typos in a listing's description are another warning sign. Use multifactor authentication, especially on the password manager itself, so a phished master password alone is not enough. Be careful, too, with one-time passcodes (OTPs) that arrive in an email inbox open in a browser tab: an extension holding the "Read and change all your data on all websites" permission can read that tab, OTP included. Following these guidelines lets users and businesses reduce the risk from malicious extensions.
NordPass' Degutis recommends periodically reviewing installed extensions. In Chrome, open chrome://extensions/ and remove anything unfamiliar or no longer used; for each extension that stays, open its Details page and check that the permissions it holds match what it is supposed to do.
Knowing how each installed extension normally behaves makes it easier to spot an unexpected action, whether from the extension itself or from an impostor wearing its icon. Opting in to the Enhanced protection level of the browser's Safe Browsing feature adds protection against dangerous sites, downloads, and extensions.
For organizations, educate users about the risks of polymorphic extensions and manage browsers centrally: Chrome's enterprise policies (ExtensionInstallAllowlist, ExtensionInstallBlocklist and ExtensionSettings) let IT pin which extensions may be installed and which permissions they may hold, so the decision is not left to each user. Endpoint protection or browser security tools can add detection of malicious extensions.
Browser makers like Google should consider providing clearer guidelines for developers on permissions, and should make it easier to introduce features that need additional permissions gradually, asking the user only when a feature is first used. Developers, for their part, should request only the permissions essential to their extension's core functionality, to minimize the damage an abused permission can do.

Chrome already documents a workflow for this: the extension presents a button and, when the user clicks it, Chrome shows one of its standard permission dialogs. The message in that dialog, and in others like it, is too ambiguous. For example, there is no way to know whether the extension will stop working entirely if the user clicks "Deny." Nor is it clear whether clicking "Allow" grants the requested permission temporarily or permanently. After all, haven't Zoom and other conferencing products trained us to grant access to our camera and microphone for some meetings and not others? Given that Chrome's Permissions API includes a remove() method, there is no reason a developer could not request a permission temporarily and then give it back once the user no longer needs it.

But what is really wrong with Google's example workflow is that it is entirely optional. Instead, extension developers can request as many permissions as they want at install time. In that workflow, there is no opportunity we know of for the developer to modify Chrome's standard dialog to offer a rationale for each requested permission, or to give the user the option to decline the optional ones. We imagine something with the kind of fidelity offered by a cookie-consent form, such as the one on the website of Ireland's Grand Opera House.

Some permissions could be marked as essential, others as optional, and users could toggle the optional ones on or off based on their understanding of the explanation and what they expect from the extension's functionality. If and when Google responds to our request for comment, we will update this story.