
Cybercriminals have devised a sophisticated new tactic that enables malicious browser extensions to masquerade as legitimate ones already installed on a user’s system. Experts at SquareX have reported that attackers create visually identical replicas of extension icons, HTML panels, and core workflows of targeted extensions while temporarily disabling the original versions, making the substitution nearly imperceptible to users.
This stealthy attack is designed to harvest login credentials, which can subsequently be exploited to hijack accounts and gain unauthorized access to sensitive information, including financial data. The vulnerability affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser.
The attack method capitalizes on users’ tendency to pin extensions to the browser’s toolbar. A malicious extension, distributed through the Chrome Web Store or similar platforms, may initially appear as a legitimate utility. However, it discreetly scans web resources to detect installed target extensions, utilizing a technique known as “Web Resource Hitting.”
Once a targeted extension is identified, the malware springs into action: it replaces its own icon with an identical replica of the legitimate extension and temporarily disables the original via the chrome.management API. As a result, the authentic extension vanishes from the toolbar, avoiding suspicion from the user.
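The two steps just described give a defender something concrete to look for: an extension can only disable its neighbours via chrome.management if it holds the "management" permission, and an extension can only be fingerprinted from a web page if it exposes web_accessible_resources to arbitrary sites. The following added Python script (not SquareX's code) audits the manifest.json files in a Chromium profile for both signals; the sample manifests and the profile path are constructed assumptions.

```python
import json
from pathlib import Path

# chrome.management.setEnabled, used to switch off the impersonated extension, needs the
# "management" permission; few ordinary extensions have a reason to request it.
RISKY_PERMISSIONS = {"management"}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id, manifest):
    """Return (ext_id, name, reason) findings for one parsed manifest.json."""
    name, findings = manifest.get("name", "?"), []
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(declared & RISKY_PERMISSIONS):
        findings.append((ext_id, name, f"requests the '{perm}' permission"))
    # Resources exposed to every site let a page probe chrome-extension://<id>/<file> and
    # learn the extension is installed, which is the fingerprinting step described above.
    exposed = False
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):  # Manifest V2: plain paths, reachable from any site
            exposed = True
        elif set(entry.get("matches", [])) & BROAD_MATCHES:  # Manifest V3: per-entry matches
            exposed = True
    if exposed:
        findings.append((ext_id, name, "exposes web_accessible_resources to all sites"))
    return findings

def audit_profile(extensions_dir):
    """Audit every Extensions/<id>/<version>/manifest.json under a Chromium profile dir."""
    findings = []
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            findings.extend(audit_manifest(path.parent.parent.name, json.load(fh)))
    return findings

# Constructed sample manifests standing in for three installed extensions (not real ones).
SAMPLE_MANIFESTS = {
    "ext-a": {"name": "Sample Notes", "manifest_version": 3, "permissions": ["storage"]},
    "ext-b": {"name": "Sample Helper", "manifest_version": 3,
              "permissions": ["storage", "management"]},
    "ext-c": {"name": "Sample Wallet", "manifest_version": 3, "web_accessible_resources":
              [{"resources": ["logo.png"], "matches": ["<all_urls>"]}]},
}

def audit_samples():
    return [f for ext_id, m in SAMPLE_MANIFESTS.items() for f in audit_manifest(ext_id, m)]

if __name__ == "__main__":
    for ext_id, name, reason in audit_samples():
        print(f"{ext_id} ({name}): {reason}")
```

On Linux the default Chrome profile keeps its manifests under ~/.config/google-chrome/Default/Extensions; pass that directory to audit_profile() to run the same checks against a real installation.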
According to experts, this attack is particularly effective because it exploits the human tendency to rely on visual cues. Pinned browser extension icons serve as a visual confirmation of legitimacy, making the substitution virtually undetectable.
Previously, SquareX researchers uncovered another alarming hacking method—Browser Syncjacking—which allows attackers to seize control over a victim’s passwords, bookmarks, and browsing history through the browser’s built-in data synchronization mechanism.
Ultimately, even the most ingrained visual habits can become a security weakness. When trust is built on familiar icons and interfaces, cybercriminals gain a powerful tool for deception. Vigilance and attention to even the subtlest changes remain the only defense against this invisible threat.