Polymorphic / Shapeshifting Extensions

Author: Dakshitaa Babu

Most people don’t think twice before logging into their password manager extension. That might be a problem—because a new breed of malicious extensions, called polymorphic browser extensions, is turning that trust into a trap. These ‘e-chameleons’ disguise themselves as trusted extensions you’ve installed—be it your password manager or crypto wallet—with alarming precision.

What are polymorphic extensions?
Polymorphic browser extensions are a new class of malicious extensions that can impersonate any other extension installed in a victim’s browser. They change their icon, display name and popup UI to mirror the legitimate extension, making them extremely convincing.
Unlike traditional malware, polymorphic extensions don’t go in guns blazing. They start by doing exactly what they promise—providing a harmless, useful function—while quietly scanning your browser for high-value targets. Once they identify something like your password manager, they strike. The extension transforms its appearance to perfectly mimic the trusted one, down to the icon, name, and popup UI.
To make it worse, the malicious extension can temporarily disable the legitimate one, removing it from your toolbar to avoid detection. When you click on what you think is your password manager, you’re actually interacting with the imposter—possibly handing over your master password or crypto credentials directly to attackers.
Key traits of polymorphic extensions:
- Disguise: Initially pose as harmless utilities, performing advertised functionality to build trust.
- Scanning: Probe other extensions’ web-accessible resources to work out which ones are installed.
- Impersonation: Morph into the exact look and feel of a targeted extension.
- Disabling: Temporarily hide the legitimate extension from the browser toolbar.
- Credential theft: Trick users into entering sensitive data like master passwords or wallet keys.
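The scanning trait above works because a `chrome-extension://<id>/<path>` fetch only succeeds when the extension with that ID is installed and lists `<path>` under `web_accessible_resources`, so a table of known (id, path) pairs doubles as an installed-extension detector. The following is an added example written for this page, not code from the article or from any real extension; the extension names, IDs and resource paths in the signature table are hypothetical placeholders, and `fetchImpl` is injected so a constructed fake fetch can stand in for the browser and the logic runs offline under Node.

```javascript
// Added example (not from the article): fingerprinting installed extensions by
// probing web-accessible resources. In a page or content script pass the global
// fetch as fetchImpl; here a constructed fake fetch simulates the browser.

// Constructed signature table. IDs and paths are hypothetical placeholders, not
// real extensions (Chromium extension IDs are 32 characters from a-p).
const SIGNATURES = {
  "Example Password Manager": {
    id: "abcdefghijklmnopabcdefghijklmnop",
    path: "images/icon-128.png",
  },
  "Example Wallet": {
    id: "ponmlkjihgfedcbaponmlkjihgfedcba",
    path: "popup.html",
  },
  "Example Ad Blocker": {
    id: "aabbccddeeffgghhaabbccddeeffgghh",
    path: "assets/logo.svg",
  },
};

const PROBE_URL = /^chrome-extension:\/\/([a-p]{32})\/(.+)$/;

function resourceUrl(id, path) {
  return `chrome-extension://${id}/${path}`;
}

// Parse a probe URL back into extension ID and path. Used by the fake fetch
// below, and useful when reviewing which IDs a suspect extension probes for.
function parseProbeUrl(url) {
  const m = PROBE_URL.exec(url);
  return m ? { id: m[1], path: m[2] } : null;
}

// Probe every signature and return the names of the extensions that answered.
// A rejected fetch (unknown ID, or path not web-accessible) and a non-2xx
// response are both treated as "not installed".
async function probeExtensions(signatures, fetchImpl) {
  const found = [];
  for (const [name, { id, path }] of Object.entries(signatures)) {
    try {
      const res = await fetchImpl(resourceUrl(id, path));
      if (res.ok) found.push(name);
    } catch (_) {
      // Chromium rejects the fetch for unknown IDs and non-accessible paths.
    }
  }
  return found;
}

// Constructed fake fetch: `installed` maps extension ID -> Set of paths that
// the extension exposes as web-accessible. Everything else rejects, as the
// real fetch does for a missing or non-accessible resource.
function makeFakeFetch(installed) {
  return async (url) => {
    const probe = parseProbeUrl(url);
    if (probe && installed.has(probe.id) && installed.get(probe.id).has(probe.path)) {
      return { ok: true, status: 200 };
    }
    throw new TypeError("Failed to fetch");
  };
}

// Constructed demo browser: password manager installed and exposing its icon;
// wallet installed but exposing only content.js, so its popup.html probe fails.
const DEMO_BROWSER = new Map([
  ["abcdefghijklmnopabcdefghijklmnop", new Set(["images/icon-128.png"])],
  ["ponmlkjihgfedcbaponmlkjihgfedcba", new Set(["content.js"])],
]);

probeExtensions(SIGNATURES, makeFakeFetch(DEMO_BROWSER)).then((found) => {
  console.log("detected:", found); // detected: [ 'Example Password Manager' ]
});
```

Two caveats a practitioner should keep in mind. Only resources listed under `web_accessible_resources` answer, and an MV3 extension that sets `use_dynamic_url` on them, or restricts `matches` to its own origins, does not answer at a static `chrome-extension://` URL, which is why the wallet in the demo goes undetected. The scheme is also Chromium-specific: Firefox assigns each install a random UUID under `moz-extension://`, so a table of fixed IDs does not carry over.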
This threat spans all major Chromium-based browsers—Chrome, Edge, Brave, and Opera. What’s especially dangerous is how well these extensions evade current security tools:
- They request only medium-risk permissions, evading permission-based filters
- Static analysis doesn’t catch them, since the impersonation is only triggered at runtime, after a target has been found
- Security solutions typically lack insight into browser extension behavior
- The entire attack runs inside the browser, where traditional endpoint tools have no visibility
Detection is so difficult because polymorphic extensions aren’t static. They adapt based on the extensions you have and how your browser is configured. The same malicious extension might behave and appear completely differently across users. And for regular users, there’s no foolproof way to tell whether the extension you’re using is the real deal or a well-crafted fake.
So, what now?
The security community has a major problem on its hands. There’s no reliable framework today for measuring the true risk of browser extensions. The only deterministic method is a strict whitelist approach—paired with a browser detection and response solution that performs dynamic analysis on extensions. In Chromium browsers the whitelist itself is enforced with the ExtensionInstallBlocklist enterprise policy set to "*" together with ExtensionInstallAllowlist listing the permitted extension IDs.
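An extension ID is the one thing an imposter cannot copy: it can clone a target’s name, icon and popup, but it is installed under its own ID, so an allowlist keyed on IDs, plus a check for display names that match an allowlisted extension under a different ID, gives the deterministic test the paragraph above asks for. The following audit is an added example written for this page, not code from the article or from any vendor product; the allowlist and inventory are constructed, their IDs are hypothetical placeholders, and in a real deployment the inventory would come from `chrome.management.getAll()` (available to an extension holding the `management` permission) or from the browser’s enterprise reporting.

```javascript
// Added example (not from the article): deterministic allowlist audit with the
// polymorphic-imposter tell (same display name, different extension ID).

// Constructed allowlist: extension ID -> expected display name. IDs are
// hypothetical placeholders, not real extensions.
const ALLOWLIST = new Map([
  ["abcdefghijklmnopabcdefghijklmnop", "Example Password Manager"],
  ["ponmlkjihgfedcbaponmlkjihgfedcba", "Example Wallet"],
]);

// Constructed inventory in the shape chrome.management.getAll() returns
// (subset of fields). The last entry is the imposter: it reuses the password
// manager's display name under its own ID, and the real password manager has
// been switched off, the state the article describes.
const INVENTORY = [
  { id: "abcdefghijklmnopabcdefghijklmnop", name: "Example Password Manager", enabled: false },
  { id: "ponmlkjihgfedcbaponmlkjihgfedcba", name: "Example Wallet", enabled: true },
  { id: "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh", name: "Example  password Manager", enabled: true },
];

// Collapse case and whitespace so a near-copy of the name still collides.
function normalizeName(name) {
  return name.trim().toLowerCase().replace(/\s+/g, " ");
}

// Return a list of findings for an inventory; an empty list means clean.
function auditExtensions(inventory, allowlist) {
  const nameToAllowedId = new Map();
  for (const [id, name] of allowlist) nameToAllowedId.set(normalizeName(name), id);

  const findings = [];
  for (const ext of inventory) {
    const allowed = allowlist.has(ext.id);
    const collidesWith = nameToAllowedId.get(normalizeName(ext.name));

    if (!allowed) {
      findings.push({ id: ext.id, name: ext.name, severity: "high",
        reason: "not on allowlist" });
    }
    if (collidesWith && collidesWith !== ext.id) {
      findings.push({ id: ext.id, name: ext.name, severity: "critical",
        reason: `display name collides with allowlisted extension ${collidesWith}` });
    }
    if (allowed && !ext.enabled) {
      findings.push({ id: ext.id, name: ext.name, severity: "medium",
        reason: "allowlisted extension is disabled (possible imposter takeover)" });
    }
  }
  return findings;
}

// One-word verdict: the worst severity present, or "clean".
const RANK = { critical: 3, high: 2, medium: 1 };
function verdict(findings) {
  if (findings.length === 0) return "clean";
  return findings.reduce(
    (worst, f) => (RANK[f.severity] > RANK[worst] ? f.severity : worst),
    "medium",
  );
}

const demoFindings = auditExtensions(INVENTORY, ALLOWLIST);
for (const f of demoFindings) {
  console.log(`[${f.severity}] ${f.id} "${f.name}": ${f.reason}`);
}
console.log("verdict:", verdict(demoFindings)); // verdict: critical
```

The name-collision finding is the one to alert on: a non-allowlisted extension on its own is a policy violation, but a non-allowlisted extension carrying an allowlisted extension’s name, while that extension sits disabled, is the exact picture the article describes. The check does not depend on icons or popup markup, which is what the imposter controls.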
The next time you enter your master password, ask yourself:
Are you really sure who’s asking for it?

Dakshitaa Babu is a security researcher and product evangelist at SquareX, where she leads the security research team. A self-taught cybersecurity researcher mentored by offensive security veteran Vivek Ramachandran, she specializes in web attacks: malicious websites, files, scripts, and extensions capable of bypassing traditional security solutions. She is currently leading the Year-of-browser-bugs project. Dakshitaa has contributed to bleeding-edge browser security research presented at BSides SF Adversary Village, Recon Village, and the DEF CON main stage. Her work on email security bypasses, breaking Secure Web Gateways, MV3 extension vulnerabilities and Browser Syncjacking has been covered by leading media outlets, including Forbes Exclusive, TechRadar, Mashable, The Register, Bleeping Computer, and CyberNews.