Your password manager is under attack, and this new threat makes it worse: How to defend yourself


Do you sometimes feel stuck in a Catch-22 regarding your long-term credential management strategy?

You are.

On the one hand, if the tech industry has its way — to abolish all passwords and replace them with passkeys — users will eventually have almost no choice but to rely on password managers for signing in to their favorite sites and apps. Yes, the days of committing user IDs and passwords to memory or cryptically scratching your passwords into an old day planner are numbered.

On the other hand, malicious actors are the lions at our gate. All the password management solution providers ZDNET spoke with acknowledge that they’re under constant attack by hackers trying to access the proverbial keys to the kingdom and the riches they protect. 


“Password managers are high-value targets and face constant attacks across multiple surfaces, including cloud infrastructure, client devices, and browser extensions,” said NordPass PR manager Gintautas Degutis. “Attack vectors range from credential stuffing and phishing to malware-based exfiltration and supply chain risks.”

Googling the phrase “password manager hacked” yields a distressingly long list of incursions. Fortunately, in most of those cases, passwords and other sensitive information were sufficiently encrypted to limit the damage.

Earlier this year, Picus Security published research indicating that hackers are redoubling their efforts to break into password managers. According to a release from the firm, “25% of malware targets credentials in password stores — a 3X increase from 2023.”

Picus Security co-founder Süleyman Özarslan noted that “threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting, and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom.” Threat actors are leaving no stone unturned in hopes of breaking into your password manager. 

A new and terrifying threat

One of the most recent and terrifying threats to make headlines came from SquareX, a company selling solutions that focus on the real-time detection and mitigation of browser-based web attacks. SquareX spends a great deal of its time obsessing over the degree to which browser extension architectures represent a potential vector of attack for hackers. 


Browser extensions are those small(ish) applications that many of us plug into Chrome, Firefox, Edge, and other browsers to enhance our web experiences. From one browser to the next, there’s an underlying architecture that serves as the enabling foundation for such browser extensions to run (in much the same way our smartphone and computer operating systems enable the apps we install on them to run). 

In the course of trying to discover certain browser extension vulnerabilities before malicious actors do, SquareX announced in February that it found a sneaky way for a malicious Chrome extension to impersonate 1Password’s password management extension. Although the announcement sounds like bad news for Chrome and 1Password users, it’s actually much worse. The discovery is relevant to all password managers on Chrome, and it’s relevant to all extensions on all popular browsers. 

SquareX didn’t single out Chrome or 1Password because it found them to be inherently more vulnerable than other browsers or password managers — or other extensions for that matter. “We picked Chrome as it’s the most used browser both within enterprise and in the B2C space,” said SquareX founder Vivek Ramachandran in an interview with ZDNET. 


Ramachandran emphasized that most extensions, regardless of the browsers they run on, have similar security issues. For example, Firefox and Chromium-based browsers such as Chrome and Edge have the same issues due primarily to how technologies like JavaScript and WebAssembly work. 

So, what exactly did SquareX discover? And what measures can you take to prevent your password manager and other extensions from being exploited?

How impostor extensions do their dirty work

Here’s the first thing to know about the exploit, which SquareX refers to as a “polymorphic extension”: it tricks users into working with an impostor extension.

A polymorphic extension is a browser extension that lures you to install it with one advertised benefit, but then morphs into a different extension that convincingly portrays itself as one of the legitimate extensions you’ve already installed (e.g., your password manager). From a social engineering perspective, it bears a strong resemblance to phishing and smishing. In one of two initial forms that the attack can take, it evades detection by temporarily disabling the legitimate extension without uninstalling it. 


On first blush, the idea that one browser extension could be so disruptive to another extension sounds like the type of software boundary violation any reasonable browser should block as a part of its security architecture. Take Chrome: When a browser extension is first added to the Chrome Web Store, the developer must declare a manifest of permissions that end-users are warned about before that extension can be installed. 

For example, according to Google’s list of permissions that developers can include in their manifests, if a developer declares that an extension needs access to Chrome’s notifications API, the text “Display notifications” will automatically be included in the preinstallation warning seen by users, as shown in the screenshot below:

[Screenshot by David Berlind/ZDNET: Chrome’s preinstallation permission warnings, including “Display notifications” and “Manage your apps, extensions, and themes”]

According to Ramachandran, the list of permissions is too complicated for regular users to make an informed decision, thus increasing the likelihood that a threat actor might get approval for an all-seeing, all-knowing browser “superpower.” 

Several of the permissions that qualify as superpower permissions are ones that most Chrome extensions, including password managers, shouldn’t be asking for. One of those — the permission for Chrome’s chrome.management API (with Firefox, it’s the browser management API) — is the permission that affords one extension the right to manipulate other extensions. 


An extension could ask for this permission when it’s first installed, or during a subsequent update. Either way, when the developer manifest includes the chrome.management API, the user is presented with the text “Manage your apps, extensions, and themes” as shown in the screenshot above.

But there’s no red-flag warning that indicates you’re about to enable the extension’s developer with a dangerous superpower. 

“It might feel like getting permission for the chrome.management API is a tall order, and that an extension that asks for it might require some heavy vetting by Google,” Ramachandran told ZDNET. “But this is not the case. Developers can ask for this permission in the manifest when uploading their extensions to the Chrome Store. So, security in this case depends entirely on the user knowing that this is a problematic superpower permission.”

Once the developer of an extension has access to the chrome.management API, not only can they morph their own extension into something else, they can disable other ones and unpin them from the browser’s toolbar without detection by the user. In fact, access to the chrome.management API also gives hackers the ability to fully uninstall other extensions. 


However, according to the chrome.management API documentation, if one extension uninstalls another extension, the user is notified with a pop-up dialog that can’t be overridden. Such a dialog would essentially tip off the user to the fact that something’s amiss. That’s one reason why, in the polymorphic extension attack, the malware extension stealthily falls short of completely uninstalling the legitimate extension it aims to temporarily take the place of.

Instead, to complete the ruse, a polymorphic extension replaces the legitimate extension’s icon (where it was pinned in the browser’s toolbar) with a doppelganger that, if clicked, activates the polymorphic extension, as shown in the sequence of screenshots below. The first screenshot shows the two extensions pinned to Chrome’s toolbar. Circled in blue is the icon for the legitimate 1Password extension. Circled in red is the icon for the malicious extension that the user downloaded and pinned under the pretense that it delivered some other useful value.

[Screenshot by David Berlind/ZDNET: the legitimate 1Password extension (circled in blue) and the malicious extension (circled in red) pinned to Chrome’s toolbar]

Once the malicious extension detects that the user is about to log into a website (which only requires the ability to examine the contents of the current web page), it uses the chrome.management API to disable the legitimate extension and unpin its icon from Chrome’s toolbar, as shown below. 

[Screenshot by David Berlind/ZDNET: Chrome’s toolbar after the legitimate extension has been disabled and its icon unpinned]

Then, as shown below, the malicious extension changes its own icon to look like the one that belongs to 1Password.

[Screenshot by David Berlind/ZDNET: the malicious extension now displaying a copy of 1Password’s icon]

By this point, the polymorphic extension will have morphed into an extension that looks and feels like the legitimate extension (reminiscent of how phishing websites impersonate legitimate sites). From there, the malicious extension prompts the unsuspecting user for the credentials to their 1Password account (remember, it could be any password manager) and phones home to the hacker with the newly exfiltrated information.

Then, to clean up after itself, it re-enables the legitimate extension, restores the pinned icons to their original state, and even completes the sign-in process with whatever website the user was authenticating with.  

In case the polymorphic extension is unable to garner the user’s permission for access to the chrome.management superpower, Ramachandran says there’s a contingency plan where it can just as easily pop up a browser window that looks and feels a lot like one of your legitimate extensions.


“All the attacker would have to do is inject code into the page, which creates a pop-up resembling the UI of the password manager extension,” said Ramachandran. “It would take a sophisticated user to realize this is not being served by the real extension.”

Injecting code into the current web page is another behavior that, on first blush, sounds like a privilege no extension should have. But as it turns out, pretty much all extensions — especially password managers — need permission to read and write to the active browser tab in order to do what they do. 

At the moment a website is asking for a user ID and password, a password manager has to read the page to find the user ID and password fields, and then must autofill those fields with the proper credentials in order to complete the login process. When an extension needs these permissions — as LastPass and other password managers do — the preinstallation warning will note that the extension can “read and change all your data on all websites,” as shown in the partial screenshot below.

[Screenshot by David Berlind/ZDNET: LastPass’s preinstallation warning, “Read and change all your data on all websites”]

Is the polymorphic extension threat real or no big deal?

First, it’s important to realize that security companies like SquareX have to imagine and then animate certain attacks in order to drive demand for their solutions. If SquareX can demonstrate the plausibility of various attacks that haven’t happened yet and prove that its solutions can defend against those attacks, it shouldn’t be difficult to get some IT professionals to invest in its solutions. 

In this case, SquareX has imagined a scenario that, for individual users, is largely predicated on a combination of ill-advised mistakes. For example, the attack is only possible after a user is duped into installing malware — or maybe it should be called morphware.


Despite efforts by Google to keep the Chrome Web Store free of malware, LastPass Cyber Threat Intelligence Analyst Stephanie Schneider told ZDNET that “a 2023 study found that extensions containing malware were available on the Chrome Web Store for an average of 380 days. In one case, an extension remained available from December 2013 until it was removed in June 2022.” However, Schneider added, “Despite these reported instances, Google stated in 2024 that less than 1% of all installs from the Chrome Web Store were found to include malware.” 

What are the implications for consumers versus businesses? 

When it comes to individual users, the more convincing version of the attack — the one that looks and feels like the legitimate extension — requires the user to give the impostor extension the equivalent of superuser privileges. While we cannot completely rule out Ramachandran’s contingency scenario involving a standard browser pop-up as an alternative vector for this attack, in our opinion, it is more likely to draw the user’s suspicion that something’s amiss. Still, given the surprising extent to which end-users continue to be socially engineered by phishers and smishers, either scenario is plausible.

For businesses and enterprises, the attack is predicated on one of two possible scenarios. In the first scenario, users are left to make their own decisions about what extensions are loaded onto their systems. In this case, they are putting the entire enterprise at risk. In the second scenario, someone in an IT role with the responsibility of managing the organization’s approved browser and extension configurations has to be asleep at the wheel. The entire point of centrally managing an organization’s systems is to make sure unauthorized and unvetted software doesn’t somehow find its way onto the corporate network. 

6 reasons why this threat is a big deal

The internet is full of false alarms about security vulnerabilities that are made to sound like they need your immediate attention when they don’t. But, this is a case where:

  1. The transition from passwords to passkeys will result in most of us using a password manager, whether we want to or not.

  2. Threat actors are hell bent on breaking into your password manager.

  3. An overwhelming majority of password manager users will install their password manager’s browser extension.

  4. Most end-users have weak moments when they click on otherwise suspicious links or download malicious software.

  5. The choice of operating system (Windows versus Mac) is irrelevant. Browsers are like virtual machines to the extent that they include their own JavaScript and WebAssembly execution platforms.

  6. The password manager solution providers that ZDNET spoke to all agree that, although the polymorphic extension attack presented by SquareX is currently a hypothetical attack (no known instances in the wild have been reported), it poses a legitimate threat to their browser extensions.

In other words, this is an attack — not necessarily a vulnerability — that merits additional attention and vigilance on behalf of end-users and businesses. As such, here’s our advice on how to best defend yourself.

How to defend yourself against a malicious extension

1. Only install extensions from the Chrome Web Store from trusted publishers

Browser extensions are essentially the downloadable EXEs (executable files) of the browser world. “Just like you would not download and run EXEs which are untrusted or from random sources, the same level of discretion needs to be applied to browser extensions,” said SquareX’s Ramachandran. “Only install extensions from the Chrome Web Store and make sure they are extensions from trusted publishers. You can find this out by looking at the developer email address domain.”

Gintautas Degutis, PR manager for the NordPass password manager, suggested taking things a step further: “Googling a developer or the extension itself is actually a very safety-conscious idea.” 


Another good source of extension information is the Chrome Web Store’s comments section, said Ramachandran. “Extensions with a history of bad behavior generally are reported. Especially be careful of extensions which advertise access to professional versions of other third-party sites (e.g., AI extensions which advertise access to the latest professional edition of ChatGPT).”  

2. Learn why certain permissions are requested

Educate yourself on the types of permissions that might convey browser superpowers to an extension that doesn’t need them. LastPass’s Schneider said, “Unsurprisingly, suspicious extensions generally ask for more permissions than harmless ones. Only use extensions from reputable sources that explicitly state why certain high-level permissions are required.”

It’s impossible to draw a line in the sand between permissions that are universally innocuous and permissions that could pose a threat. For example, the “Read and change all your data on all websites” permission is required for a password manager extension to work, but not necessarily required for other extensions. We think reputable sources should explicitly state the reasons for every requested permission. After all, why not?

3. Look for typos

Study the descriptions of extensions carefully and look for typos before downloading them. Threat actors are notoriously bad spellers. In some cases, a keyword might be misspelled in order to evade machine detection. For example, “Before downloading some extension, make sure that the developer is actually ‘OpenAI,’ not ‘OqenAI,’” advised Degutis.

4. Use multifactor authentication

Leverage multifactor authentication, advises 1Password’s director of communications and social media, Romina Ederle. This advice, particularly when it comes to authenticating with your password manager, cannot be overstated.


In SquareX’s hypothetical scenario, the malicious extension uses a dialog that looks and feels like 1Password’s extension to prompt the user for their 1Password user ID and password. However, if your password manager (or any other extension) can be configured to authenticate with a passkey (as it should be), there should be a way to avoid entering your password manager’s password into any extension at all, whether the password manager’s legitimate extension or a malicious polymorphic impostor.

Shown below is an example of how Bitwarden’s Chrome extension for its namesake password manager gives users the option of a passkey-driven login that’s completed with the assistance of another device (e.g., a smartphone) that itself is logged into the user’s Bitwarden account. If a malicious polymorphic extension presented a facsimile of this dialog and the user picked “Log in with device,” the entire workflow would come to a screeching halt because the threat actor has no way to move the user to the workflow’s next step. (At that point, the user should recognize they might be dealing with an illegitimate extension.)

However, in terms of additional factors of authentication, users should be cautious about having one-time passcodes (OTPs) sent to an email inbox that’s open in one of their browser tabs. An extension with the common permission to “Read and change all your data on all websites” could theoretically intercept an OTP that appears on that tab.    

[Screenshot by David Berlind/ZDNET: Bitwarden’s Chrome extension offering the “Log in with device” option]

5. Review your installed extensions periodically

NordPass’ Degutis also suggests periodic reviews of your installed extensions: “Check your installed extensions at chrome://extensions/ and remove any you don’t recognize or no longer use.” At the very least, review their permissions to see if they still align with your sense of the extension’s functionality and the permissions necessary to enable that functionality.

6. Study the behavior of installed extensions   

Better familiarize yourself with their user interfaces, which could help you to better recognize when an extension — or an impostor — is doing something unexpected.  

7. Opt in to your browser’s enhanced safe-browsing feature 

When standard safe-browsing is selected, Chrome “protects against sites, downloads, and extensions that are known to be dangerous.” Under standard protection, you may get a warning about one of your installed extensions if Google learns of its malicious nature some days, weeks, or months after you installed it. 

However, Chrome’s enhanced safe browsing, as shown in the partial screenshot below, “sends the URLs of sites you visit and a small sample of page content, downloads, extension activity, and system information” to Google’s AI-powered security services. It’s hard to know exactly what Google means by “extension activity.” (Google has not yet responded to ZDNET’s questions about polymorphic extensions.) 


But NordPass’s Degutis told ZDNET that “in this mode, Google AI is scanning websites and downloads (including extensions) against known and emerging threats.” Conceivably, now that Google is aware of the polymorphic extension threat, its security models have been trained to look for a combination of polymorphic behaviors, such as one extension momentarily disabling another extension while changing its own icons. 

[Screenshot by David Berlind/ZDNET: Chrome’s safe-browsing settings, with enhanced protection selected]

Note: When enhanced safe-browsing is activated, Chrome is sending “more information about your activity to Google in real time to offer stronger, more customized protection,” according to a Google support page. “This information includes the URLs you visit and a small sample of page content, downloads, extension activity, and system information. Some security features are disabled in incognito to prevent revealing additional data to Google.” In other words, Google is unquestionably collecting more information about what you’re doing in Chrome when enhanced safe browsing is activated. But it’s not clear how that changes for an incognito session. Users and organizations must decide for themselves whether such privacy trade-offs are worth the enhanced protection.

What should organizations do?

Businesses and other enterprises should educate themselves and their users on the potential dangers of polymorphic extensions. If organizations aren’t centrally managing the configuration of all web browsers on all end-user systems, now is a good time to start. Ramachandran suggested converting “your browsers to managed browsers and ensure that only whitelisted extensions can be installed.”

Additionally, an IT manager can enforce several of the options mentioned above for individuals through the centralized browser management console.
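The following Node.js script is an added example (not code from the article, SquareX, Google or any password manager vendor) that ties together tip 2 above and the managed-browser advice here: it flags the superpower permissions in an extension’s manifest, then models Chrome’s enterprise ExtensionSettings policy (installation_mode, blocked_permissions) to show whether a managed browser would allow the install. The HIGH_RISK list is this example’s own judgement, the policy model is simplified, and the sample manifest and extension IDs are constructed placeholders.

```javascript
// Added example: audit an extension manifest for "superpower" permissions and
// model Chrome's ExtensionSettings policy for a managed browser.
// Run with: node audit.js
// ASSUMPTIONS: HIGH_RISK is this example's own list, the policy evaluation is
// simplified, and every extension ID below is a constructed placeholder.

// Permissions that let an extension reach beyond its own UI. "management" is
// the one the polymorphic-extension scenario depends on.
const HIGH_RISK = {
  management: 'Manage your apps, extensions, and themes (can disable or uninstall other extensions)',
  debugger: 'Attach the debugger to any tab',
  proxy: 'Read and change proxy settings',
  nativeMessaging: 'Talk to native applications on the machine',
  webRequestBlocking: 'Block or modify network requests',
};

// Host patterns whose install warning reads "Read and change all your data on
// all websites". Needed by password managers, rarely by anything else.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function declaredPermissions(manifest) {
  // Optional permissions count too: an update can request them later.
  return [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
}

// One finding per risky permission, so a reviewer can ask the developer to
// justify each of them, as the article recommends.
function auditManifest(manifest) {
  const findings = [];
  for (const p of declaredPermissions(manifest)) {
    if (HIGH_RISK[p]) findings.push({ permission: p, reason: HIGH_RISK[p] });
  }
  // MV3 keeps hosts in host_permissions; MV2 mixed them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...declaredPermissions(manifest)];
  if (hosts.some((h) => ALL_SITES.has(h))) {
    findings.push({ permission: '<all_urls>', reason: 'Read and change all your data on all websites' });
  }
  return findings;
}

// Build an ExtensionSettings policy: "*" is the default stanza, per-ID stanzas
// override it. Everything off the allowlist is blocked, and even allowlisted
// extensions may not use the blocked permissions.
function buildPolicy(allowedIds, blockedPermissions) {
  const policy = { '*': { installation_mode: 'blocked', blocked_permissions: blockedPermissions } };
  for (const id of allowedIds) policy[id] = { installation_mode: 'allowed' };
  return policy;
}

// Simplified model of how Chrome evaluates the policy for one install request.
function installDecision(policy, extensionId, manifest) {
  const defaults = policy['*'] || {};
  const entry = policy[extensionId] || defaults;
  const mode = entry.installation_mode || 'allowed';
  if (mode === 'blocked' || mode === 'removed') {
    return { allowed: false, reason: `installation_mode=${mode}` };
  }
  const blocked = entry.blocked_permissions || defaults.blocked_permissions || [];
  const hits = declaredPermissions(manifest).filter((p) => blocked.includes(p));
  if (hits.length > 0) {
    return { allowed: false, reason: `blocked_permissions: ${hits.join(', ')}` };
  }
  return { allowed: true, reason: `installation_mode=${mode}` };
}

// Constructed sample: a "tab tidier" that also wants to manage other
// extensions and read every site, the combination the article warns about.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Handy Tab Tidier',
  permissions: ['storage', 'management'],
  host_permissions: ['<all_urls>'],
};

// Placeholder IDs (real Chrome IDs are 32 letters a-p); not real extensions.
const APPROVED_ID = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const UNKNOWN_ID = 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
const POLICY = buildPolicy([APPROVED_ID], ['management', 'debugger']);

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(`WARN ${f.permission}: ${f.reason}`);
console.log('unknown extension:', installDecision(POLICY, UNKNOWN_ID, SAMPLE_MANIFEST));
console.log('approved extension:', installDecision(POLICY, APPROVED_ID, SAMPLE_MANIFEST));
console.log(JSON.stringify(POLICY, null, 2)); // the object you would push to managed Chrome
```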

Schneider told ZDNET: 

“Organizations should also consider threat modeling exercises that address the extensions they allow on corporate devices to have a comprehensive understanding of what it actually does (versus what it says it does) and the potential threats associated with extensions’ permissions if it were used for malicious purposes. I’m not saying these legitimate extensions would necessarily be used for those purposes. But, they should be evaluated from the perspective of ‘If this were a malicious extension, what would it be able to do, and what would the consequences to the business be?’”


Degutis suggested that organizations should “install endpoint protection or browser security tools that can detect malicious extensions.” 

SquareX’s Ramachandran was not shy about suggesting SquareX’s enterprise solutions that, among other things, can block the installation of extensions based on the permissions they require. 

What should browser makers like Google do?

When it comes to policing the Chrome Web Store, Google is in a tricky position. Unfortunately, Google cannot prevent all extensions from accessing certain superpower browser APIs. Whereas certain legitimate extensions need access to these so-called superpowers, those same powers should be of no use to other extensions. Meanwhile, ordinary users are often left with the impossible task of making a determination at the moment an extension is being installed.


Throughout the developer documentation for Chrome, Google routinely advises developers to only require those permissions that are minimally needed for the core functionality of their extensions while giving users the choice of approving optional permissions in order to enable an extension’s additional capabilities. On a page that describes Chrome’s Permissions API, Google says, “The Permissions API allows developers to explain permission warnings and introduce new features gradually, which gives users a risk-free introduction to the extension.”

The general idea is to start extension users off with one set of permissions and gradually expose them to new features that might require additional permissions along the way. For that specific workflow, Google provides an example (shown below) of how an extension can ask for additional permissions. 

[Screenshot by David Berlind/ZDNET: Google’s sample extension, with a button that asks for additional permissions]

Although the example doesn’t show it (we think it should), this would have been the perfect opportunity for the sample extension to explain (as Google suggests) the purpose of the additional permission request (maybe with text that appears in the copious whitespace). When users click on a button like the one shown above, it triggers one of Chrome’s standard permissions dialogs, as shown in the example below. 

[Screenshot by David Berlind/ZDNET: Chrome’s standard permissions dialog for an optional permission request]

Apart from the actual permissions in the list, the dialog is nearly the same format as the dialog that users see when they install an extension in the first place. So, what’s wrong with this picture?

The messaging in the example above and others like it is too ambiguous. For example, it’s impossible to know if the extension will cease to function altogether if the user clicks “Deny.” Likewise, it’s not clear if clicking “Allow” will grant the requested permission on a temporary or permanent basis. After all, have we not been trained by Zoom and other conferencing products to grant access to our cameras and microphones for some conferences and not others? Judging by the existence of the “remove()” method as part of Chrome’s Permissions API, there’s no reason a developer couldn’t request a permission temporarily and then remove it once the user no longer needs it.
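As an added example (not Google’s sample and not from the article), here is the “borrow a permission, use it, hand it back” flow that the request/remove pair in Chrome’s Permissions API makes possible, with the justification text shown to the user before Chrome’s generic dialog. The permissions object is injected so the flow can run in Node with the constructed stand-in below; inside an extension you would pass chrome.permissions, and request() must be called from a user gesture such as a button click.

```javascript
// Added example: request an optional permission only for the duration of one
// task, then remove it. Not code from the article or from Google's samples.
// ASSUMPTION: `permissionsApi` has the chrome.permissions shape (contains,
// request, remove returning promises); a constructed stand-in is used here.

// Manifest fragment (constructed): the feature's permission is declared as
// optional, so the install-time warning does not include it.
const MANIFEST_FRAGMENT = {
  permissions: ['storage'],
  optional_permissions: ['notifications'],
};

async function withTemporaryPermission(permissionsApi, request, justification, work) {
  const alreadyHeld = await permissionsApi.contains(request);
  if (!alreadyHeld) {
    // This is the moment to tell the user what the permission is for and what
    // happens on "Deny": the feature is skipped, the extension keeps working.
    const granted = await permissionsApi.request(request);
    if (!granted) return { ran: false, justification, reason: 'user denied the permission' };
  }
  try {
    return { ran: true, justification, result: await work() };
  } finally {
    // Only give back what this call borrowed; never remove a permission the
    // user granted earlier for some other feature.
    if (!alreadyHeld) await permissionsApi.remove(request);
  }
}

// Stand-in for chrome.permissions (constructed, for running outside a browser).
// `grantDecision` plays the user's answer to Chrome's dialog.
function fakePermissions(grantDecision, initiallyHeld = []) {
  const held = new Set(initiallyHeld);
  const log = [];
  const names = (req) => req.permissions || [];
  return {
    log,
    holds: (p) => held.has(p),
    contains: async (req) => names(req).every((p) => held.has(p)),
    request: async (req) => {
      log.push(['request', names(req)]);
      if (grantDecision) names(req).forEach((p) => held.add(p));
      return grantDecision;
    },
    remove: async (req) => {
      log.push(['remove', names(req)]);
      names(req).forEach((p) => held.delete(p));
      return true;
    },
  };
}

// Demo: hold "notifications" only while sending one "sign-in finished" alert.
const demoApi = fakePermissions(true);
withTemporaryPermission(
  demoApi,
  { permissions: MANIFEST_FRAGMENT.optional_permissions },
  'Needed once to tell you the sign-in finished; removed right afterwards.',
  async () => 'notification sent',
).then((outcome) => console.log(outcome, 'still held:', demoApi.holds('notifications')));
```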


But what’s really wrong with Google’s example workflow is that it’s purely optional. Instead, extension developers can ask for as many permissions as they want at the time that an extension gets installed. In that workflow, there is no opportunity that we know of for developers to modify Chrome’s standard dialogs to either offer a justification for each requested permission or to give users the option of disallowing optional permissions. 

We’re imagining something with the sort of fidelity offered by a cookie consent form like the one pictured below from the website for Ireland’s Grand Opera House.

[Screenshot by David Berlind/ZDNET: the customizable cookie consent form on the Grand Opera House website]

Some permissions could be tagged as necessary, others as optional, and users could toggle them on or off based on their understanding of the explanation and their expectations of the extension’s functionality. 

If and when Google responds to our requests for comment, we’ll update this story.
