Malicious Chrome Extensions Are Now Your Password Manager — And They’re Keeping Your Logins (For Themselves)

Why Bother Phishing When You Can Just Pretend to Be the App?

Phishing is so 2023. Why would cybercriminals waste time sending fake emails when they can masquerade as the very tool designed to keep you safe? Enter the latest nightmare uncovered by SquareX Labs: malicious Chrome extensions that detect your password manager, spoof its interface, and then directly steal your credentials.

That’s right. They become the thing you trust most — and you happily hand them the keys to your entire online life. If this sounds like something Google should have fixed years ago, congratulations on having common sense, which is more than we can say for the Chrome Web Store review process.

Here’s How It Works (and Why It’s Brilliantly Evil)

  1. You install a seemingly harmless extension. Maybe it promises to help with coupons, shopping, or some other nonsense nobody needs.

  2. The extension scans your browser to detect which password manager you use.

  3. It impersonates the manager’s pop-up, right down to logos and design.

  4. You, thinking this is normal, re-enter your master password.

  5. That master password gets sent straight to the attackers.

  6. They now own every single login you’ve saved — email, banking, work, all of it.

This is like a burglar dressing up as your alarm technician, knocking on your door, and you letting them in with your whole security code written on your forehead.

The Real WTF Moment – Google’s Useless Extension Review Process

This is not the first time Chrome extensions have been weaponised. We’ve had:

  • Extensions that inject ads into every page you visit.

  • Extensions that mine crypto using your CPU.

  • Extensions that redirect your search queries to dodgy sites.

And now, we have extensions that straight-up pretend to be your password manager — the one tool you trust above all others.

Despite years of warnings, Google still lets nearly anyone publish an extension with almost no meaningful scrutiny. Security researchers have screamed about this for over a decade. Google’s response? A shrug, a half-hearted takedown request, and no systemic fix.

Why Password Managers are Prime Targets

Password managers sit at the heart of your digital identity. They hold:

✅ Your email logins
✅ Your banking and investment accounts
✅ Access to your business tools (M365, Google Workspace, CRM systems)
✅ Two-factor backup codes (if you’re unlucky enough to store them there)

Crack the manager and you crack everything. That’s why attackers don’t even need to target your actual accounts anymore — they just need to sit in your browser, wait for you to open your vault, and grab everything in one go.

Users are Part of the Problem

Let’s be honest — most users treat extensions like free sweets at a petrol station. If it looks vaguely useful, they install first, think later. There’s no habit of checking who made the extension, what permissions it wants, or whether it’s even necessary.

How many people reading this have dozens of extensions installed, most of which they haven’t used in months? If you treat your browser like a digital junk drawer, don’t be surprised when something malicious sneaks in.

What You Should Do Right Now

Audit Your Extensions

  • How many do you actually need?

  • Who made them?

  • What permissions do they request?
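The three audit questions above can be answered in bulk from the manifests Chrome keeps on disk. The script below is an added example, not code from the article or from SquareX Labs; it assumes Chrome's `Extensions/<extension id>/<version>/manifest.json` layout, and the `BROAD_PERMISSIONS` selection and the two sample extensions are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Wide-reach permissions; this selection is the example's assumption, not the article's.
BROAD_PERMISSIONS = {"tabs", "scripting", "webRequest", "cookies",
                     "management", "history", "debugger", "nativeMessaging"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir):
    """Summarise each <extension id>/<version>/manifest.json under an Extensions folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        record = {"id": path.parent.parent.name, "name": "<unreadable manifest>",
                  "author": None, "broad_permissions": [], "all_sites": False, "review": True}
        findings.append(record)
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict): raise ValueError("not a JSON object")
        except (OSError, ValueError):
            continue  # cannot be assessed automatically, so "review" stays True
        declared = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            declared.update(script.get("matches", []))
        record["name"] = manifest.get("name", "?")  # may be a __MSG_...__ locale key
        record["author"] = manifest.get("author")   # optional field, often absent
        record["broad_permissions"] = sorted(declared & BROAD_PERMISSIONS)
        record["all_sites"] = bool(declared & ALL_SITES)
        record["review"] = record["all_sites"] or bool(record["broad_permissions"])
    return findings

def build_sample(root):
    """Write two constructed manifests (made-up ids and names) for a dry run."""
    samples = {
        "a" * 32: {"name": "Coupon Helper (constructed)", "version": "1.0",
                   "permissions": ["tabs", "scripting", "storage"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Dark Theme (constructed)", "version": "2.1", "permissions": ["storage"],
                   "author": {"email": "dev@example.com"}, "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / (manifest["version"] + "_0")
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_extensions(build_sample(tmp)), sep="\n")
```

To audit a real profile, pass `audit_extensions` the profile's Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux). The manifest's `author` field is optional, so the publisher still has to be checked on the store listing for each id.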

Lock Down Your Password Manager

  • Enable biometric login wherever possible.

  • Turn on hardware security key support if your manager allows it.

  • Use a password manager that doesn’t rely solely on browser integration.

Train Your Team (And Yourself)

  • Teach people to spot dodgy extensions.

  • Encourage minimalist browsing — if you don’t need an extension, ditch it.

Demand Better from Google

  • Users shouldn’t have to be security experts. Google should radically improve its extension review process, including automated malware scans and real developer verification.

This Isn’t Just a Chrome Problem (But Chrome is the Worst Offender)

Other browsers have extension stores too — Firefox, Edge, even Safari. But Chrome’s dominance (and its historically lax policing) makes it the go-to playground for extension-based attacks. If you default to Chrome because “it just works,” maybe it’s time to rethink that.

Clean Out Your Digital Junk Drawer

Go look at your extensions right now. If you can’t immediately explain why each one is installed, delete it. Then, audit your password manager settings, train your team, and start treating browser extensions like potential malware — because some of them already are.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com