AI Sidebar Spoofing: New Attack Hides Phishing in Fake Browser Extensions
Researchers at SquareX have published a comprehensive report on a newly discovered vulnerability known as AI Sidebar Spoofing—a novel class of attacks that leverages malicious browser extensions disguised as AI sidebar interfaces. This technique allows threat actors to deceive users into executing harmful commands, ranging from cryptocurrency theft to the installation of backdoors.
Previously, SquareX had demonstrated how fake prompts could trick AI-enabled browsers such as Comet into downloading malicious files or granting access to corporate applications. The new study reveals that attackers can now compromise the interaction layer itself—the AI sidebar through which users communicate with artificial intelligence.
The attack begins with the installation of an extension masquerading as a legitimate productivity tool—such as a password manager or an AI-powered assistant. In some cases, genuine extensions are hijacked or purchased by attackers; examples include Cyberhaven, Geco Colorpick, and Great Suspender. Once installed, the extension injects JavaScript code that creates an exact visual replica of the authentic AI sidebar within the browser.
As the researchers note, the attack requires only standard permissions—such as host and storage—identical to those used by trusted extensions like Grammarly or popular password managers. This makes the intrusion virtually invisible to conventional permission analysis tools.
When a user enters a query into the spoofed panel, believing they are interacting with the legitimate AI interface, the extension connects to a language model (in SquareX’s tests, Gemini) and generates a response laced with malicious commands.
SquareX highlights three illustrative scenarios:
— Cryptocurrency theft. The user requests instructions for withdrawing funds from Binance. The counterfeit panel substitutes a phishing link to a fraudulent site—binacee—which appears indistinguishable from the original. The credentials entered are immediately used by the attackers to access the victim’s genuine account.
— OAuth phishing. The victim asks for file-sharing services. The panel recommends a malicious website, which, upon signing in via Google, requests full access to Drive and Gmail, allowing the attackers to read emails and copy documents.
— Device compromise. The user seeks guidance on installing Homebrew. One of the steps is replaced with a reverse shell command, partially encoded in Base64. Once executed, the device connects to the attacker’s server, granting access to the system console for remote command execution and ransomware deployment.
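The first and third scenarios leave traces a defender can screen for in assistant output before acting on it: a link whose domain name nearly matches a trusted brand, and a shell step that decodes Base64 straight into an interpreter. The JavaScript below is an added example, not code from SquareX or from the original article; the trusted-domain list, the function names, the `.example` hostname and the sample text are constructed assumptions.

```javascript
// Added example: screen assistant output for two of the lures described above.
// TRUSTED_DOMAINS is an assumed allowlist, not taken from the report.
const TRUSTED_DOMAINS = ["binance.com", "google.com", "brew.sh"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // holds d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Flags links whose name is within two edits of a trusted brand but whose
// domain is not on the allowlist. Base domain = last two labels (a
// simplification: no public-suffix list is consulted).
function findLookalikeLinks(text) {
  const findings = [];
  for (const m of text.matchAll(/https?:\/\/[^\s"'<>)]+/g)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    const base = host.toLowerCase().split(".").slice(-2).join(".");
    if (TRUSTED_DOMAINS.includes(base)) continue;
    const label = base.split(".")[0];
    const near = TRUSTED_DOMAINS.find((t) => editDistance(label, t.split(".")[0]) <= 2);
    if (near) findings.push({ type: "lookalike-domain", value: host, resembles: near });
  }
  return findings;
}

// Flags shell lines that decode Base64 and pipe the result into a shell.
function findEncodedShellSteps(text) {
  const pattern = /base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b/;
  return text.split("\n").filter((line) => pattern.test(line))
    .map((line) => ({ type: "base64-to-shell", value: line.trim() }));
}

const screenAssistantOutput = (text) =>
  [...findLookalikeLinks(text), ...findEncodedShellSteps(text)];

// Constructed sample; the Base64 string decodes to the harmless "echo hello".
const SAMPLE = ["1. Log in at https://www.binacee.example/login to withdraw.",
  "2. Help pages: https://www.binance.com/",
  '3. Run: echo "ZWNobyBoZWxsbw==" | base64 -d | sh'].join("\n");
console.log(screenAssistantOutput(SAMPLE));
```

A two-edit threshold is noisy for short names such as `brew`, so treat hits as prompts for manual review and not as verdicts.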
SquareX warns that such attacks can be conducted not only through browser extensions, but also via websites embedding fake AI panels. However, the extension-based approach is far more dangerous, as it requires no special domain and can be triggered on any webpage.
The company reported the vulnerability to Perplexity under a responsible disclosure program, but received no response.
Moreover, just 48 hours before the publication, OpenAI unveiled its ChatGPT Atlas browser, in which researchers were able to reproduce the very same attacks.