- Hackers target Chrome browser extensions
- 16 extensions being compromised
- Exposed over 600,000 users to data exposure and credential theft
- The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign
Hackers used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.
The first company to fall victim to the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension.
On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.
The phishing email, which purported to come from Google Chrome Web Store Developer Support, sought to induce a false sense of urgency by claiming that their extension was at imminent risk of removal from the extension store citing a violation of Developer Program Policies.
It also urged the recipient to click on a link to accept the policies, following which they were redirected to a page for granting permissions to a malicious OAuth application named “Privacy Policy Extension.”
“The attacker gained requisite permissions via the malicious application (‘Privacy Policy Extension’) and uploaded a malicious Chrome extension to the Chrome Web Store,” Cyberhaven said. “After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.”
“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.
“Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure,” says Eshed.
Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.
Further investigation has uncovered more extensions [Google Sheets] that are suspected of having been compromised, according to browser extension security platform Secure Annex:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMInd AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
- Tackker – online keylogger tool
- AI Shop Buddy
- Sort by Oldest
- Rewards Search Automator
- ChatGPT Assistant – Smart Search
- Keyboard History Recorder
- Email Hunter
- Visual Effects for Google Meet
- Earny – Up to 20% Cash Back
These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.
(Courtesy: Hackersnews)
