
16 Chrome Extensions Hacked in Massive Credential Theft Operation


A large-scale supply-chain compromise has hit the Chrome browser extension ecosystem: at least 16 extensions were trojanized, exposing more than 600,000 users to data and credential theft. Rather than attacking the browser itself, the attackers ran a targeted phishing campaign against the developers and publishers of those extensions.

Developers were tricked into granting access to a malicious OAuth application through fake emails that appeared to be official communications from the Chrome Web Store. The emails were written to create urgency, and led developers to authorize a malicious application named “Privacy Policy Extension.” Because the victim approves the app through Google’s own consent screen, no password or MFA code is ever handed to the attacker; the attacker simply ends up holding an OAuth token that the publisher’s existing MFA does nothing to stop. That token gave the attackers the ability to publish to the developers’ Chrome Web Store accounts, and with it to push malicious code into legitimate extensions.

One of the affected firms, Cyberhaven, a cybersecurity company specializing in data loss prevention, fell victim to the attack on December 24. The attackers phished an employee into authorizing the malicious OAuth application, which gave them publishing access to Cyberhaven’s Chrome Web Store account. Using that access, they published a malicious update (version 24.10.4) of Cyberhaven’s popular Chrome extension on Christmas Day. The update was built to steal sensitive user data, including passwords, session tokens, Facebook account credentials, and cookies.

The malicious version remained live for over 31 hours before Cyberhaven’s security team detected it and removed it from the Chrome Web Store. The company then shipped a clean update (version 24.10.5), engaged Mandiant for incident response, and notified federal law enforcement to support the investigation.

In response to the breach, Cyberhaven advised its users to revoke and rotate passwords and other text-based credentials (anything a script running in the browser could have read, unlike a hardware-bound factor), to review logs for suspicious activity, and to remain vigilant. The company confirmed that its own systems, including its CI/CD pipeline and code signing keys, were not compromised; the malicious update was published through the hijacked Web Store account, not through Cyberhaven’s build process.
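The first thing a responder wants after an advisory like this is an inventory: which version of the extension is actually installed on each endpoint. Chrome keeps every installed extension under a profile’s `Extensions` directory as `<extension_id>/<version>_<n>/manifest.json`, so the check can be done from disk without the browser running. The following script is an added example, not Cyberhaven’s or Google’s code; the extension ID, the manifest name `Cyberhaven security extension`, and the sample profile tree are all constructed for the demonstration. Only the version numbers (24.10.4 malicious, 24.10.5 fixed) come from the article.

```python
import json
import tempfile
from pathlib import Path

# Versions named in the article: 24.10.4 was the malicious update,
# 24.10.5 the clean replacement.
MALICIOUS_VERSIONS = {"24.10.4"}
FIXED_VERSION = "24.10.5"


def resolve_name(ver_dir, manifest):
    """Resolve a localized manifest name ("__MSG_key__") through
    _locales/<default_locale>/messages.json; return the raw name otherwise."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    try:
        table = json.loads((ver_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return name
    return table.get(key, {}).get("message", name)


def inventory(extensions_root):
    """Yield (extension_id, version, name) for every <root>/<id>/<ver_dir>/manifest.json.
    Chrome names version directories like '24.10.4_0'; the manifest's own
    "version" field is preferred, with the directory prefix as a fallback."""
    root = Path(extensions_root)
    if not root.is_dir():
        return
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip, do not crash the sweep
            version = manifest.get("version") or ver_dir.name.split("_")[0]
            yield ext_dir.name, version, resolve_name(ver_dir, manifest)


def triage(extensions_root, name_pattern="cyberhaven"):
    """Return one finding per installed version whose name matches name_pattern.
    'status' is 'malicious', 'fixed' or 'unknown' relative to the versions above."""
    findings = []
    for ext_id, version, name in inventory(extensions_root):
        if name_pattern.lower() not in name.lower():
            continue
        if version in MALICIOUS_VERSIONS:
            status = "malicious"
        elif version == FIXED_VERSION:
            status = "fixed"
        else:
            status = "unknown"
        findings.append({"id": ext_id, "version": version, "name": name, "status": status})
    return findings


def build_sample_tree(root):
    """Constructed sample profile: a hypothetical extension with the malicious
    version still on disk beside the fix (Chrome does not always prune old
    version directories immediately), plus an unrelated extension with a
    localized name to exercise resolve_name()."""
    root = Path(root)
    ext_id = "a" * 32  # hypothetical 32-character extension ID
    for ver in ("24.10.4", "24.10.5"):
        d = root / ext_id / f"{ver}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(
            {"name": "Cyberhaven security extension", "version": ver, "manifest_version": 3}))
    other = root / ("b" * 32) / "1.2.3_0"
    (other / "_locales" / "en").mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2.3"}))
    (other / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Some Other Tool"}}))
    return root


if __name__ == "__main__":
    # Demo on the constructed tree. Against a real machine, pass the profile's
    # Extensions directory instead, e.g. ~/.config/google-chrome/Default/Extensions
    # on Linux or "~/Library/Application Support/Google/Chrome/Default/Extensions" on macOS.
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(build_sample_tree(tmp)):
            print(finding)
```

A `malicious` finding means the trojanized version is, or was, present on that host; since the update ran in the user’s browser with the extension’s permissions, that host’s browser-readable credentials and cookies should be treated as exposed and rotated regardless of whether 24.10.5 has since been installed.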

Following the Cyberhaven incident, security researchers discovered that several other extensions across various categories, such as AI assistants, VPNs, and productivity tools, were also compromised and communicating with the same malicious infrastructure. This paints a worrisome picture of a widespread and coordinated attack on the Chrome extension ecosystem.

The sophistication and scale of the attack show why organizations should treat browser extensions as part of their software supply chain: an extension that was trusted yesterday can turn malicious overnight through an automatic update, with no action by the user. While investigations are ongoing, the identity of the attackers remains unknown. As researchers continue to uncover affected extensions, developers and users alike should remain vigilant and take proactive measures to guard against this kind of compromise.

