
Extension Poisoning Campaign Reveals Flaws in Browser Security


On Christmas Eve 2024, a phishing attack let an unknown party take over a Cyberhaven employee's Google Chrome Web Store account and use it to publish a malicious version of Cyberhaven's Chrome extension to existing users. The poisoned build was pulled within an hour of its discovery, but the incident exposed how little visibility most organizations have into the extensions running in their browsers, and it is unlikely to be the last of its kind: extension poisoning is expected to remain a recurring problem.

Further investigation indicates that the attack was likely part of two distinct, and possibly connected, campaigns that targeted multiple extension developers in order to distribute malicious extensions, according to experts. These campaigns may have begun as early as April 2023.

Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider, stated that his team has uncovered several malicious extensions over the past few weeks and has been examining how they relate to one another. One campaign produced extensions designed to steal cookies, session tokens, and potentially passwords, with a focus on Facebook and OpenAI accounts. It relied on phishing to reach extension developers and on a malicious OAuth application, authorized by the phished developer, to hijack their Google Chrome Web Store accounts; Cyberhaven was one of the victims.

Experts disagree on when the first malicious extension tied to this campaign appeared, but the impact has been broad: 22 related extensions have been identified so far, affecting 1.46 million users. The second campaign focused on tracking user activity, telemetry, and visited sites, presumably to sell that data. Google has shut down the malicious Chrome Web Store accounts identified in the investigation and is continuing to review reports from Extension Total about remaining problematic extensions.

The security risk from a compromised extension is significant because extensions can read sensitive user data, cookies, credentials, and live sessions. Matt Johansen, a security researcher at Vulnerable U, pointed out that extensions often operate with a high level of trust and can collect comprehensive user information once compromised. For an attacker, poisoning an existing browser extension is an efficient way to distribute malicious code: a single update reaches a large number of machines with minimal effort.

To close this gap, organizations should treat extensions running in corporate browsers as managed software: maintain a real-time inventory of browsers and their installed extensions, enroll the browsers in centralized management, and establish an allowlist of approved extensions. Note that an allowlist keyed on extension ID alone would not have stopped the Cyberhaven case, because the malicious code arrived as an update to an extension users already trusted; the inventory therefore needs to track version changes and the permissions each extension requests, not just which IDs are present. Browser security is easy to deprioritize behind more visible problems, but incidents like this one are a reminder of why extensions deserve the same scrutiny as any other code running on corporate endpoints.
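The following script is an added example, not code from the original article or from any vendor named in it, showing what the three controls above look like in practice for Chrome: it generates a Chrome `ExtensionSettings` enterprise policy that blocks every extension except an allowlist, audits a set of installed extensions against that allowlist and against a list of high-risk permissions (the ones that expose cookies, sessions and page content), and diffs the current inventory against a previous snapshot so that a new version of an already-allowed extension is surfaced rather than silently accepted. The extension IDs, names, manifests and the previous-inventory snapshot are all constructed for the example; the `ExtensionSettings` policy keys (`*`, `installation_mode`) are Chrome's real policy format, which on Linux is deployed as a JSON file under `/etc/opt/chrome/policies/managed/`.

```python
"""Audit Chrome extensions against an allowlist and emit the matching policy.

Added example with constructed sample data. Real deployments would read
manifest.json from each profile's Extensions/<id>/<version>/ directory.
"""
import json
import re

# Hypothetical allowlist: extension ID -> internal label. IDs are constructed.
ALLOWLIST = {
    "aaaaaaaabbbbbbbbccccccccdddddddd": "corp-sso-helper",
    "eeeeeeeeffffffffgggggggghhhhhhhh": "approved-password-manager",
}

# Permissions that let an extension reach cookies, sessions or page content.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
    "history", "debugger", "nativeMessaging", "<all_urls>",
}

# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# Host patterns as broad as <all_urls>: "*://*/*", "https://*/*", "http://*/*".
BROAD_HOST_RE = re.compile(r"^(\*|https?)://\*/")


def build_extension_settings(allowlist):
    """Return a Chrome ExtensionSettings policy: default-deny, allow listed IDs."""
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id in allowlist:
        if not EXT_ID_RE.match(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id}")
        policy[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": policy}


def risky_permissions(manifest):
    """High-risk permissions declared by a manifest (MV2 or MV3 layout)."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # MV3 splits these out
    found = declared & HIGH_RISK_PERMISSIONS
    found |= {h for h in declared if BROAD_HOST_RE.match(h)}
    return found


def audit(installed, allowlist):
    """Flag extensions that are not allowlisted, or allowlisted but high-risk."""
    findings = []
    for ext in installed:
        risky = sorted(risky_permissions(ext["manifest"]))
        if ext["id"] not in allowlist:
            issue = "not_on_allowlist"
        elif risky:
            issue = "allowed_but_high_risk"
        else:
            continue
        findings.append({"id": ext["id"], "name": ext["manifest"].get("name"),
                         "version": ext["version"], "issue": issue, "risky": risky})
    return findings


def diff_inventory(previous, installed):
    """Return extensions that are new or whose version changed since `previous`.

    `previous` maps extension ID -> version from the last inventory run. A
    version bump on an allowlisted extension is exactly how a poisoned update
    shows up, so it is reported rather than trusted.
    """
    changes = []
    for ext in sorted(installed, key=lambda e: e["id"]):
        old = previous.get(ext["id"])
        if old != ext["version"]:
            changes.append({"id": ext["id"], "old": old, "new": ext["version"]})
    return changes


# Constructed sample inventory standing in for manifests read from disk.
SAMPLE_INSTALLED = [
    {"id": "aaaaaaaabbbbbbbbccccccccdddddddd", "version": "3.1.0",
     "manifest": {"name": "Corp SSO Helper", "manifest_version": 3,
                  "permissions": ["storage", "identity"]}},
    {"id": "eeeeeeeeffffffffgggggggghhhhhhhh", "version": "2.4.0",
     "manifest": {"name": "Approved Password Manager", "manifest_version": 3,
                  "permissions": ["storage", "cookies"],
                  "host_permissions": ["https://*/*"]}},
    {"id": "iiiiiiiijjjjjjjjkkkkkkkkllllllll", "version": "1.0.2",
     "manifest": {"name": "Free Coupon Finder", "manifest_version": 2,
                  "permissions": ["cookies", "webRequest", "<all_urls>"]}},
]

# Constructed snapshot from a "previous" inventory run.
PREVIOUS_INVENTORY = {
    "aaaaaaaabbbbbbbbccccccccdddddddd": "3.1.0",
    "eeeeeeeeffffffffgggggggghhhhhhhh": "2.3.9",
}

if __name__ == "__main__":
    print(json.dumps(build_extension_settings(ALLOWLIST), indent=2))
    for f in audit(SAMPLE_INSTALLED, ALLOWLIST):
        print(f"{f['issue']:22} {f['id']} {f['name']} risky={f['risky']}")
    for c in diff_inventory(PREVIOUS_INVENTORY, SAMPLE_INSTALLED):
        print(f"version change {c['id']}: {c['old']} -> {c['new']}")
```

On the sample data the audit reports the coupon extension as not allowlisted and the password manager as allowed but high-risk (it holds `cookies` plus a wildcard host pattern), and the inventory diff reports both the new coupon extension and the password manager's bump from 2.3.9 to 2.4.0. Whether an allowed extension with broad permissions is acceptable is a policy decision; the point of the audit is that the combination is visible, and that a version change on a trusted extension is a review trigger rather than background noise.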
