CyberSecurity SEE

Many Chrome extensions compromised in security breach

Several Google Chrome extensions have been hit by a widespread hacking campaign, raising concern among security practitioners about the safety of users' data. The attack was first brought to light by data security vendor Cyberhaven, which announced on December 27 that a supply chain attack had pushed a malicious version, 24.10.4, of its own Chrome extension. The attack began a few days earlier with a phishing email that compromised an employee's ability to publish to the Chrome Web Store.

The phishing email, disguised as a message from Google, falsely claimed that Cyberhaven's extension was in danger of being removed from the Chrome Web Store. Its link led to a genuine Google OAuth authorization flow for a malicious application named Privacy Policy Extension. The employee's Google account had multifactor authentication and Google Advanced Protection enabled, but neither protected it here: no password was phished and no MFA prompt was bypassed, because approving an OAuth consent screen does not re-authenticate the user. By clicking Allow, the employee granted the attacker's application permission to manage Chrome Web Store items under Cyberhaven's account, which is all the attacker needed to publish a new version.
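To make the authorization-flow point concrete, here is an added example (not code from Cyberhaven or from this article) of a pre-approval check a security team could run on a consent link before anyone clicks Allow. It parses the Google OAuth authorization URL and flags the Chrome Web Store scope, offline access, non-https redirects and look-alike endpoints. The scope strings and the accounts.google.com endpoint are real; the client_id, the redirect host and the sample URL are constructed placeholders.

```javascript
// Added example: pre-approval triage of a Google OAuth consent link.
// Real Google scope strings; the sample URL, client_id and redirect host are constructed.
const HIGH_RISK_SCOPES = {
  "https://www.googleapis.com/auth/chromewebstore": "publish and update Chrome Web Store items",
  "https://mail.google.com/": "full Gmail access",
  "https://www.googleapis.com/auth/drive": "full Google Drive access",
};

function auditOAuthConsentUrl(rawUrl) {
  const url = new URL(rawUrl);
  const p = url.searchParams;
  const findings = [];

  // The consent page must be Google's own; a look-alike host means the "Allow"
  // button is not Google's at all.
  if (url.hostname !== "accounts.google.com" || !url.pathname.startsWith("/o/oauth2/")) {
    findings.push(`not a Google authorization endpoint: ${url.host}${url.pathname}`);
  }

  // URLSearchParams already turns '+' and '%20' into spaces, so split on whitespace.
  const scopes = (p.get("scope") || "").split(/\s+/).filter(Boolean);
  for (const s of scopes) {
    if (s in HIGH_RISK_SCOPES) findings.push(`high-risk scope ${s}: ${HIGH_RISK_SCOPES[s]}`);
  }

  // A refresh token outlives the browser session, so the grant keeps working
  // after the employee closes the tab.
  if (p.get("access_type") === "offline") findings.push("requests offline access (refresh token)");

  // The authorization code is delivered to redirect_uri; anything but https is a red flag.
  const redirectUri = p.get("redirect_uri");
  if (redirectUri && new URL(redirectUri).protocol !== "https:") {
    findings.push(`non-https redirect_uri: ${redirectUri}`);
  }

  return { clientId: p.get("client_id"), scopes, redirectUri, findings, grant: findings.length === 0 };
}

// Constructed sample: the shape of a consent link that asks for Web Store publishing rights.
const SAMPLE_CONSENT_URL =
  "https://accounts.google.com/o/oauth2/v2/auth" +
  "?client_id=000000000000-placeholder.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Foauth%2Fcallback" +
  "&response_type=code&access_type=offline" +
  "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore+openid";

console.log(JSON.stringify(auditOAuthConsentUrl(SAMPLE_CONSENT_URL), null, 2));
```

Run it with node. The application name shown on the consent screen (here, "Privacy Policy Extension") is free text chosen by whoever registered the app, so it proves nothing; the scope list is what determines what the grant can do, and a Web Store publishing scope requested by anything other than the team's own release tooling should never be approved.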

With that access, the attacker uploaded a modified copy of Cyberhaven's official extension to the Chrome Web Store as the malicious version. As described in Cyberhaven's blog post, the tainted build carried additional files that connected to the attacker's command and control server and then collected user data for exfiltration to an external site. Analysis of compromised systems showed that the primary target was Facebook Ads accounts.

In the wake of the breach, Cyberhaven's CEO, Howard Ting, said the security team removed the malicious package within an hour of detecting it. As part of its response, Cyberhaven released an open-source tool for identifying extensions that send data to external hosts. The company promptly informed its users of the compromise and confirmed that the attack was focused on gaining access to Facebook accounts and information.

Cyberhaven further found that the malicious code actively harvested Facebook access tokens and account details and registered a mouse-click listener on facebook.com pages. The campaign was not limited to Cyberhaven: reports of similar tampering with Chrome extensions from other developers soon emerged, and security researchers, including Jaime Blasco of Nudge Security, pointed to evidence that the same campaign had hit multiple extensions.

According to Extension Total, 36 malicious extensions have been identified so far, many of them generative AI or Web3 tools. Secure Annex reported similar suspicious activity in other Chrome extensions, with some compromised versions dating back as far as May 2024 and containing keylogging capabilities.

Although many of the compromised extensions have since been replaced with clean versions, some malicious versions remain available or installed. Both Extension Total and Secure Annex urged users to remain vigilant and to exercise caution when installing and using Chrome extensions. Note that installing a clean version removes the malicious code but does not invalidate session tokens that were already exfiltrated, so affected users should also sign out of existing Facebook sessions and rotate any credentials handled in the browser while the malicious version was installed. Asked for additional details, Cyberhaven declined to comment further on the ongoing investigation.

The series of attacks on Google Chrome extensions underscores the persistent challenges posed by cyber threats and the critical need for robust security measures to safeguard users’ data and privacy in an increasingly interconnected digital world.
