SquareX Researchers Discover OAuth Vulnerability in Chrome Extensions Shortly Before Large Breach

SquareX, a pioneering Browser Detection and Response (BDR) solution, is setting the standard for browser security. Recently, SquareX uncovered a series of large-scale attacks aimed specifically at Chrome Extension developers with the goal of seizing control over extensions featured on the Chrome Store.

The breach occurred on December 25th, 2024, when a malicious version of Cyberhaven’s browser extension was published to the Chrome Store. The compromised extension enabled the attacker to hijack authenticated sessions and extract sensitive information. Cyberhaven removed the malicious extension after it had been available for download for more than 30 hours. With over 400,000 users on the Chrome Store at the time of the attack, the extent of the impact remains uncertain.

SquareX’s researchers had identified a similar attack just a week prior, demonstrating the potential vulnerabilities in Chrome Extensions. The attack began with a phishing email impersonating the Chrome Store and alleging a violation of the platform’s “Developer Agreement”. The recipient was urged to accept new policies to prevent their extension from being removed. Clicking the policy link prompted the developer to connect their Google account to a “Privacy Policy Extension”, which granted the attacker access to manipulate, update, and publish extensions under the developer’s account.

Browser extensions have become a favored method for attackers to gain initial access because most organizations have limited oversight of the extensions their employees use. Furthermore, even rigorous security teams often overlook subsequent updates after whitelisting an extension.
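A baseline check for the gap described above, where an allowlisted extension's later updates go unreviewed. This is an added example, not code from SquareX or Cyberhaven; the extension ID, baseline values and function names are constructed for illustration.

```python
import json
from pathlib import Path

# Constructed baseline: what was reviewed when the extension was allowlisted.
# The extension ID and values are placeholders, not taken from the incident.
BASELINE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "version": "1.4.0",
        "permissions": ["storage", "tabs"],
        "host_permissions": ["https://app.example.com/*"],
    }
}

def grants(manifest):
    """Collect what a manifest asks for: API permissions, host patterns
    (MV3 host_permissions) and content-script match patterns."""
    api = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return api, hosts

def review_update(ext_id, manifest, baseline=BASELINE):
    """Return findings for one installed manifest versus the approved baseline."""
    approved = baseline.get(ext_id)
    if approved is None:
        return [f"{ext_id}: not on the allowlist"]
    findings = []
    installed = manifest.get("version")
    if installed != approved["version"]:
        # Any version change means new code shipped, so it needs a fresh review.
        findings.append(f"{ext_id}: version {approved['version']} -> {installed}")
    api, hosts = grants(manifest)
    base_api, base_hosts = grants(approved)
    findings += [f"{ext_id}: new permission {p}" for p in sorted(api - base_api)]
    findings += [f"{ext_id}: new host access {h}" for h in sorted(hosts - base_hosts)]
    return findings

def scan_profile(extensions_dir, baseline=BASELINE):
    """Walk <extensions_dir>/<id>/<version>/manifest.json, the layout Chrome
    uses inside a profile's Extensions folder, and review every manifest."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        findings += review_update(path.parent.parent.name, manifest, baseline)
    return findings
```

A version change with no new permissions is still reported, because an update can change behavior within the access an extension already holds.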

At DEFCON 32, SquareX researchers showcased critical vulnerabilities in MV3-compliant Chrome extensions, illustrating how these extensions could be exploited to conduct a range of malicious activities, including hijacking video streams, adding unauthorized collaborators to GitHub, and extracting session cookies.

The Cyberhaven breach exemplified how attackers weaponized these vulnerabilities to pilfer corporate credentials across various platforms. The publicly available developer contact emails on the Chrome Web Store further exacerbated the problem, enabling attackers to target multiple extension developers simultaneously.

Given how closely the Cyberhaven breach followed SquareX’s disclosure, there is substantial evidence to suggest that these attacks are widespread across other browser extension providers. SquareX therefore recommends that both organizations and users exercise extreme caution when installing or updating browser extensions and conduct thorough security evaluations to mitigate risks.

SquareX’s Browser Detection and Response (BDR) solution now offers an array of protection measures, including blocking OAuth interactions to unauthorized websites, flagging suspicious extension updates or installations, and providing visibility into all extensions used across an organization. This proactive approach aims to prevent similar attacks from occurring in the future.

As the threat landscape evolves, it becomes crucial for companies to remain vigilant and proactively address supply chain risks. By equipping employees with the right tools and implementing stringent security measures, organizations can safeguard against identity attacks targeting browser extensions and maintain productivity in the face of emerging threats.

SquareX’s commitment to enhancing browser security underscores its position as a leader in the field. Their innovative BDR solution equips enterprises with the necessary tools to detect, mitigate, and prevent client-side web attacks in real-time, ensuring users are protected against advanced threats in the ever-evolving cybersecurity landscape. For more information on SquareX and their Browser Detection and Response solution, interested parties can contact junice@sqrx.com.
