SquareX Researchers Uncover OAuth Attack on Chrome Extensions Just Before Huge Breach – Source: hackread.com

SquareX, a leading Browser Detection and Response (BDR) solution provider, has been at the forefront of browser security. Recently, the company reported a series of large-scale attacks targeting Chrome Extension developers with the aim of taking control of the extensions on the Chrome Store. This alarming development came to light on December 25th, 2024, when a malicious version of Cyberhaven’s browser extension was discovered on the Chrome Store. This malicious extension allowed attackers to hijack authenticated sessions and extract sensitive information from users.

The malicious extension was available for download for over 30 hours before Cyberhaven removed it. The impact was significant: the extension had over 400,000 users on the Chrome Store at the time of the attack. Cyberhaven, the data loss prevention company behind the extension, refrained from commenting on the full extent of the breach when approached by the press.

This attack occurred shortly after SquareX researchers had identified a similar threat and even demonstrated the attack pathway just a week prior to the Cyberhaven breach. The attackers began by sending phishing emails to Chrome Store developers, pretending to be from the platform and claiming a violation of the Developer Agreement. The emails aimed to deceive developers into accepting new policies to prevent their extension from being removed from the Chrome Store. Once the developer clicked on the policy button, they were prompted to connect their Google account to a fake “Privacy Policy Extension,” which granted the attacker unauthorized access to the developer’s account.

Browser extensions have increasingly become a vector for attackers to gain initial access, as organizations often have limited visibility and control over the extensions used by their employees. Even the most robust security measures in place may not monitor updates to whitelisted extensions, leaving room for exploitation. SquareX researchers have revealed how attackers can manipulate MV3-compliant extensions to perform various malicious activities, such as stealing sensitive data and credentials.

Given that developer emails are publicly listed on the Chrome Store, attackers can target a large number of extension developers simultaneously. The attack on Cyberhaven highlighted the vulnerability of extension developers to such sophisticated attacks, prompting SquareX to urge both companies and individuals to exercise caution when installing or updating browser extensions.

To address these security concerns, SquareX offers a Browser Detection and Response (BDR) solution that provides protection against unauthorized OAuth interactions, suspicious extension updates, and installations of potentially harmful extensions. The tool also offers visibility into all extensions used within an organization, helping security teams monitor and safeguard against potential threats.

Vivek Ramachandran, the founder of SquareX, has warned that identity attacks leveraging browser extensions will continue to rise as employees rely on browser-based tools for work. He emphasized the need for companies to stay vigilant and reduce their supply chain risk by equipping employees with the necessary security measures without hindering productivity.

In conclusion, SquareX’s proactive approach to browser security underscores the importance of safeguarding against evolving cyber threats. The recent wave of attacks targeting Chrome Extension developers serves as a stark reminder of the vulnerabilities present in browser security. By prioritizing security measures and implementing solutions like SquareX’s BDR, organizations can better protect themselves against sophisticated cyber threats.
