Introduction: A new wave of cyberattacks has targeted popular Chrome browser extensions, compromising over 35 extensions and exposing over 2.6 million users to data theft and credential leakage. Cybercriminals have inserted malicious code into legitimate extensions, putting sensitive information such as cookies, access tokens, and user credentials at risk.
How the Attack Unfolded: The attack began with a sophisticated phishing campaign targeting developers who publish Chrome extensions on the Chrome Web Store. The emails tricked publishers into granting access permissions that allowed the attackers to inject harmful code into the extensions. This code was designed to steal valuable user data, including cookies and login credentials.
Cybersecurity firm Cyberhaven was among the first to identify the breach. On December 24, an employee was targeted with a phishing email, which led to the publication of a malicious version of the company's browser extension. By December 27, Cyberhaven had confirmed that the extension had been compromised, with malicious code communicating with a remote command-and-control (C&C) server to exfiltrate user data.
Phishing Campaign and Fake Urgency: The phishing email was designed to create a sense of urgency, falsely claiming that the extension was at risk of being removed from the Chrome Web Store due to a violation of Developer Program Policies. The message directed developers to click on a link, which then redirected them to a page that granted permissions to a malicious OAuth application called “Privacy Policy Extension.”
This malicious app allowed attackers to upload a compromised version of the extension to the Chrome Web Store, bypassing the security review process.
Security Risks in Browser Extensions: Or Eshed, CEO of LayerX Security, explains that browser extensions often have extensive permissions to access sensitive user data, such as identity information, access tokens, and cookies. Many organizations are unaware of the extensions installed on their devices, leaving them vulnerable to attacks that exploit these permissions.
Wide-Scale Attack: In addition to the Cyberhaven extension, numerous other extensions have been identified as potentially compromised, including well-known tools such as:
- AI Assistant - ChatGPT and Gemini for Chrome
- GPT 4 Summary with OpenAI
- VidHelper Video Downloader
- Proxy SwitchyOmega (V3)
- ChatGPT App
- VPNCity
- Rewards Search Automator
- And many more.
The scope of the attack suggests that this was part of a larger campaign targeting multiple Chrome extensions over an extended period. Investigations have revealed that the campaign may have been active since April 2023, with certain malicious domains registered as far back as 2021.
How the Attackers Operated: The malicious code within the compromised extensions was designed to steal Facebook identity data and access tokens, with a particular focus on Facebook Ads users. It contained functionality to track mouse clicks on Facebook’s website and send data to the C&C server, possibly to bypass security features like two-factor authentication (2FA).
Impact and Response: Although Google removed the malicious extension from the Chrome Web Store within 24 hours, users who had already installed the compromised version remained at risk until they updated or removed the extension manually. Experts warn that even after an extension is removed from the store, hackers can still access and exfiltrate data from affected users if the compromised extension remains installed.
Data Monetization SDKs: In some cases, the data-gathering code in these extensions was not the result of a hack but was intentionally included by developers as part of a monetization strategy. This covert data exfiltration, often bundled in SDKs (Software Development Kits), was used to stealthily collect user browsing data for advertising purposes.
Conclusion: This attack highlights the significant security risks posed by browser extensions, which are often granted broad permissions without adequate scrutiny. As cybercriminals continue to exploit these vulnerabilities, both developers and users must stay vigilant and regularly audit the extensions they use to protect sensitive data.
Stay Safe and Informed: Always check the permissions granted to your browser extensions and be cautious of unsolicited emails that ask you to update or grant access to your extensions. Regularly update your software and extensions to mitigate the risk of falling victim to such attacks.
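The permission audit recommended above can be automated. The script below is an added example, not code from the article or from any vendor named in it: it parses Chrome extension manifest.json files, flags the permissions that reach the data this campaign stole (cookies, identity, access tokens via webRequest) together with broad host access, and ranks extensions by an assumed risk score. The sample manifests and the weights are constructed for illustration.

```python
import json

# Constructed sample manifests (not from any real extension) in Chrome's
# manifest.json format: one minimal-permission, one MV3 over-privileged, one MV2.
SAMPLE_MANIFESTS = {
    "notes-helper": json.dumps({"manifest_version": 3, "name": "notes-helper",
                                "permissions": ["storage", "activeTab"]}),
    "video-tool": json.dumps({"manifest_version": 3, "name": "video-tool",
                              "permissions": ["cookies", "webRequest", "storage", "identity"],
                              "host_permissions": ["<all_urls>"]}),
    "legacy-proxy": json.dumps({"manifest_version": 2, "name": "legacy-proxy",
                                "permissions": ["cookies", "https://*/*"]}),
}

# Permissions that reach the data the article says was stolen (cookies, access
# tokens, identity). Weights are this example's assumed scoring, not a Chrome rule.
HIGH_RISK = {"cookies": 3, "webRequest": 2, "identity": 2, "scripting": 1, "tabs": 1}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Host match patterns: MV3 keeps them in host_permissions, MV2 mixes them into permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest):
    """Return (risk_score, findings) for one parsed manifest dict."""
    findings, score = [], 0
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(HIGH_RISK)):
        score += HIGH_RISK[p]
        findings.append(f"permission '{p}' (+{HIGH_RISK[p]})")
    broad = host_patterns(manifest) & BROAD_HOSTS
    if broad:
        score += 3
        findings.append("broad host access " + ", ".join(sorted(broad)) + " (+3)")
    if "cookies" in perms and broad:  # session cookies readable on every site
        score += 2
        findings.append("cookies + broad hosts: session cookies exposed on any site (+2)")
    return score, findings


def rank_extensions(manifest_jsons):
    """Parse each manifest JSON string and return [(name, score, findings)], worst first."""
    results = [(name, *audit_manifest(json.loads(raw))) for name, raw in manifest_jsons.items()]
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, findings in rank_extensions(SAMPLE_MANIFESTS):
        print(f"{name}: score {score}; " + "; ".join(findings))
```

On a real machine, point it at the manifest.json files under the browser's Extensions profile directory; a high score is a prompt to review who publishes the extension and what its latest update changed, not proof of compromise.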