16 Chrome Extensions Compromised: Over 600,000 Users at Risk


A newly uncovered attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to data breaches and credential theft. This incident highlights the vulnerability of browser extensions, often overlooked as a critical security risk.

The Attack: Targeting Publishers via Phishing

The attackers targeted publishers of legitimate Chrome browser extensions on the Chrome Web Store through a sophisticated phishing campaign. By compromising their accounts, the threat actors injected malicious code into the extensions, enabling the theft of cookies and user access tokens.

The first known victim was the cybersecurity firm Cyberhaven. On December 24, one of its employees fell prey to a phishing email, granting attackers access to publish a malicious version of Cyberhaven’s browser extension. The company disclosed the breach on December 27, detailing how the attackers used the extension to connect to a command-and-control (C&C) server hosted on the domain cyberhavenext[.]pro. From there, they downloaded configuration files and exfiltrated user data.

Phishing Techniques Exploited

The phishing email mimicked a communication from Google Chrome Web Store Developer Support. It created a false sense of urgency by warning that the targeted extension risked removal for violating Developer Program Policies. The email contained a link redirecting recipients to a page that sought permissions for a malicious OAuth application named “Privacy Policy Extension.”

“The attacker gained requisite permissions via the malicious application and uploaded a compromised Chrome extension to the Chrome Web Store,” Cyberhaven reported. Despite the Chrome Web Store’s security review, the malicious extension was approved for publication.

Browser Extensions: A Weak Point in Web Security

“Browser extensions are the soft underbelly of web security,” said Or Eshed, CEO of LayerX Security. “They are often granted extensive permissions to sensitive information like cookies, access tokens, and user identity data. Organizations frequently lack visibility into which extensions are installed on their systems, leaving them vulnerable.”

Additional Extensions and Domains Identified

Jaime Blasco, CTO of SaaS security firm Nudge Security, linked the C&C server used in the Cyberhaven breach to additional domains, suggesting a broader campaign. Secure Annex, a browser extension security platform, uncovered more compromised extensions, including:

  • AI Assistant – ChatGPT and Gemini for Chrome

  • Bard AI Chat Extension

  • VPNCity

  • Reader Mode

  • Rewards Search Automator

  • Earny – Up to 20% Cash Back

Secure Annex’s founder, John Tuckner, revealed that the campaign might date back to at least April 2023, possibly earlier. Domains used in the attacks, such as nagofsg[.]com and sclpfybn[.]com, were registered as far back as 2021 and 2022.
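The domains above are the kind of indicator a defender checks against outbound web traffic first. The script below is an added example, not tooling from the article, Cyberhaven or Secure Annex: it refangs the three domains named in this piece and matches them against proxy log lines. The log format and the sample lines are constructed for illustration; only the domain names come from the article. It also shows the edge case that a plain substring check gets wrong: `api.nagofsg.com` should match, while `notsclpfybn.com` and `cyberhavenext.pro.example.test` should not.

```python
"""Match web-proxy log lines against the command-and-control domains named in this
article. Added example, not tooling from the article, Cyberhaven or Secure Annex;
the proxy log format and the sample lines below are constructed for illustration."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators named in the article, kept in the defanged form it uses.
DEFANGED_IOCS = ["cyberhavenext[.]pro", "nagofsg[.]com", "sclpfybn[.]com"]


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' form into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def host_matches(host: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Suffix matching on a dot boundary avoids false positives such as
    'notsclpfybn.com' and false negatives such as 'api.nagofsg.com'."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed proxy log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return (client_ip, url, matched_ioc) for every request to an indicator domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        host = urlsplit(m["url"]).hostname or ""
        ioc = host_matches(host)
        if ioc:
            hits.append((m["client"], m["url"], ioc))
    return hits


# Constructed sample lines: two true hits, one benign request, two lookalikes
# that a naive substring check would wrongly flag, and one malformed line.
SAMPLE_LOG = [
    "2024-12-25T03:14:07Z 10.0.0.12 GET https://cyberhavenext.pro/config.json 200",
    "2024-12-25T03:14:09Z 10.0.0.12 POST https://api.nagofsg.com/collect 200",
    "2024-12-25T03:15:00Z 10.0.0.40 GET https://clients2.google.com/service/update2/crx 200",
    "2024-12-25T03:15:30Z 10.0.0.40 GET https://notsclpfybn.com/index.html 200",
    "2024-12-25T03:16:00Z 10.0.0.41 GET https://cyberhavenext.pro.example.test/ 404",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, url, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  (matches {ioc})")
```

Run against a real proxy export, the only change needed is the `LOG_RE` pattern; the matching logic stays the same, and extending `DEFANGED_IOCS` as researchers publish further domains is a one-line edit.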


Sophisticated Attack Chains

Tuckner’s analysis showed a pattern of interconnected malicious code across multiple extensions. For instance, the “Reader Mode” extension contained code linked to the Cyberhaven attack, alongside additional indicators of compromise. Similarly, “Rewards Search Automator” included functionality disguised as “safe-browsing” that exfiltrated data, as well as e-commerce-related malicious code.

The investigation revealed that some extensions, such as “Earny – Up to 20% Cash Back,” were updated as recently as April 2023, indicating ongoing threats.

Targeting High-Value Data

The compromised Cyberhaven extension primarily targeted identity data and Facebook account access tokens, with a specific focus on Facebook Ads users. This points to a possible financial motivation behind the campaign, as such accounts are often linked to substantial advertising budgets.

Mitigation and Ongoing Risks

Cyberhaven confirmed that the malicious version of its extension was removed from the Chrome Web Store within 24 hours of discovery. Similarly, some other compromised extensions have been updated or taken down. However, the removal from the store doesn’t necessarily end the threat.

“As long as the compromised extension remains active on user endpoints, attackers can continue to exploit it to exfiltrate data,” Eshed warned. Organizations must ensure that compromised extensions are uninstalled or updated to mitigate risks fully.

Lessons for Organizations and Developers

This attack campaign underscores the need for robust security measures for browser extensions:

  1. Enhanced Vetting: Extension publishers should adopt stronger security protocols to protect their developer accounts from phishing and unauthorized access.

  2. Endpoint Monitoring: Organizations must maintain visibility into the extensions installed on their systems and regularly audit their permissions.

  3. User Awareness: Educating users about phishing tactics and suspicious emails can reduce the risk of such attacks succeeding.
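The second lesson, keeping an inventory of installed extensions and auditing their permissions, is concrete enough to script. The following is an added example and not tooling from Cyberhaven, Secure Annex or LayerX. It assumes Chrome's on-disk layout of `<user_data_dir>/<profile>/Extensions/<extension_id>/<version>/manifest.json`, reads each manifest, and flags extensions that request permissions reaching cookies, tokens or all sites, or whose name matches one the article lists as compromised. It also handles the localized `__MSG_key__` name form, which is resolved from the extension's `_locales` directory. The sample profile it builds is constructed, with placeholder extension IDs.

```python
"""Inventory the Chrome extensions installed in a browser profile and flag the ones
that request high-risk permissions or carry a name the article lists as compromised.
Added example, not Cyberhaven's, Secure Annex's or LayerX's tooling. Assumes Chrome's
on-disk layout <user_data_dir>/<profile>/Extensions/<extension_id>/<version>/manifest.json;
the sample profile built at the bottom is constructed for illustration."""
import json
import tempfile
from pathlib import Path
from typing import List

# Names the article reports as compromised (a starting point, not a complete list).
COMPROMISED_NAMES = {
    "ai assistant - chatgpt and gemini for chrome",
    "bard ai chat extension",
    "vpncity",
    "reader mode",
    "rewards search automator",
    "earny - up to 20% cash back",
}

# Permissions that give an extension reach over cookies, tokens and page content.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "identity", "scripting", "management", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def normalize_name(name: str) -> str:
    """Fold dashes and case so store names compare cleanly against the list."""
    return name.replace("\u2013", "-").replace("\u2014", "-").strip().lower()


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a localized '__MSG_key__' name through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # keep the raw placeholder if the locale file is missing or broken
    return name


def audit_extension(version_dir: Path) -> dict:
    """Read one unpacked extension version and return its findings."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    name = resolve_name(version_dir, manifest)
    findings = []
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    broad = sorted(p for p in perms if p in BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    if normalize_name(name) in COMPROMISED_NAMES:
        findings.append("name matches an extension reported compromised in this campaign")
    return {"id": version_dir.parent.name, "version": manifest.get("version", "?"),
            "name": name, "findings": findings}


def audit_profile(user_data_dir, profile: str = "Default") -> List[dict]:
    """Walk every installed extension version under the profile and audit it."""
    ext_root = Path(user_data_dir) / profile / "Extensions"
    results = []
    if not ext_root.is_dir():
        return results
    for ext_id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            if (version_dir / "manifest.json").is_file():
                results.append(audit_extension(version_dir))
    return results


def build_sample_profile() -> Path:
    """Write a constructed profile with three fake extensions; the IDs are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-"))
    ext_root = root / "Default" / "Extensions"
    samples = {
        "a" * 32: {"manifest": {"manifest_version": 3, "name": "Harmless Notes",
                                "version": "1.0.0", "permissions": ["storage"]}},
        "b" * 32: {"manifest": {"manifest_version": 2, "name": "Reader Mode",
                                "version": "2.4.1",
                                "permissions": ["cookies", "tabs", "<all_urls>"]}},
        "c" * 32: {"manifest": {"manifest_version": 3, "name": "__MSG_appName__",
                                "default_locale": "en", "version": "3.1.0",
                                "permissions": ["webRequest"],
                                "host_permissions": ["https://*/*"]},
                   "messages": {"appName": {"message": "VPNCity"}}},
    }
    for ext_id, parts in samples.items():
        vdir = ext_root / ext_id / (parts["manifest"]["version"] + "_0")
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(parts["manifest"]), encoding="utf-8")
        if "messages" in parts:
            ldir = vdir / "_locales" / "en"
            ldir.mkdir(parents=True)
            (ldir / "messages.json").write_text(json.dumps(parts["messages"]), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext in audit_profile(build_sample_profile()):
        status = "; ".join(ext["findings"]) or "no findings"
        print(f"{ext['id'][:8]}... {ext['name']} v{ext['version']}: {status}")
```

Pointing `audit_profile` at a real user data directory (for example the `User Data` folder under `%LOCALAPPDATA%\Google\Chrome` on Windows) produces the inventory; a name match is only a prompt to check the extension ID and version against the vendor's advisory, since an extension that shares a name with a compromised one is not necessarily the same listing.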

What’s Next?

The attackers’ identity remains unknown, and the connection between the compromised extensions is still under investigation. The sophistication of the campaign signals a significant escalation in the threat landscape for browser extensions. Researchers continue to monitor for additional exposures, and Google has been contacted for further comment.

Conclusion

This large-scale compromise of Chrome extensions is a wake-up call for both developers and users. Browser extensions, often perceived as benign tools, can become potent vectors for cyberattacks. Strengthening security measures and maintaining vigilance is critical to mitigating such threats and protecting user data in the future.
