WARNING: Multiple Google Chrome Extensions Hacked!
A new attack campaign has compromised numerous Chrome browser extensions, exposing over 500,000 users to potential data breaches and credential theft.
The attack leveraged a phishing campaign to target extension publishers on the Chrome Web Store. By gaining access to their accounts, attackers injected malicious code into legitimate extensions, enabling them to steal cookies and user access tokens.
Cyberhaven First to Report Compromise
The first known victim was cybersecurity firm Cyberhaven, whose extension is a tool intended to help businesses stop unauthorized employee access to company information, such as copying and pasting an Excel spreadsheet filled with sales leads.
On December 27, the company revealed that its browser extension had been infiltrated by a threat actor who injected malicious code to interact with an external Command and Control (C&C) server hosted on the domain cyberhavenext[.]pro. The compromised extension downloaded additional configuration files and exfiltrated sensitive user data.
In a blog post, Cyberhaven CEO Howard Ting confirmed that a "malicious cyberattack" took place on Christmas Eve. The attacker managed to phish a Cyberhaven employee and used their credentials to gain access to the company's Chrome Web Store account. From there, the hacker uploaded a malicious version of the Cyberhaven Chrome extension. Ting stated that this version was removed within 60 minutes.
The attack only affected Chrome-based browsers that auto-updated during the affected period, with the malicious code potentially exfiltrating cookies and authenticated sessions for certain targeted websites.
Cyberhaven recommends that customers ensure their extension is updated to version 24.10.5 or newer, revoke or rotate all passwords that don't use FIDOv2, and review logs for suspicious activity.
Ting also mentioned that "public reports suggest this attack was part of a broader campaign targeting Chrome extension developers across various companies." Cyberhaven's initial findings indicate that the attacker was specifically targeting logins to social media advertising and AI platforms.
Broader Scope of the Attack
Following the disclosure, other compromised extensions linked to the same C&C server were quickly identified.
According to The Hacker News, Jaime Blasco, CTO of SaaS security firm Nudge Security, discovered additional domains resolving to the server used in the Cyberhaven breach.
Extensions Confirmed or Suspected to Be Compromised:
AI Assistant - ChatGPT and Gemini for Chrome
Bard AI Chat Extension
GPT 4 Summary with OpenAI
Search Copilot AI Assistant for Chrome
TinaMind AI Assistant
Wayin AI
VPNCity
Internxt VPN
Vindoz Flex Video Recorder
VidHelper Video Downloader
Bookmark Favicon Changer
Castorus
Uvoice
Reader Mode
Parrot Talks
Primus
These findings suggest the Cyberhaven breach was part of a larger, coordinated campaign targeting legitimate browser extensions.
Malicious Code Targets Facebook Accounts
Analysis of the compromised Cyberhaven extension revealed that its malicious payload primarily targeted identity data and access tokens for Facebook accounts, with a focus on business accounts.
Cyberhaven reported that the compromised extension was removed from the Chrome Web Store approximately 24 hours after the breach was discovered. Several other affected extensions have also been updated or taken down.
Security Implications
The sophistication and scale of this attack campaign underscore the critical need for organizations to monitor and secure browser extensions. Many organizations lack visibility into which extensions are installed on their endpoints, leaving them vulnerable to such attacks.
Security researchers are actively investigating the extent of the compromise, but the incident serves as a stark reminder of the risks posed by unchecked browser extensions.
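The version guidance above (24.10.5 or newer) and the visibility problem described in the previous section translate into a simple endpoint check: walk the Chrome profile's extension manifests, flag any extension whose name appears on the compromised list, and flag a Cyberhaven extension whose version is below the fixed one. The script below is an added example, not Cyberhaven's or Google's code; the Cyberhaven manifest name and the sample versions are constructed, and the audit reads only the standard manifest.json files Chrome keeps under <user-data-dir>/<profile>/Extensions/<id>/<version>/.

```python
import json
from pathlib import Path

# Extension names the article lists as confirmed or suspected compromised (subset).
COMPROMISED_NAMES = {
    "AI Assistant - ChatGPT and Gemini for Chrome", "Bard AI Chat Extension",
    "GPT 4 Summary with OpenAI", "TinaMind AI Assistant", "VPNCity",
    "Internxt VPN", "Reader Mode", "Castorus", "Uvoice", "Parrot Talks", "Primus",
}
# Per Cyberhaven's advisory, builds older than this one may carry the injected code.
CYBERHAVEN_FIXED = (24, 10, 5)


def parse_version(text):
    """Chrome versions are dot-separated integers; compare numerically (string
    comparison would wrongly rank "24.9.9" above "24.10.5")."""
    return tuple(int(part) for part in text.split("."))


def audit_manifest(manifest):
    """Return a finding for one parsed manifest.json, or None if nothing to flag."""
    name = manifest.get("name", "")
    version = manifest.get("version", "0")
    if "cyberhaven" in name.lower():
        if parse_version(version) < CYBERHAVEN_FIXED:
            return f"{name} {version}: below 24.10.5, update and rotate sessions"
        return None
    if name in COMPROMISED_NAMES:
        return f"{name} {version}: on compromised list, remove and rotate sessions"
    return None


def audit_profile(user_data_dir):
    """Audit every installed extension under a Chrome user-data directory."""
    findings = []
    for mf in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        with open(mf, encoding="utf-8") as fh:
            finding = audit_manifest(json.load(fh))
        if finding:
            findings.append(finding)
    return findings


# Constructed manifests standing in for files read from disk; the Cyberhaven name
# and all version numbers other than 24.10.5 are made up for the example.
SAMPLE_MANIFESTS = [
    {"name": "Cyberhaven Extension (constructed name)", "version": "24.10.4"},
    {"name": "Cyberhaven Extension (constructed name)", "version": "24.10.5"},
    {"name": "Reader Mode", "version": "1.5.7"},
    {"name": "Some Unrelated Extension", "version": "1.61.0"},
]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        print(audit_manifest(manifest))
```

Manifests whose "name" is a localisation placeholder (a `__MSG_...__` string) will not match the list by name and need the locale files resolved first.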
IT Manager at Haminan kaupunki - Hamina Town
20h
Google Workspace has built-in solutions and controls for enterprises to secure their Chrome usage. We have our fleet of Windows, Linux and ChromeOS behind the same controls. I am extremely surprised this article does nothing to highlight that. If everything is mirrored through Microsoft as the one setting the bar, we might as well stop doing anything in regards to security.
Cloud IT Architect & Information Security Specialist | Championing Secure Datacenter and Cloud Transformations | IT Consulting is my DNA
1d
Does it apply also to MS Edge if those extensions are installed?
Linux Engineer / Puppet Admin / Dev at Toolstation
2d
Corron Mlcak 🤔
TRIO Program Coordinator || AWS Certified Cloud Practitioner || CompTIA A+ || RPCV
2d
Interesting read. I wonder what organizational IT teams will brainstorm on a policy level to prevent such attacks in the future. Most places I've been employed at don't have policies for browser and/or extension activity, and others have had only minimal phishing training.
Senior Software Engineer at Marshfield Clinic Research Institute | Web and Mobile App Development
3d
My FB account was disabled on Dec. 20 over what I knew was session/cookie hijacking, but I hadn't yet pinpointed the culprit. I thought it may have been rogue Python scripts on a Mac when I was installing older tools to restore an old iPad, but those scripts were clean. Now I've checked my extensions and see I did have the Reader Mode extension, which is one of the affected ones in your list. Meta has so far been unhelpful at assisting to restore my account, even with all the proof it was a session breach out of our control (even with 2FA and all other security precautions). It is dumbfounding that they do not require secondary text/email confirmation before making such a radical change as linking two dissociated accounts together, especially when the malicious Instagram accounts that get linked to our FB are bot-generated and newly made.