A recent attack campaign compromised 16 Chrome browser extensions, exposing over 600,000 users to potential data theft and credential compromise. The campaign targeted publishers via phishing, allowing attackers to inject malicious code into legitimate extensions.
Chrome extensions hacked: Over 600,000 users exposed
The cybersecurity firm Cyberhaven was the first known victim, with an employee falling for a phishing attack on December 24. This breach enabled attackers to publish a malicious version of Cyberhaven’s extension. On December 27, Cyberhaven confirmed that the extension was compromised, and malicious code had been injected to interact with an external command-and-control (C&C) server at cyberhavenext[.]pro.
The phishing email, disguised as a communication from Google Chrome Web Store Developer Support, created a false sense of urgency, claiming the recipient’s extension was at risk of removal due to policy violations. Clicking the link led them to a malicious OAuth application called “Privacy Policy Extension,” which gained the necessary permissions to upload a malicious version of the extension.
After the Cyberhaven breach, researchers identified additional compromised extensions linked to the same C&C server, including AI Assistant – ChatGPT and Gemini for Chrome, VPNCity, and several others. John Tuckner, founder of Secure Annex, told The Hacker News that the attack campaign might date back to April 5, 2023.
Tuckner’s investigation connected the Cyberhaven and related attacks through shared malicious code in the “Reader Mode” extension. Some compromised extensions targeted Facebook accounts, specifically within Facebook Ads, aiming to exfiltrate cookies and access tokens.
Cyberhaven reported that the malicious extension was removed about 24 hours after it went live. However, it is warned that malicious code could still retrieve data from users who installed the compromised version before it was removed. Security teams continue to investigate other exposed extensions within this broader campaign.
Google Chrome two-factor authentication vulnerability
As the Cyberhaven breach unfolded, it revealed significant vulnerabilities, including the potential for hackers to bypass two-factor authentication protections. Cyberhaven confirmed that the attack specifically targeted logins to social media advertising and AI platforms.
The breach began with a phishing attack compromising an employee’s Google credentials, allowing the attacker to upload a malicious extension. Howard Ting, CEO of Cyberhaven, confirmed their team detected the malicious extension shortly after it went live on December 25 and removed it within an hour.
The compromised version affected only users who had auto-updated Chrome during the window when the malicious code was live. Cyberhaven took swift action, notifying customers and deploying a secure version of the extension.
Cyberhaven advised affected users to verify that they had updated their extension, revoke and rotate passwords that were not FIDOv2 compliant, and to review logs for suspicious activity. They have engaged external security firms to perform forensic analysis and are cooperating with law enforcement as part of their response to the breach.
Cyberhaven has reaffirmed its commitment to transparency and ongoing security improvements in light of the incident.
Featured image credit: Kerem Gülen/Midjourney
