The ongoing hacking spree has compromised at least 25 Chrome extensions, potentially affecting over two million users. Cyberhaven, a data protection company, fell victim to the attack.
On December 26th, Cyberhaven warned its users about a compromised Chrome extension. Hackers published a malicious version of the extension capable of exfiltrating user data, including cookies and authenticated sessions for certain websites.
An investigation has unveiled a wider hacking campaign.
Secure Annex, a browser extension security platform, tracks 25 compromised Chrome extensions with 2,291,000 users as of December 30th, 2024. Some of the largest ones also included “Visual Effects for Google Meet,” “Reader Mode,” “Email Hunter,” “Bard AI chat” and “Rewards Search Automator.”
Cybersecurity experts recommend that affected users immediately rotate passwords and tokens, clear active sessions, and review logs for any suspicious activity.
The full list of affected extensions is updated here.
What happened?
Cyberhaven was the first to ring the alarm, informing its extension users about the security incident.
“On December 24th, a phishing attack compromised a Cyberhaven employee's credentials to the Google Chrome Web Store,” the firm explains.
“The attacker used these credentials to publish a malicious version of our Chrome extension.”
Cyberhaven’s team detected the compromise the next day and removed the malicious extension within 60 minutes. Not all of the 400,000 users who had downloaded the extension were affected.
“The incident was limited in both scope and duration,” the firm said.
“Only Chrome-based browsers that auto-updated during this period (1:32 AM UTC on December 25th and 2:50 AM UTC on December 26th) were impacted.”
The firm’s initial findings show that the attacker’s malicious code was capable of exfiltrating authenticated sessions and was targeting logins to specific social media advertising and AI platforms.
“We now understand this was part of a larger campaign to target Chrome extension developers,” the initial report said.
“From analysis of some of the compromised machines, the primary motive for the attack was to target Facebook Ads accounts.”
Hackers are sending phishing emails to Chrome extension developers. In Cyberhaven’s case, the initial email was sent to the registered support address, which is publicly listed. When the employee clicked the link, they were taken to the standard Google authorization flow for granting access to third-party applications.
Despite having Google Advanced Protection and MFA enabled, the employee did not receive an MFA prompt.
The employee’s Google credentials were not compromised. However, the attacker’s malicious application, called “Privacy Policy Extension,” was granted the permissions it requested, and the hackers used that access to upload a malicious Chrome extension based on the original one.
“The attacker made a copy of the clean extension and added some malicious code to create a new malicious extension,” the firm explained.
The malware would then collect the user’s Facebook access token, user ID, account information and business accounts, retrieve the user’s ad account information, and send it all to the attacker’s command-and-control server.
Howard Ting, CEO at Cyberhaven, chose to notify all customers, whether affected or not. The compromised extension has been removed from the Chrome Web Store, and a secure version has been deployed.
Cyberhaven strongly recommends that users who were running a malicious version of their Chrome extension during the affected period verify whether it has been updated to version 24.10.5 or newer.
“Revoke/rotate all passwords that aren't FIDOv2. Reviewing logs for any suspicious activity,” Ting said.
Cyberhaven is a data loss prevention tool built as a browser extension to monitor and block data exfiltration from the browser.
The attack is ongoing
The indicators of compromise provided by Cyberhaven link the hack to a widespread campaign. According to a report by Secure Annex, hackers are targeting Chrome extension developers across multiple companies to obtain sensitive information from websites like Bank of America, American Express, Zoom, 23andme, and more.
By comparing the code and URLs, the firm’s researchers found two dozen other compromised Chrome extensions. At least eight affected extensions “contain the same code to reach out to a relatively unknown domain sclpfybn[.]com.”
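The comparison described above, matching extension code and URLs against known indicators and checking the extension version against the vendor's fixed release, is something a defender can automate. The following is an added example, not code from Cyberhaven, Secure Annex or the article: it walks Chrome's unpacked-extension layout (Extensions/<id>/<version>_0/manifest.json), flags any file that references the two domains named in the reporting (written defanged above, refanged here so they match), and separately flags a Cyberhaven-named extension older than 24.10.5. The extension IDs, names and file contents in the sample profile are constructed placeholders, and the name-based Cyberhaven check is a heuristic; a real deployment should key on the extension ID from the vendor advisory.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# Domains named as indicators in the reporting on this campaign (defanged in the article).
IOC_DOMAINS = ["sclpfybn.com", "cyberhavenext.pro"]
IOC_PATTERN = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.IGNORECASE)

# Minimum safe version of the Cyberhaven extension, per the vendor's advisory.
CYBERHAVEN_FIXED_VERSION = "24.10.5"

# Typical Chrome profile extension roots (assumption: default profile, standard install):
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
#   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
#   Linux:   ~/.config/google-chrome/Default/Extensions


def parse_version(version):
    """'24.10.5' -> (24, 10, 5); Chrome extension versions are dot-separated integers."""
    return tuple(int(p) for p in version.split("."))


def version_at_least(found, minimum):
    """True when `found` is the same as or newer than `minimum` (shorter tuples are zero-padded)."""
    f, m = parse_version(found), parse_version(minimum)
    width = max(len(f), len(m))
    return f + (0,) * (width - len(f)) >= m + (0,) * (width - len(m))


def scan_extension_dir(ext_dir):
    """Read one unpacked extension and list every IoC domain found in its code and data files."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    hits = []
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".js", ".json", ".html"):
            for match in IOC_PATTERN.finditer(path.read_text(errors="ignore")):
                hits.append((str(path.relative_to(ext_dir)), match.group(0)))
    return {"name": manifest.get("name", ""), "version": manifest.get("version", "0"), "ioc_hits": hits}


def scan_profile(extensions_root):
    """Walk Extensions/<id>/<version>_0/ and return one finding per installed version."""
    findings = []
    for id_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            if (ver_dir / "manifest.json").exists():
                finding = scan_extension_dir(ver_dir)
                finding["id"] = id_dir.name
                findings.append(finding)
    return findings


def assess(finding):
    """Classify a finding: IoC reference, outdated Cyberhaven build, or nothing to report."""
    if finding["ioc_hits"]:
        return "compromised"
    # Heuristic: name-based match; a real check should use the extension ID from the advisory.
    if "cyberhaven" in finding["name"].lower() and not version_at_least(
        finding["version"], CYBERHAVEN_FIXED_VERSION
    ):
        return "update-required"
    return "clean"


# Constructed sample profile with placeholder IDs (32 characters, like Chrome's, but not real ones).
CLEAN_ID = "a" * 32
INFECTED_ID = "b" * 32
OUTDATED_ID = "c" * 32
SAMPLE_EXTENSIONS = {
    CLEAN_ID: ({"name": "Example Notes", "version": "1.2.0", "manifest_version": 3},
               {"background.js": "chrome.runtime.onInstalled.addListener(() => {});"}),
    INFECTED_ID: ({"name": "Example Video Effects", "version": "3.1.7", "manifest_version": 3},
                  # Constructed: only the domain string matters to the scanner.
                  {"worker.js": 'const endpoint = "https://sclpfybn.com/";'}),
    OUTDATED_ID: ({"name": "Cyberhaven (sample)", "version": "24.10.4", "manifest_version": 3},
                  {"background.js": "// sample build older than the fixed version"}),
}


def write_sample_profile(root):
    """Lay the constructed sample out in Chrome's Extensions/<id>/<version>_0/ structure."""
    for ext_id, (manifest, files) in SAMPLE_EXTENSIONS.items():
        ver_dir = Path(root) / ext_id / f"{manifest['version']}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest))
        for name, body in files.items():
            (ver_dir / name).write_text(body)


def demo():
    """Scan the constructed sample profile and return {extension id: assessment}."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        return {f["id"]: assess(f) for f in scan_profile(tmp)}


if __name__ == "__main__":
    # Pass a real Extensions directory to scan it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        for f in scan_profile(sys.argv[1]):
            print(f["id"], f["name"], f["version"], assess(f), f["ioc_hits"])
    else:
        print(demo())
```

Run it with the path to a profile's Extensions directory to get one line per installed extension version; anything reported as "compromised" shows the file and the indicator string that matched, which is the evidence to keep when following the rotate-credentials and review-logs advice above.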
“A number of folks mentioned they saw other extensions compromised using similar code. After more investigation, we have found some of the same code being used in other extensions as far back as May 2024,” Secure Annex said.
Google also seems aware of the campaign, as some developers on Reddit mentioned their extension Moonsift being removed from the web store on December 10th, 2024.
Regarding the Cyberhaven chrome extension compromise I have reasons to believe there are other extensions affected. Pivoting by the ip address there are more domains created within the same time range resolving to the same ip address as cyberhavenext[.]pro (cont)
Jaime Blasco (@jaimeblascob), December 27, 2024
“It looks likely that Google identified this extension update as malicious and removed it from the web store out of caution. It is unknown if this happened for other extensions,” Secure Annex speculates.
One of the extensions that includes the malicious code was last updated on April 5th, 2023, signaling that the campaign has been ongoing for more than a year.