Hackers have compromised at least 35 Chrome extensions in a series of attacks that began on Dec. 5. The attacks involved sophisticated phishing emails sent from fake Chrome Web Store domains.
These emails urged developers to urgently resolve alleged policy violations. They directed victims to a landing page that harvested their credentials for access to Google resources. Cyberhaven, a security firm, confirmed that one of its employees inadvertently authorized a malicious third-party application.
This gave the hackers the credentials they needed. Analysts determined that the attackers were targeting Facebook accounts. They were looking for QR codes related to Facebook’s two-factor authentication (2FA) mechanisms.
The compromised extensions affected some 2.6 million users. Google Chrome uses several protections against such attacks, including app-bound encryption for session cookies. Other protections include safe browsing, device-bound session credentials, and Google’s account-based threat detection feature.
Google emphasized that using passkeys can significantly reduce the impact of phishing and social engineering attacks. Security keys have been shown to be more effective against various forms of attacks than traditional SMS or app-based 2FA.
Chrome extensions phishing attack impact
Cyberhaven’s CEO, Howard Ting, said that a malicious extension was published using the stolen employee credentials. The extension remained active from Dec. 24 until late on Dec. 25.
The compromised Cyberhaven extension (version 24.10.4) was active only between Dec. 25 and 26.
Users of Chrome-based browsers with auto-updates enabled during this period may have had their sessions and cookies stolen. The attackers were targeting logins for social media advertising and AI platforms. Cyberhaven confirmed that no other systems were affected, including its CI/CD processes and code signing keys.
The malicious extension was removed from the Chrome Web Store, and a secure version (24.10.5) was automatically deployed. Impacted users were notified and advised to update their extensions immediately. The Google Chrome security team advises users to be cautious when installing extensions.
They recommend regularly reviewing installed extensions, installing extensions only from trusted sources, paying attention to requested permissions, and keeping all extensions updated. Ongoing vigilance and proactive measures remain crucial to safeguarding user data against such attacks.
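The review the Chrome security team recommends above (inventory installed extensions, look at the permissions they request, confirm versions are current) can be scripted. The following is an added example, not code from Cyberhaven, Google or the original article. It walks a Chrome profile's Extensions directory, whose on-disk layout is `<profile>/Extensions/<extension_id>/<version>_<n>/manifest.json`, reads each manifest, flags permissions that would let an extension read session cookies or traffic, and checks each (id, version) pair against a known-compromised list. The version 24.10.4 comes from the article; the extension ID in `KNOWN_BAD` is a placeholder, since the article does not give it, and the sample profile the script builds is constructed data so the example runs offline. The `HIGH_RISK_PERMISSIONS` set is an assumption chosen to match the cookie and session theft described, not a Google-published list.

```python
"""Inventory Chrome extensions in a profile and flag risky or known-bad ones.

Added example (not Cyberhaven's or Google's code). Assumes the standard layout
<profile>/Extensions/<extension_id>/<version>_<n>/manifest.json.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or relay session material.
# Assumption: chosen to match the cookie/session theft described; tune as needed.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "declarativeNetRequest", "<all_urls>", "tabs", "scripting"}

# Known-compromised (extension_id, version) pairs. 24.10.4 is from the
# incident write-up; the ID is a PLACEHOLDER, not the real extension ID.
KNOWN_BAD = {("PLACEHOLDER_CYBERHAVEN_EXTENSION_ID", "24.10.4")}


def _collect_permissions(manifest: dict) -> set:
    """Flatten the permission-bearing manifest keys (covers MV2 and MV3)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms


def inventory_extensions(profile_dir: str) -> list:
    """Return one finding per installed extension version under the profile."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (json.JSONDecodeError, OSError):
                # An unreadable manifest is itself worth surfacing to the reviewer.
                findings.append({"id": ext_dir.name, "version": ver_dir.name,
                                 "name": None, "risky": set(), "known_bad": False,
                                 "error": "unreadable manifest"})
                continue
            # Chrome suffixes version directories with "_<n>"; prefer the manifest value.
            version = manifest.get("version", ver_dir.name.split("_")[0])
            perms = _collect_permissions(manifest)
            findings.append({
                "id": ext_dir.name,
                "version": version,
                "name": manifest.get("name"),
                "risky": perms & HIGH_RISK_PERMISSIONS,
                "known_bad": (ext_dir.name, version) in KNOWN_BAD,
            })
    return findings


def build_sample_profile() -> str:
    """Create a throwaway profile with three constructed sample extensions."""
    root = tempfile.mkdtemp(prefix="chrome_profile_")
    samples = {
        ("PLACEHOLDER_CYBERHAVEN_EXTENSION_ID", "24.10.4_0"): {
            "name": "Sample Compromised Extension", "version": "24.10.4",
            "manifest_version": 3, "permissions": ["cookies", "storage"],
            "host_permissions": ["<all_urls>"]},
        ("PLACEHOLDER_CYBERHAVEN_EXTENSION_ID", "24.10.5_0"): {
            "name": "Sample Fixed Extension", "version": "24.10.5",
            "manifest_version": 3, "permissions": ["storage"]},
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0_0"): {
            "name": "Sample Benign Extension", "version": "1.0.0",
            "manifest_version": 3, "permissions": ["storage"]},
    }
    for (ext_id, ver_dir), manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / ver_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point inventory_extensions at a real profile path to audit your own browser.
    for f in inventory_extensions(build_sample_profile()):
        flag = "KNOWN-BAD" if f["known_bad"] else ("RISKY" if f["risky"] else "ok")
        print(f"{flag:9} {f['id']} {f['version']} {f['name']} {sorted(f['risky'])}")
```

On a real machine, replace the placeholder ID with the published extension ID and pass the actual profile directory (for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows); a finding marked KNOWN-BAD for an extension that auto-updated during the incident window is the signal to treat browser sessions from that period as exposed and rotate them.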