In a concerning development for the cybersecurity world, experts report that hackers have hijacked a wide range of companies’ Chrome extensions. The attack, which appears to be widespread, has sparked alarm among industry professionals and users alike. New details have emerged about the sophisticated phishing campaign targeting Chrome browser extension developers, compromising at least 35 extensions.
These extensions, which included those from cybersecurity firm Cyberhaven, collectively reach roughly 2.6 million users. The attack started with a phishing email sent to Chrome extension developers directly or through a support email associated with their domain. The phishing email appeared to come from Google, claiming that the extension violated Chrome Web Store policies and was at risk of being removed.
When developers clicked the embedded ‘Go To Policy’ button in the phishing email, they were taken to a legitimate login page on Google’s domain for a malicious OAuth application. This application asked for permission to manage Chrome Web Store extensions through their accounts. Despite having enabled Google Advanced Protection and multi-factor authentication (MFA), the affected developers did not receive MFA prompts, because OAuth consent flows do not trigger them.
The permissions granted allowed the attackers to see, edit, update, or publish Chrome Web Store extensions, themes, apps, and licenses. Once the attackers accessed the developer accounts, they modified the extensions to include two malicious files, ‘worker.js’ and ‘content.js,’ which contained code to steal data from Facebook accounts.
Chrome extension hijacking concerns rise
These hijacked extensions were then published as new versions on the Chrome Web Store. Analysis showed that the attackers targeted Facebook business accounts, seeking data such as user IDs, access tokens, account information, ad account details, and business profiles. The malicious code even added a mouse-click event listener to capture interactions on Facebook.com, aiming to bypass two-factor authentication protections.
The stolen information was exfiltrated to the attacker’s command and control server, allowing them to potentially conduct unauthorized transactions, run disinformation campaigns, or sell access to compromised accounts. Eshed, CEO of LayerX Security, helped expose some of the compromised extensions and emphasized the risks associated with browser extensions. “Browser extensions are the silent identity threat.
According to our data, 60% of corporate users have extensions installed, and over 40% have high or critical-risk permissions, making them appealing targets for identity theft.”
The compromised extensions could allow attackers to steal sensitive information, redirect users to malicious websites, and further infiltrate company systems. This type of hijacking highlights the growing sophistication of cyber-attacks and the pressing need for robust online security measures. As companies scramble to address the breaches, it is clear that both users and developers must be cautious.
Users are urged to review their browser extensions’ permissions and report any suspicious activity immediately. The incident serves as another stark reminder of the vulnerabilities that exist in the digital age and the continuous effort required to safeguard data against increasingly sophisticated cybercriminals.
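The advice above to review extension permissions can be turned into a repeatable check. The script below is an added example, not code from the article or from any vendor it names: it walks the default Chrome user-data directory (the paths are assumed typical locations for Chrome only, not other Chromium browsers), reads each installed extension's manifest.json, and rates it by the permissions and host patterns that let an extension read cookies, traffic or page content on arbitrary sites, including the broad host access an attacker would need to reach sessions on an unrelated site such as Facebook. The risk tiers are this example's own heuristic, and the embedded sample manifest is constructed so the script runs offline when no extensions are found.

```python
#!/usr/bin/env python3
"""Audit locally installed Chrome extensions for high-risk permissions.

Added example for the article above; the tiering below is this script's
own heuristic, not a Google or Chrome Web Store definition.
"""
import json
import os
import sys
from pathlib import Path

# API permissions that let an extension read or alter cookies, traffic or
# pages on any site the host patterns allow (heuristic tiers, assumed here).
CRITICAL = {"webRequest", "webRequestBlocking", "debugger", "cookies", "proxy",
            "nativeMessaging", "declarativeNetRequestWithHostAccess"}
HIGH = {"scripting", "tabs", "history", "clipboardRead", "management",
        "declarativeNetRequest", "webNavigation", "privacy"}

# Default Chrome user-data directories per platform (assumed typical paths).
CHROME_DIRS = {
    "darwin": "~/Library/Application Support/Google/Chrome",
    "linux": "~/.config/google-chrome",
    "win32": "~/AppData/Local/Google/Chrome/User Data",
}


def is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every origin, e.g. <all_urls> or *://*/*."""
    if pattern == "<all_urls>":
        return True
    # "scheme://*/..." is a host wildcard with no domain restriction at all;
    # "https://*.example.com/*" is scoped to one domain and is not flagged.
    _, sep, rest = pattern.partition("://")
    return bool(sep) and rest.startswith("*/")


def audit_manifest(manifest: dict) -> dict:
    """Return the risk tier and the permissions or host patterns that drove it."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    # Content scripts run on the sites they match even without host_permissions.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    flags = [p for p in sorted(perms) if p in CRITICAL]
    flags += [h for h in sorted(hosts) if is_broad_host(h)]
    tier = "critical"
    if not flags:
        flags = [p for p in sorted(perms) if p in HIGH]
        tier = "high" if flags else "low"
    return {
        # Names may be localisation keys such as __MSG_appName__; shown as-is.
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "tier": tier,
        "flags": flags,
    }


def find_manifests(root: Path):
    """Yield (extension_id, manifest) for every installed extension version."""
    # Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest_path in root.glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parents[1].name
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                yield ext_id, json.load(fh)
        except (OSError, ValueError) as exc:
            print(f"skip {manifest_path}: {exc}", file=sys.stderr)


# Constructed sample manifest (not a real extension) in the shape this audit flags.
SAMPLE_MANIFEST = {
    "name": "Example Helper",
    "version": "1.2.3",
    "manifest_version": 3,
    "permissions": ["storage", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["content.js"]}],
}


def main() -> None:
    root = Path(os.path.expanduser(CHROME_DIRS.get(sys.platform, CHROME_DIRS["linux"])))
    found = list(find_manifests(root)) if root.is_dir() else []
    if not found:
        print(f"No extensions found under {root}; auditing the constructed sample instead.")
        found = [("constructed-sample-id", SAMPLE_MANIFEST)]
    for ext_id, manifest in found:
        r = audit_manifest(manifest)
        print(f"{r['tier']:8} {ext_id:32} {r['name']} {r['version']}  {', '.join(r['flags'])}")


if __name__ == "__main__":
    main()
```

Anything rated critical deserves a second look: check the extension's version and release date against the vendor's own channel, and remove extensions whose broad host access is not needed for what they do. The rating says nothing about whether a particular version is malicious; it only ranks which extensions would be most damaging if their developer account were hijacked as described above.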