Hitmetrix - User behavior analytics & recording

Hackers target Cyberhaven Chrome extension


Google Chrome users are advised to stay vigilant after a widespread attack campaign compromised at least 35 browser extensions, exposing over 2.6 million users to potential data theft. The attack, which began in mid-December, targeted extension developers through phishing emails that tricked them into granting access to their Chrome Web Store accounts. Once the attackers gained control, they injected malicious code into the extensions, allowing them to exfiltrate sensitive user data such as session cookies and bypass two-factor authentication (2FA) protections.

The compromised extensions were then re-published on the Chrome Web Store, where unsuspecting users continued to download and use them. Cybersecurity firm Cyberhaven was one of the affected companies, with its extension falling victim to the attack on Christmas Eve. CEO Howard Ting shared details of the incident, stating that an employee was successfully phished, allowing hackers to publish a malicious version of the extension.

The breach was discovered within 24 hours, and the extension was promptly removed from the store.

Hackers compromise Chrome extensions’ security

Analysis of the malicious code revealed that the attackers were primarily targeting Facebook accounts, particularly those associated with Facebook Ads.

The injected code listened for mouse click events on the Facebook website, searching for QR codes related to 2FA or CAPTCHA mechanisms in an attempt to bypass these security measures. Experts warn that browser extensions are a significant vulnerability in web security. “Sixty percent of corporate users have browser extensions installed on their computers, and over 40% of those users have extensions with high or critical-risk permissions,” said Or Eshed, CEO of LayerX Security, a firm that helped expose the compromised extensions.

Google has implemented several security measures to combat such attacks, including app-bound encryption, device-bound session credentials, and account-based threat detection. A Google spokesperson emphasized the importance of security keys in providing stronger protection against various types of attacks compared to traditional 2FA methods. As the investigation continues, users are urged to regularly review their installed extensions, update them to the latest versions, and report any suspicious activity.
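As an added defensive example (not code from the article, Cyberhaven, LayerX or Google), the script below does the extension review the article recommends: it reads the manifest.json of each installed Chrome extension and flags permission combinations, such as the cookies API paired with broad host access, that would let injected code reach session cookies as described above. The risk tiers and the default Chrome profile paths are this example's own assumptions, and when no profile is found it runs over constructed sample manifests so it can be tried offline.

```python
"""Flag installed Chrome extensions whose permissions could expose session data.

Added example for this article, not code from the article, Cyberhaven, LayerX
or Google. Risk tiers are a heuristic chosen here (assumption), and the profile
paths are the usual Chrome defaults, which vary by install.
"""
import json
import os
import platform
from pathlib import Path

# Assumption: heuristic tiers for this example, not an official ranking.
CRITICAL_PERMS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                  "proxy", "nativeMessaging"}
HIGH_PERMS = {"tabs", "scripting", "webNavigation", "history",
              "clipboardRead", "management", "downloads"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
LEVELS = ["low", "medium", "high", "critical"]


def _looks_like_host(pattern: str) -> bool:
    """Manifest V2 mixes host match patterns into the 'permissions' list."""
    return pattern == "<all_urls>" or "://" in pattern


def assess_manifest(manifest: dict) -> dict:
    """Return a risk summary for one parsed manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = {p for p in perms if _looks_like_host(p)}
    hosts |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    api_perms = perms - hosts
    critical = sorted(api_perms & CRITICAL_PERMS)
    high = sorted(api_perms & HIGH_PERMS)
    broad = bool(hosts & BROAD_HOSTS)
    # cookies/webRequest on every site is the exposure described in the
    # article: a compromised update could read any site's session cookies.
    if critical and broad:
        level = "critical"
    elif critical or (high and broad):
        level = "high"
    elif high or broad:
        level = "medium"
    else:
        level = "low"
    # Note: 'name' may be a localisation key like __MSG_appName__.
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "level": level, "critical": critical, "high": high,
            "broad_host_access": broad}


def default_extension_dirs() -> list:
    """Candidate <profile>/Extensions folders for this OS (assumed defaults)."""
    home = Path.home()
    system = platform.system()
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        roots = [local / "Google" / "Chrome" / "User Data"]
    elif system == "Darwin":
        roots = [home / "Library" / "Application Support" / "Google" / "Chrome"]
    else:
        roots = [home / ".config" / "google-chrome", home / ".config" / "chromium"]
    return [p / "Extensions" for root in roots if root.is_dir()
            for p in root.iterdir() if (p / "Extensions").is_dir()]


def scan_extensions_dir(ext_dir: Path) -> list:
    """Walk <ext_dir>/<extension id>/<version>/manifest.json and assess each."""
    findings = []
    for manifest_path in ext_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parent.parent.name
        findings.append(result)
    return findings


# Constructed sample manifests (not real extensions) for an offline run.
SAMPLE_MANIFESTS = [
    {"name": "Example Notes", "version": "1.0", "manifest_version": 3,
     "permissions": ["storage"]},
    {"name": "Example Tab Tidy", "version": "2.3", "manifest_version": 3,
     "permissions": ["tabs"], "host_permissions": ["https://example.com/*"]},
    {"name": "Example Session Helper", "version": "4.1", "manifest_version": 2,
     "permissions": ["cookies", "webRequest", "<all_urls>"]},
]


def assess_samples() -> list:
    return [assess_manifest(m) for m in SAMPLE_MANIFESTS]


if __name__ == "__main__":
    found = [f for d in default_extension_dirs() for f in scan_extensions_dir(d)]
    findings = found or assess_samples()
    for f in sorted(findings, key=lambda f: LEVELS.index(f["level"]), reverse=True):
        print(f"{f['level']:8} {f['name']} {f['version']} critical={f['critical']} "
              f"high={f['high']} broad_host_access={f['broad_host_access']}")
```

Run it as a normal user; it only reads manifest files and never modifies the profile. A "critical" finding is not proof of compromise, but it is the set of extensions to check first after news of a hijacked developer account, because a malicious update to one of them inherits exactly the permissions that make cookie theft possible.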

The identities of those behind the campaign remain unknown, and it is unclear if all the compromised extensions are related to the same group of attackers.
