A new attack campaign has targeted known Chrome browser extensions, resulting in at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.
The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.
The first company known to have been exposed was cybersecurity firm Cyberhaven.
On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.
“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.
“Many organizations don't even know what extensions they have installed on their endpoints, and aren't aware of the extent of their exposure,” says Eshed.
Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.
Jaime Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address as the C&C server used for the Cyberhaven breach.
Additional browser extensions currently suspected of having been compromised include:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vidnoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.
Analysis of the compromised Cyberhaven extension indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:
[Figure: User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)]
Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.
However, the fact that the extension was removed from the Chrome store doesn't mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.
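Because the risk persists on any endpoint that still holds the compromised version, the practical first step is an inventory. The following Python script is an added example, not code from the article or from any vendor named in it: it walks a Chrome profile's on-disk layout (Extensions/<id>/<version>/manifest.json), resolves localized extension names, and flags any extension whose name is on the list above or whose code references the reported C&C domain; the sample profile it builds is constructed for the demo.

```python
import json, re, tempfile
from pathlib import Path

# Extension names from the article's list, lower-cased for matching.
SUSPECT_NAMES = {
    "ai assistant - chatgpt and gemini for chrome", "bard ai chat extension", "gpt 4 summary with openai",
    "search copilot ai assistant for chrome", "tinamind ai assistant", "wayin ai", "vpncity", "internxt vpn",
    "vidnoz flex video recorder", "vidhelper video downloader", "bookmark favicon changer", "castorus",
    "uvoice", "reader mode", "parrot talks", "primus", "cyberhaven"}
# C&C domain reported in the article (defanged there as cyberhavenext[.]pro).
C2_DOMAIN = "cyberhavenext.pro"
def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Manifests often use __MSG_key__ placeholders; look them up in _locales/<default_locale>."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    msg_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msg_file.read_text(encoding="utf-8"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # unresolved placeholder: report it as-is rather than skip the extension
def scan_extensions(ext_root: Path) -> list:
    """Walk Extensions/<id>/<version>/manifest.json (Chrome's on-disk layout) and flag hits."""
    findings = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        name = resolve_name(ext_dir, manifest)
        reasons = []
        if name.strip().lower() in SUSPECT_NAMES:
            reasons.append("name is on the reported list")
        if any(C2_DOMAIN in js.read_text(encoding="utf-8", errors="ignore")
               for js in ext_dir.rglob("*.js")):
            reasons.append(f"code references {C2_DOMAIN}")
        findings.append({"id": ext_dir.parent.name, "name": name,
                         "version": manifest.get("version", "?"), "reasons": reasons})
    return findings
def build_sample() -> Path:
    """Constructed sample profile: one benign localized extension, one carrying the indicator."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    good, bad = root / "aaaa" / "1.0_0", root / "bbbb" / "24.10.4_0"
    (good / "_locales" / "en").mkdir(parents=True)
    bad.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en", "version": "1.0"}))
    (good / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "Harmless Notes"}}))
    (bad / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": "24.10.4"}))
    (bad / "worker.js").write_text(f"fetch('https://{C2_DOMAIN}/');  // constructed indicator\n")
    return root
```

Point scan_extensions() at a real profile's Extensions directory (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions) to inventory an endpoint; an extension with an empty reasons list is still worth recording, since the list above is only what is currently suspected.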
Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations when it comes to securing their browser extensions.