
16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft


Dec 29, 2025 | Ravie Lakshmanan | Endpoint Security / Browser Security

A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store through a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company known to have been exposed was cybersecurity firm Cyberhaven.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]professional, download additional configuration files, and exfiltrate user data.

“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they’re frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.


“Many organizations do not even know what extensions they’ve installed on their endpoints, and are not aware of the extent of their exposure,” says Eshed.

Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.

Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Additional browser extensions currently suspected of having been compromised include:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Abstract with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMInd AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.


Analysis of the compromised Cyberhaven extension indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact that the extension was removed from the Chrome store doesn’t mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.

Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations when it comes to securing their browser extensions.
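Because a compromised version can remain installed after its store listing is pulled, an endpoint inventory is the practical first check. The following Python sketch is an added example, not code from the article or from any vendor named in it; it assumes the usual Chrome profile layout `Extensions/<id>/<version>/manifest.json`, and it matches on display names only, since this page lists no extension IDs or versions, so a hit is a lead to verify rather than a verdict.

```python
import json
import sys
from pathlib import Path

# Names copied as listed on this page, plus Cyberhaven (casefolded for matching).
SUSPECT_NAMES = [n.casefold() for n in (
    "Cyberhaven", "AI Assistant – ChatGPT and Gemini for Chrome",
    "Bard AI Chat Extension", "GPT 4 Abstract with OpenAI",
    "Search Copilot AI Assistant for Chrome", "TinaMInd AI Assistant",
    "Wayin AI", "VPNCity", "Internxt VPN", "Vindoz Flex Video Recorder",
    "VidHelper Video Downloader", "Bookmark Favicon Changer", "Castorus",
    "Uvoice", "Reader Mode", "Parrot Talks", "Primus",
)]

def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving a __MSG_key__ placeholder via _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].casefold()  # message keys are case-insensitive
        locale = str(manifest.get("default_locale", "en"))
        try:
            path = version_dir / "_locales" / locale / "messages.json"
            raw = json.loads(path.read_text(encoding="utf-8-sig"))
            return str({k.casefold(): v for k, v in raw.items()}[key]["message"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            pass  # keep the placeholder so the extension is still listed
    return name

def inventory(extensions_dir: Path) -> list[dict]:
    """One record per installed extension version under <profile>/Extensions."""
    records = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = dict(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError):
            continue  # unreadable or malformed manifest
        name = resolve_name(path.parent, manifest)
        perms = [p for k in ("permissions", "host_permissions")
                 for p in (manifest.get(k) or [])]
        records.append({
            "id": path.parts[-3], "version": str(manifest.get("version", "")),
            "name": name, "cookie_access": "cookies" in perms,
            "suspect": any(s in name.casefold() for s in SUSPECT_NAMES),
        })
    return records

if __name__ == "__main__" and len(sys.argv) > 1:
    for rec in inventory(Path(sys.argv[1])):
        print(json.dumps(rec, ensure_ascii=False))
```

Pass the profile's extension directory as the argument, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows. Any record with `suspect` set should be compared against the publisher's own advisory for the affected version before removal or credential rotation decisions are made.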
