A new attack campaign targeted popular Chrome browser extensions, compromising at least 16 of them and leaving more than 600,000 users at risk of data exposure and credential theft.
The attack targeted browser extension publishers in the Chrome Web Store via a phishing campaign and used their access rights to inject malicious code into legitimate extensions to steal users’ cookies and access tokens.
Cybersecurity firm Cyberhaven was the first company known to be affected.
On December 27, Cyberhaven disclosed that the threat actor had compromised its browser extension and injected malicious code that communicated with an external command-and-control (C&C) server on the domain cyberhavenext(.)pro, downloaded additional configuration files, and stole user data.
“Browser extensions are the soft foundation of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “While we tend to think of browser extensions as harmless, in practice they often grant broad permissions to sensitive user information such as cookies, access tokens, credentials, and more.
“Many organizations don’t even know what extensions they have installed on their endpoints, and don’t realize the extent of their impact,” Eshed says.
After the Cyberhaven hack became known, additional extensions were quickly discovered that had also been compromised and were communicating with the same C&C server.
According to Jaime Blasco, CTO of SaaS security company Nudge Security, additional domains resolve to the same IP address as the C&C server used in the Cyberhaven hack.
Additional browser extensions currently suspected of being compromised include:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
These additional compromised extensions suggest that Cyberhaven was not a one-off target, but part of a large-scale attack campaign targeting legitimate browser extensions.
Analysis of the compromised Cyberhaven extension shows that the malicious code targeted the credentials and access tokens of Facebook accounts, and Facebook business accounts in particular:
[Image: User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)]
Cyberhaven reports that the malicious version of the browser extension was removed approximately 24 hours after it went live. Some of the other extensions detected have also already been updated or removed from the Chrome Web Store.
However, just because an extension has been removed from the Chrome store doesn’t mean the impact is over, says Or Eshed. “As long as the compromised version of the extension is still running on the endpoint, hackers can still access it and steal data,” he says.
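One defender-side check for the point above (the compromised version may still be installed on endpoints after the store listing is pulled), added here as an example that is not from the article or from any of the vendors it names: it walks a Chrome profile's Extensions directory, reads each installed version's manifest.json, and flags installs whose name is on a watchlist drawn from the article's list or whose files reference the C&C domain the article names. The extension IDs, the watchlist membership and the demo fixture are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicator taken from the article: the domain the injected code contacted.
CNC_DOMAIN = "cyberhavenext.pro"
CNC_PATTERN = re.compile(re.escape(CNC_DOMAIN).encode(), re.IGNORECASE)
# Names from the article's list; a name match alone is weak (names are not unique).
WATCHLIST_NAMES = {"cyberhaven", "vpncity", "internxt vpn", "reader mode", "parrot talks"}

def references_cnc(version_dir: Path) -> bool:
    """True if any JS/JSON/HTML file under this installed version mentions the C&C domain."""
    for path in version_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".json", ".html"}:
            if CNC_PATTERN.search(path.read_bytes()):
                return True
    return False

def scan_extensions(ext_root) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and list suspicious installs."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the inventory
        name = str(data.get("name", "")).strip()  # may be a localized __MSG_*__ key
        reasons = []
        if name.lower() in WATCHLIST_NAMES:
            reasons.append("name on watchlist")
        if references_cnc(version_dir):
            reasons.append("code references " + CNC_DOMAIN)
        if reasons:
            findings.append({"id": version_dir.parent.name, "name": name,
                             "version": str(data.get("version", version_dir.name)), "reasons": reasons})
    return findings

def demo() -> list:
    """Constructed fixture: one clean extension and one whose background script contacts the C&C."""
    root = Path(tempfile.mkdtemp())
    for ext_id, name, version, script in [
        ("a" * 32, "Notes", "1.0.0", "console.log('ok');"),
        ("b" * 32, "Reader Mode", "2.4.1", "fetch('https://cyberhavenext.pro/');")]:
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
        (d / "background.js").write_text(script)
    return scan_extensions(root)
```

On a real endpoint, point scan_extensions at the profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux) and review any install still present at a flagged version.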
Security researchers continue to look for more exposed extensions, but the sophistication and scope of this attack have raised the stakes for many organizations to secure the extensions running in their browsers.