16 Chrome Extensions Hacked in Large-Scale Credential Theft Scheme

SUMMARY

  • Large-Scale Breach: Over 16 Chrome extensions were compromised, exposing 600,000+ users to data and credential theft.
  • Phishing Attack: Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails.
  • Cyberhaven Impact: Attackers used admin credentials to deploy a malicious update stealing sensitive user data.
  • Widespread Impact: Many extensions across categories are linked to the same malicious infrastructure.
  • Response & Recommendations: Revoke credentials, monitor logs, and secure extensions; investigations continue.

A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to data and credential theft. The attack targeted extension publishers with phishing emails that mimicked official communications from the Chrome Web Store.

These emails, designed to create a sense of urgency, directed the recipient to accept updated policies by clicking a link, which led to a consent page for a malicious OAuth application called "Privacy Policy Extension". Developers who approved the request granted that application access to their Chrome Web Store accounts, and the attackers used that access to inject malicious code into legitimate extensions. Because the victim authorises the application through Google's own consent screen, no password or second factor is typed into an attacker-controlled page; the OAuth grant itself is what hands over the account.

Cyberhaven, a cybersecurity firm specializing in data loss prevention, was among the impacted firms and the first to publicly disclose its compromise. The attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials. 

According to Cyberhaven, the attackers compromised the “single admin account for the Google Chrome Store” and managed to publish a malicious update to their popular Chrome extension. This update, deployed on Christmas Day, was designed to steal sensitive user data, including passwords, session tokens, Facebook account credentials, and cookies.

The malicious extension, version 24.10.4, remained active for over 31 hours before being detected and removed from the Chrome Web Store. “Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes,” the company’s disclosure read.

Cyberhaven immediately released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation. The company has confirmed that its systems, including CI/CD processes and code signing keys, were not compromised.

In an email to its customers, Cyberhaven advised users to revoke and rotate passwords and other text-based credentials such as API tokens, and to review their logs for malicious activity. The reason is that stolen session tokens and cookies can bypass authentication controls: an attacker who replays them lands in an already logged-in account without needing the password or a two-factor code, so existing sessions and tokens have to be revoked rather than only passwords changed. The company has not disclosed further details of how the employee was phished or which corporate security controls allowed the account takeover.

Following the Cyberhaven breach, security researchers discovered numerous other compromised extensions exhibiting similar malicious behaviour. These extensions, spanning various categories including AI assistants, VPNs, and productivity tools, were found to be communicating with the same command-and-control servers.

Other extensions found to have been compromised, according to Secure Annex, a browser extension security platform, include the following:

Name                                          ID
VPNCity                                       nnpnnpemnckcfdebeekibpiijlicmpom
Parrot Talks                                  kkodiihpgodmdankclfibbiphjkfdenh
Uvoice                                        oaikpkmjciadfpddlpjjdapglcihgdle
Internxt VPN                                  dpggmcodlahmljkhlmpgpdcffdaoccni
Bookmark Favicon Changer                      acmfnomgphggonodopogfbmkneepfgnh
Castorus                                      mnhffkhmpnefgklngfmlndmkimimbphc
Wayin AI                                      cedgndijpacnfbdggppddacngjfdkaca
Search Copilot AI Assistant for Chrome        bbdnohkpnbkdkmnkddobeafboooinpla
VidHelper – Video Downloader                  egmennebgadmncfjafcemlecimkepcle
AI Assistant – ChatGPT and Gemini for Chrome  bibjgkidgpfbblifamdlkdlhgihmfohh
Vidnoz Flex – Video recorder & Video share    cplhlgabfijoiabgkigdafklbhhdkahj
TinaMind – The GPT-4o-powered AI Assistant!   befflofjcniongenjmbkgkoljhgliihe
Bard AI chat                                  pkgciiiancapdlpcbppfkmeaieppikkk
Reader Mode                                   llimhhconnjiflfimocjggfjdlmlhblm
Primus (prev. PADO)                           oeiomhmbaapihbilkfkhmlajkeegnjhe
Tackker – online keylogger tool               ekpkdmohpdnebfedjjfklhpefgpgaaji
AI Shop Buddy                                 epikoohpebngmakjinphfiagogjcnddm
Sort by Oldest                                miglaibdlgminlepgeifekifakochlka
Rewards Search Automator                      eanofdhdfbcalhflpbdipkjjkoimeeod
Earny – Up to 20% Cash Back                   ogbhbgkiojdollpjbhbamafmedkeockb
ChatGPT Assistant – Smart Search              bgejafhieobnfpjlpcjjggoboebonfcg
Keyboard History Recorder                     igbodamhgjohafcenbcljfegbipdfjpk
Email Hunter                                  mbindhfolmpijhodmgkloeeppmkhpmhc
Visual Effects for Google Meet                hodiladlefdpcbemnbbcpclbmknkiaem
Cyberhaven security extension V3              pajkjnmeojmbapicmbpliphjmcekeaac
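A practical use of this list is to sweep the browser profiles on an endpoint for the IDs. The script below is an added example written for this article, not tooling from Cyberhaven, Secure Annex or Google. It copies the 25 IDs from the table, assumes the standard Chromium on-disk layout (<User Data>/<Profile>/Extensions/<id>/<version>_<n>/manifest.json) and the usual Chrome, Chromium and Edge profile locations, and applies the one version fact the disclosure gives: Cyberhaven 24.10.4 is the malicious build and 24.10.5 the first clean one. For the other 24 extensions the article names no clean version, so any installed copy is reported.

```python
"""Check local Chromium-family browser profiles for the extension IDs in the
table above. Added example, not tooling from Cyberhaven or Secure Annex. The ID
list is copied from the table; the on-disk layout and profile paths are assumed."""
import json
import os
import sys
from pathlib import Path

COMPROMISED = {
    "nnpnnpemnckcfdebeekibpiijlicmpom": "VPNCity",
    "kkodiihpgodmdankclfibbiphjkfdenh": "Parrot Talks",
    "oaikpkmjciadfpddlpjjdapglcihgdle": "Uvoice",
    "dpggmcodlahmljkhlmpgpdcffdaoccni": "Internxt VPN",
    "acmfnomgphggonodopogfbmkneepfgnh": "Bookmark Favicon Changer",
    "mnhffkhmpnefgklngfmlndmkimimbphc": "Castorus",
    "cedgndijpacnfbdggppddacngjfdkaca": "Wayin AI",
    "bbdnohkpnbkdkmnkddobeafboooinpla": "Search Copilot AI Assistant for Chrome",
    "egmennebgadmncfjafcemlecimkepcle": "VidHelper - Video Downloader",
    "bibjgkidgpfbblifamdlkdlhgihmfohh": "AI Assistant - ChatGPT and Gemini for Chrome",
    "cplhlgabfijoiabgkigdafklbhhdkahj": "Vidnoz Flex - Video recorder & Video share",
    "befflofjcniongenjmbkgkoljhgliihe": "TinaMind - The GPT-4o-powered AI Assistant!",
    "pkgciiiancapdlpcbppfkmeaieppikkk": "Bard AI chat",
    "llimhhconnjiflfimocjggfjdlmlhblm": "Reader Mode",
    "oeiomhmbaapihbilkfkhmlajkeegnjhe": "Primus (prev. PADO)",
    "ekpkdmohpdnebfedjjfklhpefgpgaaji": "Tackker - online keylogger tool",
    "epikoohpebngmakjinphfiagogjcnddm": "AI Shop Buddy",
    "miglaibdlgminlepgeifekifakochlka": "Sort by Oldest",
    "eanofdhdfbcalhflpbdipkjjkoimeeod": "Rewards Search Automator",
    "ogbhbgkiojdollpjbhbamafmedkeockb": "Earny - Up to 20% Cash Back",
    "bgejafhieobnfpjlpcjjggoboebonfcg": "ChatGPT Assistant - Smart Search",
    "igbodamhgjohafcenbcljfegbipdfjpk": "Keyboard History Recorder",
    "mbindhfolmpijhodmgkloeeppmkhpmhc": "Email Hunter",
    "hodiladlefdpcbemnbbcpclbmknkiaem": "Visual Effects for Google Meet",
    "pajkjnmeojmbapicmbpliphjmcekeaac": "Cyberhaven security extension V3",
}
CYBERHAVEN_ID = "pajkjnmeojmbapicmbpliphjmcekeaac"
CYBERHAVEN_MALICIOUS, CYBERHAVEN_FIXED = (24, 10, 4), (24, 10, 5)  # per the disclosure

def parse_version(text):
    """'24.10.4_0' (Chromium folder name) or '24.10.4' -> (24, 10, 4)."""
    return tuple(int(p) for p in text.split("_", 1)[0].split(".") if p.isdigit())

def assess(ext_id, version):
    """Classify one installed extension; None if its ID is not on the list."""
    name = COMPROMISED.get(ext_id)
    if name is None:
        return None
    ver = parse_version(version)
    if ext_id == CYBERHAVEN_ID:
        verdict = ("malicious" if ver == CYBERHAVEN_MALICIOUS else
                   "patched" if ver >= CYBERHAVEN_FIXED else "pre-compromise")
    else:
        # No clean version is given for the others, so any install is reported.
        verdict = "compromised"
    return {"id": ext_id, "name": name, "verdict": verdict,
            "version": ".".join(map(str, ver))}

def scan_entries(entries):
    """entries: iterable of (extension_id, version_string) -> list of hits."""
    return [hit for hit in (assess(i, v) for i, v in entries) if hit]

def iter_installed(user_data_dir):
    """Yield (id, version) for every extension under every profile."""
    for ext_root in Path(user_data_dir).glob("*/Extensions"):
        for ext_dir in ext_root.iterdir():
            if not ext_dir.is_dir() or len(ext_dir.name) != 32:
                continue
            for ver_dir in ext_dir.iterdir():
                version = ver_dir.name  # fallback: folder name such as 24.10.4_0
                try:
                    manifest = json.loads((ver_dir / "manifest.json").read_text("utf-8"))
                    version = manifest.get("version", version)
                except (OSError, ValueError):
                    pass
                yield ext_dir.name, version

def default_user_data_dirs():
    """Standard Chrome/Chromium/Edge locations per platform (assumed paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData/Local"))
        names = ["Google/Chrome/User Data", "Microsoft/Edge/User Data"]
    elif sys.platform == "darwin":
        base = home / "Library/Application Support"
        names = ["Google/Chrome", "Chromium", "Microsoft Edge"]
    else:
        base = home / ".config"
        names = ["google-chrome", "chromium", "microsoft-edge"]
    return [base / n for n in names if (base / n).is_dir()]

def main(argv):
    dirs = [Path(a) for a in argv[1:]] or default_user_data_dirs()
    hits = [h for d in dirs for h in scan_entries(iter_installed(d))]
    for h in hits:
        print(f"{h['verdict']:<14} {h['id']}  {h['name']} ({h['version']})")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the default profile locations, or pass one or more User Data directories explicitly (useful on a mounted disk image). A "patched" Cyberhaven hit is not an all-clear: the extension auto-updated through 24.10.4 on many machines before 24.10.5 shipped, so any profile that carries the extension at all should be treated as having had the stealer run, and the credential rotation above still applies.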

The shared infrastructure indicates a well-planned, large-scale attack. Security researchers are still searching for further affected extensions, but the sophistication and scope of the campaign underline the need for organizations to inventory and control the browser extensions running in their environment. The identity of the attacker remains unclear.
