
Extensions in the Chrome Web Store were found to be secretly stealing data and running malware


Security experts from DomainTools caution that numerous Chrome extensions are surreptitiously stealing user data and deploying malware, as reported by BleepingComputer.

Many of these harmful extensions are masquerading as reputable brands like Fortinet, YouTube, Deepseek AI, and Calendly, which increases the likelihood of unsuspecting users downloading them and facing issues. Google has reportedly eliminated most of the targeted extensions from the Chrome Web Store, yet some are still present as of now.

We observed a similar situation last month when a cybersecurity researcher from Secure Annex discovered several malicious Chrome extensions propagating through advertisements and scam websites. This serves as yet another example of the necessity to thoroughly assess browser extensions before installing them.

To ensure safety, it’s essential to review all available feedback prior to downloading any browser extensions and confirm that you are obtaining the legitimate version. If you suspect you have been affected, refer to our article on how to eliminate harmful Chrome extensions.

Security researchers have alerted Google Chrome users to remain cautious after uncovering a significant campaign aimed at data theft.

So far, at least 36 compromised Chrome extensions have been identified, possibly affecting as many as 2.6 million users, according to ExtensionTotal.

The campaign first emerged in late December when the extension associated with the cybersecurity firm Cyberhaven was compromised, endangering its 400,000 users.

ExtensionTotal reported that a Cyberhaven administrator fell victim to phishing on December 24 after receiving an email claiming the firm’s extension breached Google’s policies and was at risk of being taken down from the Chrome Web Store.

“Clicking on the email directed the admin to a Google consent screen, which sought permission for an OAuth application called Privacy Policy Extension,” ExtensionTotal clarified.

“This application was, in fact, a tool managed by the attacker. By granting access, the admin unintentionally allowed the attacker to upload new versions of Cyberhaven’s Chrome extension to the Web Store.”

The hackers then uploaded a malicious version of the extension that was designed to capture users’ passwords, cookies, and other sensitive information that could facilitate account takeovers. The malicious code was able to evade Google’s security measures.

Attention Developers

Security company SquareX stated that extensions are becoming a common method for threat actors to gain initial access, as most corporate IT teams do not oversee what users install. Even when they do, very few IT administrators monitor the subsequent updates to an allow-listed extension, they added.

Moreover, a large number of developers can be easily targeted since their email addresses are typically made public on the Chrome Store for bug reports, they noted.

SquareX founder, Vivek Ramachandran, asserted that his company has witnessed similar attacks aimed at stealing data from applications such as Google Drive and OneDrive, warning that threat actors will likely become “more inventive” with upcoming campaigns.

“Identity attacks targeting browser extensions, similar to this OAuth incident, will increasingly become common as employees rely more on browser-based tools for their work efficiency,” he warned.

“Organizations must stay alert and reduce their supply chain risks without hindering employee productivity by equipping them with the appropriate browser-native tools.”

In late December 2024, cybersecurity researchers uncovered that at least 33 harmful Chrome browser extensions—used by over 2.6 million users—had been quietly extracting data from users for as long as 18 months.

The campaign was revealed when Cyberhaven, a data loss prevention company, noticed that its Chrome browser extension had been updated with code that contained sensitive data obtained from the company. Further investigations showed that the extension, utilized by 400,000 of its clients, had been set up to download various payloads from infrastructure controlled by the attackers, capable of exfiltrating browser cookies and authentication credentials for Facebook and ChatGPT.

Ultimately, the malicious browser extension was available for download in the Google Chrome store for 31 hours. During this time, active Chrome browsers with the Cyberhaven extension installed would have automatically downloaded and installed the harmful update.

An investigation that followed found that a spearphishing email targeting the developers listed by Google for the Cyberhaven extension deceived them into granting permissions. This allowed the threat actor to upload a compromised version of the Cyberhaven extension to the Chrome Web Store.

As Cyberhaven raised awareness about this issue, other developers began to notice that several additional Chrome extensions were affected by the same campaign, with some being successfully compromised, including an extension named Reader Mode, which might have been affected as early as April 2023.

With over 100,000 Chrome browser extensions widely available for download in the Chrome store, it is nearly impossible for Google to check whether the extensions or their updates contain harmful code. Consequently, browser extensions have become a prevalent attack vector for threat actors aiming to exfiltrate sensitive user data.

In 2019, a significant security problem was identified involving malicious browser extensions for both Google Chrome and Mozilla Firefox. This attack impacted more than 70 Chrome extensions and 28 Firefox extensions disguised as tools for productivity, security, or ad-blocking.

During the campaign, the harmful extensions were downloaded and installed on over four million devices globally. These extensions exfiltrated browsing data, including user activity on sensitive sites, authentication credentials, and potentially other private information.

Mitigation

Field Effect’s skilled team of Security Intelligence specialists continuously observes the cyber threat landscape concerning web browser-related dangers. This research aids in the prompt deployment of signatures into Field Effect MDR to detect and mitigate these threats’ exploitation.

Users of Field Effect MDR are automatically alerted if a malicious, or potentially harmful, Chrome extension is identified in their environment and are encouraged to promptly review these AROs via the Field Effect Portal.

Field Effect advises users to maintain up-to-date web browsers by enabling automatic updates. This will ensure that the latest security patches are installed as soon as possible, reducing the time frame available for threat actors to conduct attacks.

Organizations looking to mitigate the potential risks posed by browser extensions should allowlist trusted and secure extensions while restricting access to all others. Although this wouldn’t prevent approved extensions from downloading potentially harmful updates, it would decrease the number of extensions a user could install, thus minimizing the attack surface. Alternatively, organizations may implement a policy to block high-risk AI and VPN extensions or those that request cookie access.

If they haven’t done so already, organizations should also think about acquiring a cybersecurity solution, such as Field Effect MDR, that can identify vulnerable and malicious browser extensions.

Attacking developers: OAuth abuse

To incorporate trojan functionality into popular Chrome extensions, cybercriminals have created a unique phishing technique. They send emails to developers masquerading as standard Google notifications, claiming that their extension breaches Chrome Web Store guidelines and requires a new description. The wording and design of the message replicate typical Google emails, which often convinces the victim. Additionally, the email is generally dispatched from a domain set up specifically to target a certain extension and includes the extension’s name in the actual domain name.

Clicking the link within the email directs the user to a legitimate Google authentication page. Subsequently, the developer encounters another standard Google interface prompting them to log in via OAuth to an app named “Privacy Policy Extension” and to grant specific permissions during the authentication process. This common procedure occurs on genuine Google pages, but the “Privacy Policy Extension” app requests authorization to publish other extensions to the Chrome Web Store. If this authorization is granted, the creators of “Privacy Policy Extension” can publish updates to the Chrome Web Store on behalf of the developer.

In this scenario, there’s no requirement for the attackers to steal the developer’s password or other credentials, nor to bypass multi-factor authentication (MFA). They simply exploit Google’s permission-granting system to mislead developers into authorizing the publication of updates for their extensions. Judging by the extensive list of domains registered by the attackers, they sought to target far more than 35 extensions. In instances where the attack was effective, they launched an updated version of the extension that included two files for stealing Facebook cookies and other data (worker.js and content.js).

Attacking users

Chrome extensions generally get updates automatically, so users who turned on their devices between December 25 and December 31 and opened Chrome might have received an infected update for an already installed extension.

In this scenario, a harmful script executes in the victim’s browser and transmits data necessary for breaching Facebook business accounts to the attackers’ server. Besides stealing Facebook identifiers and cookies, the malware gathers information needed to log into the target’s advertising account, such as user-agent data that identifies the user’s browser. On facebook.com, even mouse-click information is captured to enable the threat actors to bypass CAPTCHA and two-factor authentication (2FA). If the victim manages advertisements for a company or private business on Meta, the cybercriminals can utilize the advertising budget for their ads—commonly promoting scams and harmful sites (malvertising). In addition to the direct financial impacts, the targeted organization also faces legal and reputational issues, as the fraudulent ads are released under its name.

The malware could potentially extract data from other websites as well, so it’s advisable to examine your browser even if you don’t oversee Facebook ads for any company.

Steps to take if you installed an infected extension update

To cease the exploitation of information from your browser, the first action you should take is to remove the compromised extension or update it to a corrected version. You can find a list of all known infected extensions along with their current remediation status here. Unfortunately, merely uninstalling or updating the infected extension isn’t sufficient. You should also reset any passwords and API keys that were saved in the browser or used during the affected time frame.

Next, inspect the available logs for indications of communication with the attackers’ servers. Indicators of compromise (IoCs) can be found here and here. If there was communication with malicious servers, investigate for signs of unauthorized access in all services accessed via the infected browser.

Afterward, if any Meta or other advertising accounts were logged into from the infected browser, manually review all active ads and cease any unauthorized advertising activities you discover. Finally, log out of all compromised Facebook account sessions on all devices (Log out all other devices), clear the browser’s cache and cookies, log back into Facebook, and change the account password.

Key takeaways from the incident

This incident exemplifies another case of supply-chain attacks. In Chrome’s situation, it’s exacerbated by the fact that updates are installed automatically without notifying the user. While updates are typically beneficial, in this case, the auto-update feature permitted malicious extensions to disseminate rapidly. To reduce the risks of this situation, companies are encouraged to implement the following measures:

  • Utilize group policies or the Google Admin console to limit the installation of browser extensions to a trusted list;
  • Develop a list of authorized extensions based on business requirements and the information security practices adhered to by the developers of those extensions;
  • Employ version pinning to deactivate automatic extension updates. Concurrently, a procedure for monitoring updates and centrally updating approved extensions by administrators will need to be established;
  • Install an endpoint detection and response (EDR) solution on all devices within your organization to guard against malware and watch for suspicious events;
  • Organizations that distribute software, including web extensions, must ensure that the permission to publish is given to the minimum necessary employees—ideally from a privileged workstation with added protective layers, including multi-factor authentication (MFA) and tightly configured application launch control and web access. Employees authorized to publish should receive regular information security training and stay informed about the latest attacker strategies, including spear phishing.
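As an added example (not code from any of the vendors quoted above), the following Python script audits the manifests under a Chrome profile's Extensions directory against an approved list, flags the cookie and all-URL permissions the article warns about, detects an approved extension that silently auto-updated past its pinned version, and emits the matching Chrome ExtensionSettings policy. The extension IDs and manifests in demo() are constructed placeholders.

```python
import json
from pathlib import Path

# Permissions the article singles out as enabling cookie and credential theft.
RISKY_PERMISSIONS = {"cookies", "<all_urls>", "webRequest"}

def audit_manifest(ext_id: str, manifest: dict, allowlist: dict) -> dict:
    """Findings for one manifest (MV2 or MV3). allowlist maps ID -> pinned version or None."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))      # MV3 host access
    perms |= set(manifest.get("optional_permissions", []))  # can be requested later
    version = manifest.get("version", "?")
    pinned = allowlist.get(ext_id)
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": version,
        "allowlisted": ext_id in allowlist,
        "risky": sorted(perms & RISKY_PERMISSIONS),
        # Approved extension now on a different version: the silent auto-update case.
        "version_drift": pinned is not None and pinned != version,
    }

def audit_profile(extensions_dir: Path, allowlist: dict) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results.append(audit_manifest(path.parent.parent.name, manifest, allowlist))
    return results

def extension_settings_policy(allowlist: dict) -> dict:
    """Chrome ExtensionSettings policy: block installs by default, refuse the
    cookies permission for every extension, and allow only the approved IDs."""
    policy = {"*": {"installation_mode": "blocked", "blocked_permissions": ["cookies"]}}
    policy.update({ext_id: {"installation_mode": "allowed"} for ext_id in allowlist})
    return policy

def demo() -> list:
    """Constructed sample: an approved extension that auto-updated and now asks
    for cookies plus all URLs, and an unapproved one. IDs are placeholders."""
    approved_id = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    allowlist = {approved_id: "24.11.1"}
    updated = {"name": "Approved DLP Helper", "version": "24.12.3",
               "permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"]}
    stranger = {"name": "Free VPN", "version": "1.0", "permissions": ["tabs"]}
    return [audit_manifest(approved_id, updated, allowlist),
            audit_manifest("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", stranger, allowlist)]
```

Run audit_profile() against a real profile's Extensions folder to get the same findings for installed extensions, and feed extension_settings_policy() into the ExtensionSettings policy via group policy or the Google Admin console.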
