16 Chrome Extensions Compromised: Over 600,000 users are at risk as 16 popular Chrome extensions have been compromised, exposing sensitive data and credentials.
This large-scale attack hijacked legitimate Chrome extensions by compromising their publishers' Chrome Web Store accounts and pushing malicious updates. The injected code ran with the permissions each extension already held, which was enough to steal user data. The breach underscores the growing need for robust browser extension security.
Cyberhaven, a cybersecurity firm, was the first to report its extension being hacked. A phishing email tricked an employee into granting an attacker-controlled OAuth application access to the company's Chrome Web Store publishing account, and the attackers used that access to publish a version of the extension containing malicious code.
This breach is not an isolated incident but part of a broader attack campaign impacting many other widely used extensions.
Key Takeaway: 16 Chrome Extensions Compromised
- Over 600,000 users impacted due to compromised Chrome extensions that were manipulated to steal data and credentials.
The Extent of the Breach
This newly discovered attack campaign has compromised 16 Chrome browser extensions, collectively exposing the data of over 600,000 users.
The threat actors targeted extension publishers through phishing campaigns, gaining access to their Chrome Web Store publisher accounts. Once they could publish under a legitimate publisher's name, they pushed updated versions containing malicious code. Because Chrome installs extension updates automatically, the malicious versions reached users without any action on their part, and the code abused each extension's existing permissions to steal cookies and user access tokens.
The affected extensions include popular tools like:
Extension Name | Purpose |
---|---|
AI Assistant – ChatGPT and Gemini | Productivity & AI Assistance |
Bard AI Chat Extension | Chat AI Integration |
VPNCity | VPN and Privacy Tools |
VidHelper Video Downloader | Video Download Assistance |
Additional extensions like Reader Mode and Castorus were also found compromised, making this a significant breach targeting diverse tools.
How the Attack Unfolded
The attackers initially breached the Cyberhaven extension, embedding malicious code that communicated with a Command and Control (C&C) server hosted on cyberhavenext[.]pro. The code fetched additional configuration from this server and used it to exfiltrate user data.
Further investigation revealed that the same C&C server was used for other compromised extensions. Security researchers linked additional malicious domains to the Cyberhaven breach, confirming that this was a coordinated, large-scale attack.
Focus on Facebook Business Accounts
Analysis of the Cyberhaven breach revealed that the malicious code specifically targeted identity data and access tokens of Facebook users, particularly those with business accounts.
These tokens grant access to sensitive business data, making this breach especially damaging for organizations using Facebook for marketing, advertising, or customer engagement.
Steps Taken to Mitigate Damage
Cyberhaven responded swiftly, removing the compromised version from the Chrome Web Store within 24 hours and publishing a clean version. Other affected extensions have also been taken down or updated.
However, experts caution that removal from the Chrome Web Store doesn't fully eliminate the risk. Delisting an extension does not uninstall it: a compromised version stays active in the user's browser until a clean update replaces it or the user removes it. And even after that, cookies and tokens captured while the malicious version was running remain valid until they are revoked, so users who ran an affected version should rotate passwords and invalidate active sessions and API tokens rather than rely on the removal alone.
Why Browser Extensions Are a Major Security Risk
Browser extensions often require broad permissions to function effectively. These permissions can include access to cookies, browsing history, and even sensitive tokens.
Or Eshed, CEO of LayerX Security, explains:
Extensions are the soft underbelly of web security. Many users and organizations don’t realize how much access these tools have to sensitive information.
The DataSpii incident, disclosed in 2019, is a prime example of the risks posed by browser extensions. In that case, several extensions leaked users' browsing histories, including URLs that contained sensitive data, to a third-party data broker without consent.
How to Protect Yourself
If you use browser extensions, follow these steps to enhance your security:
- Audit Installed Extensions: Regularly review the extensions you’ve installed and remove any you no longer use.
- Limit Permissions: Only install extensions that request the minimum permissions their function needs. Treat `cookies`, `webRequest` and broad host access such as `<all_urls>` as reasons to look closer, because together they let an extension read session cookies for every site you are logged into.
- Stay Updated: Keep extensions updated to benefit from security patches. Chrome updates extensions automatically; in this campaign that is how the malicious versions reached users, and also how the cleaned versions replaced them, so watch for unexpected version changes as well.
- Monitor for Alerts: Stay informed about extension vulnerabilities and breaches.
- Use Endpoint Protection: Implement security tools that monitor browser activity for suspicious behavior.
Looking Ahead: The Future of Browser Security
The exploitation of 16 Chrome extensions highlights the urgent need for improved security practices. As more users rely on browser extensions for work and personal use, attackers will continue targeting these tools.
Future trends in browser security may include stricter permissions for extensions, enhanced monitoring by web stores, and increased user awareness about extension risks.
About Cyberhaven
Cyberhaven is a leading cybersecurity firm specializing in data security and threat analysis. They provide insights and tools to protect organizations from emerging threats.
Rounding Up
The compromise of 16 Chrome extensions and the exposure of over 600,000 users is a wake-up call for both individuals and businesses. Browser extensions, though convenient, can pose significant risks when not properly managed.
This incident emphasizes the importance of security-first practices, including monitoring extensions, limiting permissions, and staying informed about potential vulnerabilities. Together, we can create a safer online environment.
FAQs
What happened in this attack?
- Hackers compromised 16 Chrome extensions, inserting malicious code to steal sensitive data.
Which extensions were affected?
- Extensions like AI Assistant – ChatGPT, Bard AI, VPNCity, and others were impacted.
How were the extensions compromised?
- Attackers used phishing campaigns to access extension publishers’ accounts and inject malicious code.
What data was stolen?
- Cookies, user access tokens, and identity data, including Facebook business account information, were targeted.
How can I protect myself from such threats?
- Audit your extensions, limit permissions, update regularly, and monitor for suspicious activity.
Is there a precedent for such breaches?
- Yes, incidents like the DataSpii leak disclosed in 2019 highlight the risks of over-privileged browser extensions.