Key Takeaways:
Security researchers have identified a string of attacks in which hackers compromised multiple Chrome extensions. According to a new report from Reuters, the attackers planted malicious code in the extensions that was designed to steal browser cookies and hijack authenticated sessions.
The cybersecurity firm Cyberhaven informed its customers that the attackers compromised a company account and used it to publish a malicious update (version 24.10.4) of its data loss prevention extension on December 25. The compromised extension sent sensitive data, including authenticated session data and cookies, to a domain controlled by the attacker. The same campaign affected other extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks.
Specifically, the attacker sent a phishing email to the support address registered for Cyberhaven’s Chrome extension. The email claimed the extension was violating Google’s developer policies and urged the recipient to click a “Go To Policy” link to keep the extension from being removed from the store.
“Once the employee clicked on the email, they were taken to the standard Google authorization flow for adding a malicious OAuth Google application called ‘Privacy Policy Extension’,” Cyberhaven explained. “This authorization page was hosted on Google.com and part of the standard authorization flow for granting access to third-party Google applications.”
The developer followed what looked like a routine consent flow and unintentionally authorized the malicious third-party application. The developer’s two-factor authentication was not bypassed; it simply did not apply. Because the developer was already signed in to Google, the consent screen issued the attacker’s app an OAuth token with the requested permissions without ever prompting for a password or a second factor, and that token gave the attacker the access used to push the malicious extension update under Cyberhaven’s account.
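The practical check this consent-phishing flow calls for is a review of which third-party OAuth apps your developers have granted access to, and in particular which of them hold the Chrome Web Store publishing scope. The following is an added example, not Cyberhaven’s or Google’s code: it triages a list of OAuth grants and flags any app that holds that scope but is not on your allowlist of known publishing tools. The grant records are constructed and simplified (fake users and client IDs, five fields) rather than the exact export format of the Google Workspace Admin console or Reports API, and the allowlist client ID is an assumption; adapt both to your tenant.

```python
"""Triage third-party OAuth app grants for Chrome Web Store publishing rights.

Added example, not Cyberhaven's or Google's code. The records below are a
constructed, simplified version of what you would pull from Google Workspace
(Admin console > Security > API controls > App access control, or the Reports
API "token" events); adapt the five fields used here to your real export.
"""
from datetime import datetime

# Real scope string for the Chrome Web Store API. A token carrying it can upload
# and publish new extension versions, which is exactly what this attack needed.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# ASSUMPTION: client IDs of the tooling your team legitimately publishes with.
PUBLISH_ALLOWLIST = {"111111111111-ci-publisher.apps.googleusercontent.com"}

# Constructed sample grants (fake users, fake client IDs, illustrative timestamps).
SAMPLE_GRANTS = [
    {"user": "ext-support@example.com", "app_name": "Privacy Policy Extension",
     "client_id": "999999999999-xyz.apps.googleusercontent.com",
     "scopes": [CWS_SCOPE, "openid",
                "https://www.googleapis.com/auth/userinfo.email"],
     "granted_at": "2024-12-24T20:32:00Z"},
    {"user": "dev@example.com", "app_name": "CI publisher",
     "client_id": "111111111111-ci-publisher.apps.googleusercontent.com",
     "scopes": [CWS_SCOPE], "granted_at": "2024-06-01T09:00:00Z"},
    {"user": "dev@example.com", "app_name": "Calendar helper",
     "client_id": "222222222222-cal.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "granted_at": "2024-12-24T21:00:00Z"},
]


def parse_ts(s):
    """Parse an RFC 3339 timestamp; older fromisoformat() needs '+00:00' not 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def flag_grants(grants, allowlist=PUBLISH_ALLOWLIST, since=None):
    """Return grants that can publish to the Web Store from a non-allowlisted client.

    `since` (RFC 3339 string) narrows the review to grants made at or after that
    time, e.g. the start of an incident window.
    """
    cutoff = parse_ts(since) if since else None
    flagged = []
    for g in grants:
        if cutoff is not None and parse_ts(g["granted_at"]) < cutoff:
            continue
        if CWS_SCOPE not in g["scopes"]:
            continue  # cannot publish extensions; out of scope for this review
        if g["client_id"] in allowlist:
            continue  # a publishing tool we deliberately authorised
        flagged.append({**g, "reason": "non-allowlisted app holds Chrome Web Store publish scope"})
    return flagged


def report(grants, **kwargs):
    """One 'REVOKE' line per flagged grant, ready to paste into a ticket."""
    return [
        f"REVOKE user={g['user']} app={g['app_name']!r} "
        f"client_id={g['client_id']} granted={g['granted_at']}"
        for g in flag_grants(grants, **kwargs)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_GRANTS):
        print(line)
```

Run against real data, every line the script prints is a grant to revoke in the Workspace admin console, followed by a check of the Web Store developer dashboard for versions you did not publish. Keeping the allowlist short is the point: a legitimate publishing pipeline needs this scope from one or two clients, so anything else holding it is a finding.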
According to Cyberhaven, only version 24.10.4 of the extension was affected, and only customers on Chrome-based browsers whose extension auto-updated during the attack window would have run the malicious code. Cyberhaven has since removed the malicious version from the Chrome Web Store and published a clean release (24.10.5).
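Because only one version was malicious, the first thing a fleet administrator wants is an inventory of which profiles actually hold 24.10.4. The script below is an added example, not Cyberhaven’s code: it walks Chrome’s on-disk extension layout (`<User Data>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json`) and reports any install whose manifest version is on a bad list. The extension ID used is a placeholder, since the article does not give Cyberhaven’s real Web Store ID; the sample profile tree the script builds for its own demo is constructed.

```python
"""Find installs of a known-bad extension version in Chrome profile directories.

Added example, not Cyberhaven's code. Chrome unpacks each installed Web Store
extension to <profile>/Extensions/<extension id>/<version>_<n>/manifest.json,
so the manifest's "version" field says exactly which build a profile holds.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# ASSUMPTION: placeholder extension ID (the article does not state the real one).
# Replace with the real 32-character Web Store ID of the extension you are hunting.
AFFECTED = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4"}}


def default_user_data_dirs():
    """Where Chrome keeps 'User Data' per platform (profiles are subdirectories)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def scan_profile(profile_dir, affected=AFFECTED):
    """Return {id, name, version, path} for each affected version found in one profile."""
    hits = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return hits
    for ext_dir in ext_root.iterdir():
        bad_versions = affected.get(ext_dir.name)
        if not bad_versions or not ext_dir.is_dir():
            continue  # unrelated extension (or Chrome's "Temp" directory)
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or half-written manifest; skip, don't crash
            version = data.get("version")
            if version in bad_versions:
                hits.append({"id": ext_dir.name, "name": data.get("name"),
                             "version": version, "path": str(manifest)})
    return hits


def scan_user_data(user_data_dir, affected=AFFECTED):
    """Scan every profile ('Default', 'Profile 1', ...) under a User Data directory."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for profile in root.iterdir():
        if profile.is_dir():
            hits.extend(scan_profile(profile, affected))
    return hits


def build_sample_user_data(root):
    """Constructed fixture: a fake User Data tree with one affected install."""
    layout = {
        "Default/Extensions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/24.10.4_0": ("Example DLP", "24.10.4"),
        "Profile 1/Extensions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/24.10.5_0": ("Example DLP", "24.10.5"),
        "Default/Extensions/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/1.2.3_0": ("Unrelated", "1.2.3"),
    }
    for rel, (name, version) in layout.items():
        d = Path(root) / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return Path(root)


def run_on_sample():
    """Build the constructed fixture in a temp dir and scan it (used by the demo/test)."""
    return scan_user_data(build_sample_user_data(tempfile.mkdtemp()))


if __name__ == "__main__":
    found = []
    for root in default_user_data_dirs():
        found.extend(scan_user_data(root))
    for h in found:
        print(f"AFFECTED {h['id']} {h['name']} {h['version']} at {h['path']}")
    print(f"{len(found)} affected install(s) in local Chrome profiles")
```

A hit means the malicious build is still on disk for that profile; push the update (or remove the extension) and then treat that profile’s sessions as exposed. The scan is read-only, so it is safe to run from endpoint management tooling across a fleet and collect the printed lines centrally.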
Cyberhaven advises administrators to review their logs for suspicious activity during the attack window. It also recommends rotating passwords and revoking tokens for any account that is not protected by FIDO2 multifactor authentication. Since the malicious update exfiltrated live session cookies, administrators should also sign out active browser sessions for affected users, because a stolen cookie keeps working until the session it belongs to is revoked, regardless of how strong the password behind it is.