Hackers recently compromised several Chrome browser extensions, injecting malicious code to steal sensitive user data. This cyberattack, which began in mid-December, affected extensions from multiple companies. Cyberhaven, a data protection firm, confirmed its extension was compromised on December 24.
The attackers used phishing emails to gain access, enabling them to modify the extensions. Once users installed or updated these extensions, the malicious code activated, collecting sensitive information. Cyberhaven’s investigation revealed that the compromised extension targeted Facebook Ads users, aiming to steal access tokens, user IDs, cookies, and other account details.
Chrome Extensions bypass two-factor authentication
The malicious code also included a mouse click listener, potentially assisting attackers in bypassing two-factor authentication. Cyberhaven detected the breach on December 25 and removed the malicious version within an hour, releasing a clean update. The compromised version remained active for approximately 25 hours.
Other potentially affected extensions include Internxt VPN, VPNCity, Uvoice, and ParrotTalks. Security researcher Jaime Blasco noted that the attack appeared opportunistic, collecting data from as many compromised extensions as possible, rather than targeting a specific company.
Browser extensions, while enhancing user experience, pose significant security risks. Attackers can exploit vulnerabilities or use phishing tactics to control these extensions, transforming them into tools for data theft. Users should exercise caution when installing extensions, ensuring they originate from reputable sources with positive reviews.
In response to the breach, Cyberhaven advised affected users to check their logs for suspicious activity and change passwords, especially for accounts not using FIDO2 multifactor authentication. The company is cooperating with federal law enforcement to investigate the incident.
This cyberattack underscores the importance of cybersecurity vigilance. Users should regularly review installed extensions, keep them updated, and avoid granting excessive permissions. Employing robust security measures, like multifactor authentication, can provide additional protection.
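One way to make the extension review described above repeatable is to read each installed extension's manifest.json and list the ones that request sensitive APIs or access to every site. The script below is an added example, not code from Cyberhaven or the original article; the permission lists, the function names and the sample extension IDs are assumptions chosen for illustration, and a finding marks an extension for review, not as compromised.

```python
import json
import tempfile
from pathlib import Path

# Assumed review lists for this example, not an official Chrome classification.
SENSITIVE_APIS = {"cookies", "webRequest", "scripting", "tabs", "debugger", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # MV3 host access
    # MV2 lists host patterns alongside API names in "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [f"api:{p}" for p in perms & SENSITIVE_APIS]
    findings += [f"broad-host:{h}" for h in hosts & BROAD_HOSTS]
    return sorted(findings)

def audit_extensions_dir(ext_dir):
    """Walk <ext_dir>/<extension id>/<version>/manifest.json, as in a Chrome profile."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        key = (path.parts[-3], path.parts[-2])  # (extension id, version)
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
            findings = audit_manifest(manifest)
        except (OSError, ValueError):
            findings = ["unreadable-manifest"]
        if findings:
            report[key] = findings
    return report

def build_sample_profile(root):
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        ("aaaa-constructed-id", "1.0.0"): {"manifest_version": 3, "permissions": ["storage"]},
        ("bbbb-constructed-id", "2.4.1"): {"manifest_version": 3,
            "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]},
    }
    for (ext_id, version), manifest in samples.items():
        target = Path(root) / ext_id / version
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for (ext_id, version), findings in audit_extensions_dir(tmp).items():
            print(ext_id, version, findings)
```

To audit a real browser, pass the `Extensions` folder of the Chrome profile to `audit_extensions_dir` instead of the constructed sample directory.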
As cyber threats continue to evolve, both users and developers must stay alert. Developers should implement stringent security protocols to safeguard their extensions from unauthorized access, while users must remain informed about potential risks.
The recent compromise of Chrome extensions serves as a stark reminder of the persistent threats in the digital landscape. By adopting proactive security practices, users can mitigate risks and protect their personal information from malicious actors.