16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company to fall victim to the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.

The phishing email, which purported to come from Google Chrome Web Store Developer Support, sought to induce a false sense of urgency by claiming that their extension was at imminent risk of removal from the extension store citing a violation of Developer Program Policies.

It also urged the recipient to click on a link to accept the policies, following which they were redirected to a page for granting permissions to a malicious OAuth application named "Privacy Policy Extension."

"The attacker gained requisite permissions via the malicious application ('Privacy Policy Extension') and uploaded a malicious Chrome extension to the Chrome Web Store," Cyberhaven said. "After the customary Chrome Web Store Security review process, the malicious extension was approved for publication."

"Browser extensions are the soft underbelly of web security," says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. "Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.

"Many organizations don't even know what extensions they have installed on their endpoints, and aren't aware of the extent of their exposure," says Eshed.

Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Further investigation has uncovered more extensions [Google Sheets] that are suspected of having been compromised, according to browser extension security platform Secure Annex:

• AI Assistant - ChatGPT and Gemini for Chrome
• Bard AI Chat Extension
• GPT 4 Summary with OpenAI
• Search Copilot AI Assistant for Chrome
• TinaMInd AI Assistant
• Wayin AI
• VPNCity
• Internxt VPN
• Vindoz Flex Video Recorder
• VidHelper Video Downloader
• Bookmark Favicon Changer
• Castorus
• Uvoice
• Reader Mode
• Parrot Talks
• Primus
• Tackker - online keylogger tool
• AI Shop Buddy
• Sort by Oldest
• Rewards Search Automator
• ChatGPT Assistant - Smart Search
• Keyboard History Recorder
• Email Hunter
• Visual Effects for Google Meet
• Earny - Up to 20% Cash Back

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.

Secure Annex's founder John Tuckner told The Hacker News that there is a possibility that the campaign has been ongoing since April 5, 2023, and likely even further back based on the registration dates of the domains used: nagofsg[.]com was registered in August 2022 and sclpfybn[.]com was registered in July 2021.

"I've linked the same code present in the Cyberhaven attacks to related code (let's say Code1) in an extension called 'Reader Mode,'" Tuckner said. "The code in 'Reader Mode' contained Cyberhaven attack code (Code1) and an additional indicator of compromise "sclpfybn[.]com" with its own additional code (Code2)."

"Pivoting on that domain led me to the seven new extensions. One of those related extensions called "Rewards Search Automator" had (Code2) which masked itself as 'safe-browsing' functionality but was exfiltrating data."

"'Rewards Search Automator' also contained masked 'ecommerce' functionality (Code3) with a new domain 'tnagofsg[.]com' which is functionally incredibly similar to 'safe-browsing'. Searching further on this domain, I found 'Earny - Up to 20% Cash Back' which still has 'ecommerce' code in it (Code3) and was last updated April 5, 2023."

As for the the compromised Cyberhaven add-on, analysis indicates that the malicious code targeted identity data and access tokens of Facebook accounts, primarily with an intent to single out Facebook Ads users:

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact the extension was removed from the Chrome store doesn't mean that the exposure is over, says Or Eshed. "As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data," he says.

Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations of securing their browser extensions.

At this point it's unclear who is behind the campaign, and if these compromises are related. The Hacker News has reached out to Google for further comment, and we will update the story if we hear back.

(The story was updated after publication to revise the list of extensions impacted and comments from Secure Annex.)