Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft

December 30, 2024

A new attack campaign has targeted known Chrome browser extensions, leading to at least 35 extensions being compromised and exposing over 2.6 million users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company to shed light the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.

The phishing email, which purported to come from Google Chrome Web Store Developer Support, sought to induce a false sense of urgency by claiming that their extension was at imminent risk of removal from the extension store citing a violation of Developer Program Policies.

It also urged the recipient to click on a link to accept the policies, following which they were redirected to a page for granting permissions to a malicious OAuth application named "Privacy Policy Extension."

"The attacker gained requisite permissions via the malicious application ('Privacy Policy Extension') and uploaded a malicious Chrome extension to the Chrome Web Store," Cyberhaven said in a separate technical write-up. "After the customary Chrome Web Store Security review process, the malicious extension was approved for publication."

"Browser extensions are the soft underbelly of web security," says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. "Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.

"Many organizations don't even know what extensions they have installed on their endpoints, and aren't aware of the extent of their exposure."

Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Further investigation has uncovered more extensions [Google Sheets] that are suspected of having been compromised, according to browser extension security platforms Secure Annex and Extension total:

AI Assistant - ChatGPT and Gemini for Chrome
Bard AI Chat Extension
GPT 4 Summary with OpenAI
Search Copilot AI Assistant for Chrome
TinaMInd AI Assistant
Wayin AI
VPNCity
Internxt VPN
Vidnoz Flex Video Recorder
VidHelper Video Downloader
Bookmark Favicon Changer
Castorus
Uvoice
Reader Mode
Parrot Talks
Primus
Tackker - online keylogger tool
AI Shop Buddy
Sort by Oldest
Rewards Search Automator
ChatGPT Assistant - Smart Search
Keyboard History Recorder
Email Hunter
Visual Effects for Google Meet
Earny - Up to 20% Cash Back
Where is Cookie?
Web Mirror
ChatGPT App
Hi AI
Web3Password Manager
YesCaptcha assistant
Bookmark Favicon Changer
Proxy SwitchyOmega (V3)
GraphQL Network Inspector
ChatGPT for Google Meet
GPT 4 Summary with OpenAI

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.

Secure Annex's founder John Tuckner told The Hacker News that there is a possibility that the campaign has been ongoing since April 5, 2023, and likely even further back based on the registration dates of the domains used: nagofsg[.]com was registered in August 2022 and sclpfybn[.]com was registered in July 2021.

"I've linked the same code present in the Cyberhaven attacks to related code (let's say Code1) in an extension called 'Reader Mode,'" Tuckner said. "The code in 'Reader Mode' contained Cyberhaven attack code (Code1) and an additional indicator of compromise "sclpfybn[.]com" with its own additional code (Code2)."

"Pivoting on that domain led me to the seven new extensions. One of those related extensions called "Rewards Search Automator" had (Code2) which masked itself as 'safe-browsing' functionality but was exfiltrating data."

"'Rewards Search Automator' also contained masked 'ecommerce' functionality (Code3) with a new domain 'tnagofsg[.]com' which is functionally incredibly similar to 'safe-browsing'. Searching further on this domain, I found 'Earny - Up to 20% Cash Back' which still has 'ecommerce' code in it (Code3) and was last updated April 5, 2023."

As for the the compromised Cyberhaven add-on, analysis indicates that the malicious code targeted identity data and access tokens of Facebook accounts, primarily with an intent to single out Facebook Ads users.

It also included code to listen for mouse click events on the Facebook[.]com website, checking for images containing the substring "qr/show/code" in the src attribute every time a user clicks on a page, and if found, sending them to the C&C server. It's suspected that the intent was to search for QR codes in order to bypass security checks such as two-factor authentication (2FA) requests.

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact the extension was removed from the Chrome store doesn't mean that the exposure is over, says Or Eshed. "As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data," he says.

It has since also emerged that the presence of data gathering code in some of the extensions was not the result of a compromise, but was likely included by the developers themselves as part of a monetization software development kit (SDK) that also stealthily exfiltrated detailed browsing data.

"Before the Visual Effects for Google Meet developer sold their extension to Karma, they tried to monetize it with this 'ad blocking library,'" security researcher Wladimir Palant said. "The sales pitch doesn't mention who develops the library but everything points to Urban VPN."

At this point it's unclear who is behind the campaign, and if these compromises are related. The Hacker News has reached out to Google for further comment, and we will update the story if we hear back.

(The story was updated after publication to revise the list of extensions impacted and include comments from Secure Annex.)