16 Chrome Extensions Compromised: Over 600,000 Users Exposed to Data Theft
A major security breach has rocked the Chrome Web Store, leaving over 600,000 users vulnerable to data theft after 16 popular Chrome extensions were compromised. This wide-scale attack campaign hijacked legitimate browser extensions by phishing their publishers, injecting malicious code into the extensions, and exploiting users’ trust in these tools.
How the Attack Unfolded
The attack began with phishing campaigns aimed at publishers of Chrome browser extensions. By gaining unauthorized access to these publishers’ accounts, threat actors inserted malicious code into the extensions. This code allowed them to steal cookies, access tokens, and other sensitive data from users.
The first known victim was the cybersecurity firm Cyberhaven, which disclosed on December 27 that its browser extension had been breached. Threat actors used the compromised extension to communicate with a Command and Control (C&C) server hosted on the domain cyberhavenext[.]pro. The malicious code downloaded additional configuration files and exfiltrated user data, including identity and access tokens.
A Broader Campaign
Cyberhaven was not an isolated target. Researchers quickly identified additional Chrome extensions compromised in the same campaign. Some of these extensions include:
- AI Assistant — ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
These extensions collectively served over 600,000 users and were exploited to collect sensitive information, such as Facebook credentials, including business account tokens.
The Threat of Malicious Extensions
“Browser extensions are the soft underbelly of web security,” warns Or Eshed, CEO of LayerX Security. “Although we tend to think of browser extensions as harmless, they often have extensive permissions that allow access to cookies, access tokens, and other sensitive information.”
The malicious versions of these extensions remained live for hours to days before being removed from the Chrome Web Store. However, as Eshed notes, removing compromised extensions from the store does not immediately mitigate the risk. “As long as the compromised version is still installed on users’ systems, hackers retain access and can continue exfiltrating data.”
What This Means for Users and Organizations
The attack has highlighted significant gaps in browser extension security and the risks that extensions pose. Jamie Blasco, CTO of SaaS security firm Nudge Security, emphasizes the need for organizations to monitor their endpoints for unauthorized extensions.
“Many organizations don’t even know what extensions are installed on their devices, let alone the extent of their exposure,” says Blasco. The need for proactive monitoring and regular auditing of browser extensions has never been more critical.
Steps to Protect Yourself
If you use any of the extensions listed above, follow these steps to secure your data:
- Uninstall the extension immediately. Ensure the compromised version is removed from your browser.
- Revoke access tokens. Visit platforms like Facebook to review and revoke access for suspicious sessions or applications.
- Enable endpoint monitoring. Organizations should deploy tools that track and manage installed browser extensions.
- Stay updated. Regularly check for updates or news related to the browser extensions you use.
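One way to carry out the inventory step on an endpoint, as an added example that is not part of the original article: the script below walks a Chrome profile's Extensions directory, resolves localized extension names, and flags any installed extension whose name matches the list above. The profile path, the constructed sample profile and the name-only matching (the article gives no extension IDs) are assumptions.

```python
import json, os, tempfile

# Extension names the article lists as compromised in this campaign (matched by name only).
COMPROMISED_NAMES = {
    "AI Assistant - ChatGPT and Gemini for Chrome", "Bard AI Chat Extension", "GPT 4 Summary with OpenAI",
    "Search Copilot AI Assistant for Chrome", "TinaMind AI Assistant", "Wayin AI", "VPNCity", "Internxt VPN",
    "Vindoz Flex Video Recorder", "VidHelper Video Downloader", "Bookmark Favicon Changer", "Castorus",
    "Uvoice", "Reader Mode", "Parrot Talks", "Primus",
}

def normalize_name(name):
    # Lower-case and collapse dash variants/whitespace so an em-dash store listing still matches.
    for dash in ("\u2014", "\u2013", "-"):
        name = name.replace(dash, " ")
    return " ".join(name.lower().split())
def load_json(path):
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return None  # missing file or not JSON: treat as "no manifest here"
def resolve_name(ext_dir, manifest):
    # Chrome i18n: a "__MSG_key__" name is looked up in _locales/<default_locale>/messages.json.
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale_file = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
        name = (load_json(locale_file) or {}).get(name[6:-2], {}).get("message", name)
    return name
def list_installed_extensions(profile_dir):
    # Layout is <profile>/Extensions/<id>/<version>/manifest.json; only depth-2 manifests count.
    found, root = [], os.path.join(profile_dir, "Extensions")
    for dirpath, _, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        manifest = load_json(os.path.join(dirpath, "manifest.json")) if len(parts) == 2 else None
        if isinstance(manifest, dict):
            found.append((parts[0], parts[1], resolve_name(dirpath, manifest)))
    return sorted(found)
def find_compromised(extensions, watchlist=COMPROMISED_NAMES):
    wanted = {normalize_name(n) for n in watchlist}
    return [ext for ext in extensions if normalize_name(ext[2]) in wanted]
def write_json(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w", encoding="utf-8").write(json.dumps(obj))
def build_sample_profile():
    # Constructed fixture, not a real profile: one flagged extension (localized name) and one benign one.
    base = tempfile.mkdtemp()
    flagged = os.path.join(base, "Extensions", "a" * 32, "1.0.0_0")
    write_json(os.path.join(flagged, "manifest.json"), {"name": "__MSG_appName__", "default_locale": "en"})
    write_json(os.path.join(flagged, "_locales", "en", "messages.json"), {"appName": {"message": "TinaMind AI Assistant"}})
    write_json(os.path.join(base, "Extensions", "b" * 32, "2.1.0_0", "manifest.json"), {"name": "Harmless Notes"})
    return base
```

On a real machine, pass the profile directory (for example the "Default" folder under the Chrome user data directory) to list_installed_extensions and feed the result to find_compromised; a hit is a signal to uninstall and revoke tokens as described above, not proof of infection, since a same-named benign extension would also match.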
Moving Forward
The compromise of these 16 extensions is a wake-up call for both users and developers. Extension publishers must adopt stronger security practices, including two-factor authentication and regular security audits. For users, it’s essential to remain vigilant and skeptical of extensions requesting extensive permissions.
The sophistication of this attack campaign demonstrates how browser extensions can be leveraged as powerful tools for cyberattacks. As the security community continues to investigate, it’s clear that protecting browser extensions will be a critical focus in the ongoing battle against cyber threats.