News Net Daily

Widespread cyberattack targets Google Chrome extensions, compromises 2.6 million devices

by remon Buul
January 5, 2025
in Tech

What just happened? Cybersecurity researchers discovered a widespread attack targeting browser extensions in the Chrome Web Store during the holiday season. The campaign affected at least 33 extensions and potentially compromised data on approximately 2.6 million devices. The breach came to light when Cyberhaven, a data loss prevention service, identified malicious code embedded in one of its own extensions.

The attack, which began on Christmas Eve, exploited a vulnerability in the Chrome Web Store’s developer authentication system. The attackers used sophisticated spear phishing techniques to gain access to the accounts of extension developers, allowing them to upload malicious versions of popular extensions.

The Cyberhaven extension, designed to prevent users from inadvertently entering sensitive data into emails or websites, was one of the first to be compromised. “Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting the Cyberhaven Chrome extension,” the company said. “Public reports suggest this attack was part of a broader campaign targeting Chrome extension developers across a wide range of companies.”

The compromised version of the Cyberhaven extension, version 24.10.4, was available for 31 hours from December 25 to 26. During this period, Chrome browsers with Cyberhaven installed automatically downloaded and executed the malicious code. Analysis of the extension revealed that it was designed to interact with various payloads downloaded from a malicious site imitating the official Cyberhaven domain.

Cyberhaven breach reported. An employee phished and pushed a malicious Chrome extension.

Command and control:
149.28.124.84
cyberhavenext(.)pro

File hashes:
content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB

worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60

– Christopher Stanley (@cstanley) December 26, 2024
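
Defenders can check installed Chrome extensions against the file hashes and version number quoted above. The following Python script is an added example, not part of the original article or any vendor's tooling; the function names are hypothetical, and it assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>_N/` inside a profile directory.

```python
import hashlib
import sys
from pathlib import Path

# SHA-1 hashes and version number quoted in the article (hex lowercased).
IOC_SHA1 = {
    "ac5cc8bcc05ac27a8f189134c2e3300863b317fb": "content.js",
    "0b871bdee9d8302a48d6d6511228caf67a08ec60": "worker.js",
}
BAD_VERSION = "24.10.4"


def sha1_of(path):
    """Return the lowercase hex SHA-1 of a file, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_extensions(ext_root, ioc_sha1=IOC_SHA1, bad_version=BAD_VERSION):
    """Scan <ext_root>/<extension id>/<version dir>/ and return findings.

    Each finding is (extension_id, version_dir, reason). The directory layout
    is an assumption about how Chrome stores installed extensions on disk.
    """
    findings = []
    for version_dir in sorted(Path(ext_root).glob("*/*")):
        if not version_dir.is_dir():
            continue
        ext_id = version_dir.parent.name
        # Version directories look like "24.10.4_0"; drop the "_N" suffix.
        # The article gives no extension ID, so a version match alone is only
        # a lead to review; a hash match is the strong signal.
        if version_dir.name.split("_")[0] == bad_version:
            findings.append((ext_id, version_dir.name, f"version {bad_version}"))
        for js in sorted(version_dir.rglob("*.js")):
            label = ioc_sha1.get(sha1_of(js)) if js.is_file() else None
            if label:
                findings.append((ext_id, version_dir.name, f"hash match: {label}"))
    return findings


if __name__ == "__main__":
    # Usage: python scan_extensions.py "<Chrome profile>/Extensions"
    for finding in scan_extensions(sys.argv[1]):
        print(*finding, sep="\t")
```
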

As researchers delved deeper into the attack, they discovered that it extended far beyond Cyberhaven. John Tuckner, founder of Secure Annex, a browser extension analytics and management company, reported that at least 19 other Chrome extensions had been similarly compromised. The attackers used the same spear phishing campaign and custom lookalike domains to deliver payloads and harvest authentication information.

The collective impact of these compromised extensions is staggering, with approximately 1.46 million downloads across the 20 affected extensions. This attack is not an isolated incident either. A similar campaign targeted Chrome and Firefox extensions in 2019, compromising four million devices, including those on networks of major companies like Tesla, Blue Origin and Symantec.

Further investigation revealed an even more alarming trend. One of the compromised extensions, Reader Mode, was part of a separate campaign dating back to at least April 2023. This earlier compromise was linked to a monetization code library that collected detailed data about every web visit a browser made. Tuckner identified 13 Chrome extensions, with a total of 1.14 million installations, that had used this library to collect potentially sensitive data.

The incident sparked discussions about how to better secure browser extensions. Tuckner suggests a potential solution: Organizations could implement a browser asset management list, allowing only selected extensions to run while blocking all others.
