
January 8, 2025 |

33 Chrome extensions found to be malicious


In late December 2024, cybersecurity researchers discovered that at least 33 malicious Chrome browser extensions—installed by over 2.6 million users—had been covertly siphoning data from users for up to 18 months.

The campaign was uncovered when Cyberhaven, a data loss prevention company, noticed that its Chrome browser extension had recently been updated with code that included sensitive data stolen from the company. Further analysis revealed that the extension, used by 400,000 of its customers, had been configured to download various payloads from actor-controlled infrastructure capable of exfiltrating browser cookies and authentication credentials for Facebook and ChatGPT.

In total, the malicious browser extension was openly available for download in the Google Chrome store for 31 hours. During this period, actively running Chrome browsers with the Cyberhaven extension installed would have automatically downloaded and installed the malicious update.


A subsequent investigation revealed that a spearphishing email sent to the developers Google listed for the Cyberhaven extension had tricked them into granting permissions that the threat actor then used to upload the compromised version of the Cyberhaven extension to the Chrome Web Store.

As Cyberhaven sounded the alarm on this activity, other developers began to discover that the same campaign had targeted multiple other Chrome extensions, some successfully, including an extension called Reader Mode that may have been compromised as early as April 2023.

Source: The Hacker News

Analysis

As there are well over 100,000 Chrome browser extensions openly available for download in Google’s Chrome store, it’s nearly impossible for Google to verify whether each extension, or each update to it, contains malicious code. As a result, browser extensions have been a common attack vector for threat actors looking to exfiltrate sensitive user data.

In 2019, a major security issue was uncovered involving malicious browser extensions for both Google Chrome and Mozilla Firefox. The attack affected over 70 Chrome and 28 Firefox extensions disguised as tools for productivity, security, or ad-blocking.

Throughout the campaign, the malicious extensions were downloaded and installed on over four million devices worldwide. These extensions exfiltrated browsing data, including user activity on sensitive websites, authentication credentials, and potentially other private information.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for web browser-related threats. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these threats.

Field Effect MDR users are automatically notified if a malicious, or potentially malicious, Chrome extension is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends that users keep web browsers up to date by enabling automatic updates. This will ensure that the latest security updates are installed as soon as possible, providing threat actors with a smaller window in which they can conduct attacks.

Organizations that wish to mitigate the potential threat browser extensions pose should allowlist trusted, secure extensions and restrict access to all others. While this wouldn’t stop approved extensions from downloading potentially malicious updates, it would limit the number of extensions a user could install, thus reducing the attack surface. Alternatively, organizations could adopt a policy to block high-risk AI and VPN extensions or those that request cookie access.
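The allowlist approach above can be expressed as a Chrome enterprise policy and checked against what is actually installed. The following is an added example, not Field Effect’s code or anything from the Cyberhaven investigation: it builds an `ExtensionSettings` policy that blocks every extension by default, allows only a short list of approved IDs, and refuses any extension that requests the `cookies` permission, then audits a set of installed-extension manifests against that policy. The extension IDs and manifests are constructed placeholders; the policy key names are Chrome’s documented enterprise policy names.

```python
"""
Chrome extension allowlist policy plus a manifest audit.

Added example (not Field Effect's or Cyberhaven's code). Assumptions:
- the extension IDs below are constructed 32-letter placeholders, not real IDs;
- the sample manifests are constructed, not taken from any real extension;
- ExtensionSettings / installation_mode / blocked_permissions are Chrome's
  documented enterprise policy names.
"""
import json
import re
from pathlib import Path

# Constructed placeholder IDs; real Chrome extension IDs are 32 letters a-p.
APPROVED_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "approved password manager (placeholder)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "approved PDF viewer (placeholder)",
}
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def build_policy(approved, blocked_permissions=("cookies",)):
    """Return an ExtensionSettings policy: deny everything by default, allow
    only the listed IDs, and refuse any extension that asks for a blocked
    permission. Chrome also disables an already-installed extension whose
    update starts requesting a blocked permission, so this catches one class
    of malicious update even for allowlisted extensions."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_permissions": list(blocked_permissions),
        }
    }
    for ext_id in approved:
        if not EXT_ID_RE.match(ext_id):
            raise ValueError(f"not a valid extension ID: {ext_id}")
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def write_policy(policy, path):
    """Write the policy as a managed-policy JSON file. On Linux Chrome reads
    such files from /etc/opt/chrome/policies/managed/; the caller picks the path."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2))
    return path


def audit_extension(ext_id, manifest, policy):
    """Compare one installed extension's manifest against the policy and
    return a list of findings (an empty list means the extension complies)."""
    settings = policy["ExtensionSettings"]
    findings = []
    mode = settings.get(ext_id, settings["*"])["installation_mode"]
    if mode == "blocked":
        findings.append(f"{ext_id}: not on the allowlist (would be blocked)")
    blocked = set(settings["*"].get("blocked_permissions", []))
    requested = set(manifest.get("permissions", []))
    for perm in sorted(blocked & requested):
        findings.append(f"{ext_id}: requests blocked permission '{perm}'")
    return findings


def audit_all(installed, policy):
    """Audit a mapping of extension ID -> manifest dict."""
    return {eid: audit_extension(eid, m, policy) for eid, m in installed.items()}


# Constructed sample manifests, standing in for what an inventory script would
# read from each profile's Extensions/<id>/<version>/manifest.json.
SAMPLE_INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Password Manager", "permissions": ["storage"]},
    "cccccccccccccccccccccccccccccccc": {"name": "Free VPN", "permissions": ["cookies", "tabs"]},
}

if __name__ == "__main__":
    policy = build_policy(APPROVED_IDS)
    print(json.dumps(policy, indent=2))
    for eid, findings in audit_all(SAMPLE_INSTALLED, policy).items():
        print(eid, "OK" if not findings else findings)
```

On Windows the same `ExtensionSettings` JSON is supplied as a string value under the Chrome policy registry key rather than as a file; the audit half of the script is platform-neutral, since it only needs each installed extension's `manifest.json`. Note the limitation the text already states: an allowlisted extension can still ship a malicious update, and `blocked_permissions` only intervenes when that update newly requests a blocked permission.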

If they haven’t already, organizations should also consider adopting a cybersecurity solution, such as Field Effect MDR, capable of detecting vulnerable and malicious browser extensions.
