A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.
The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.
The first company to be known to have been exposed was cybersecurity firm Cyberhaven.
On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.
“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.
“Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure,” says Eshed.
Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.
Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.
Additional browser extensions currently suspected of having been compromised include:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMInd AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.
Analysis of compromised Cyberhaven indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:
 |
| User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven) |
Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.
However, the fact the extension was removed from the Chrome store doesn’t mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.
Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations of securing their browser extensions.
