Hacked Chrome Extensions: Over 600,000 Users Victims of Data Theft
Author
NEXT2i
Date Published
A new cyberattack has targeted about twenty popular extensions for the Chrome browser. More than 600,000 users have been exposed to the theft of data and credentials. The attacks, which combine phishing of extension developers with malicious code pushed through the Chrome Web Store, expose a weakness in how extensions are managed: whoever controls a publisher's store account can ship a new version to every installed copy, and browsers install it automatically.
Phishing Techniques Targeting Publishers
The attack began with a series of phishing campaigns aimed at extension publishers on the Chrome Web Store. The attackers posed as Google support. Their link led to a consent page for an attacker-controlled application requesting permission to manage the developer's Chrome Web Store items. A developer who approved that request handed the attackers the right to publish new versions of their extensions, without the attackers ever learning the account password or passing its multi-factor authentication. The attackers then used that access to upload versions of the extensions carrying malicious scripts.
Cyberhaven: A Prime Target
On December 24, 2024, a hacker accessed the Chrome Web Store administrator account of a Cyberhaven employee. This company, specializing in data loss prevention, counts giants like Snowflake, Motorola, Reddit, and Canon among its clients.
The hacker published an infected version (24.10.4) of the Cyberhaven extension. The injected code harvested users' session cookies and authentication tokens and sent them to an attacker-controlled domain ("cyberhavenext[.]pro"). The infected version was removed less than an hour after its detection. Cyberhaven published a clean version (24.10.5) and recommends that affected users change their passwords and reset their API tokens.
An Attack Extended to Many Extensions
This attack is not limited to Cyberhaven. Extensions such as Internxt VPN, VPNCity, Uvoice, and ParrotTalks were also compromised. Hackers injected similar code, enabling communication with malicious servers.
Other extensions like Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, and AI Shop Buddy are among the victims. Some extensions have already been removed from the Chrome Web Store, including Visual Effects for Google Meet, Rewards Search Automator, Tackker, Bard AI chat, and Reader Mode.
A Well-Organized Scheme
The phishing email appeared to come from Google. It warned developers that their extension was about to be removed from the store, creating the urgency that gets a link clicked. By opening the fraudulent page and granting the requested permissions, the publishers gave the hackers the access needed to modify and republish their extensions.
Consequences for Users
Hackers used the infected extensions to steal sensitive information, such as session cookies and authentication tokens. A stolen session cookie lets an attacker act as the logged-in user without a password and without triggering multi-factor authentication, which is why the targets included advertising platforms such as Facebook Ads, where a hijacked account translates directly into financial fraud.
How to Protect Yourself?
Here are some recommendations to avoid falling victim to these attacks:
Regularly check your installed extensions and remove those you do not use.
Limit permissions granted to extensions, especially those requesting access to your sensitive data.
Update your extensions to benefit from security patches.
Change your passwords and reset your API tokens if you are affected; since a stolen session cookie stays valid until the session is invalidated, also sign out of all sessions on the affected accounts.
Be vigilant against suspicious emails, especially those claiming to come from official services.
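As a practical companion to the first two recommendations, the script below audits the extensions unpacked in a local Chrome profile: it flags the compromised Cyberhaven version (24.10.4) and any script that references the exfiltration domain (cyberhavenext[.]pro) named above, and it lists permissions that give an extension access to cookies or to every site. This is an added example written for this article, not code from NEXT2i, Cyberhaven or Google. The extension ID used for the known-bad entry is a placeholder, the set of "risky" permissions is a judgement call made here, and the sample profile it builds when no Chrome profile is found is constructed data, not a real capture.

```python
"""Audit locally installed Chrome extensions against the indicators in this article."""
import json
import os
import platform
import tempfile
from pathlib import Path

# Indicators reported for the Cyberhaven incident: the malicious version and the
# exfiltration domain. The extension ID is a PLACEHOLDER (assumption for this
# example); take the real ID from the vendor's advisory.
KNOWN_BAD_VERSIONS = {("abcdefghijklmnopabcdefghijklmnop", "24.10.4")}
KNOWN_BAD_DOMAINS = {"cyberhavenext.pro"}

# Permissions that let an extension read cookies or run on every site.
# Which permissions count as "risky" is a judgement call made for this example.
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "<all_urls>",
    "*://*/*", "http://*/*", "https://*/*",
}


def default_extensions_dir() -> Path:
    """Chrome's default-profile Extensions folder on the current OS."""
    home, system = Path.home(), platform.system()
    if system == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if system == "Darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def manifest_permissions(manifest: dict) -> set:
    """API permissions plus host permissions (MV2 puts hosts under 'permissions',
    MV3 under 'host_permissions')."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def scan_extension(version_dir: Path, ext_id: str) -> dict:
    """Check one unpacked extension version: known-bad release, IOC domains in
    its scripts, and risky permissions."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    # Chrome names version folders like "24.10.4_0"; the manifest holds the clean version.
    version = manifest.get("version", version_dir.name.split("_")[0])
    findings = []
    if (ext_id, version) in KNOWN_BAD_VERSIONS:
        findings.append(f"version {version} is a known compromised release")
    risky = manifest_permissions(manifest) & RISKY_PERMISSIONS
    if risky:
        findings.append("risky permissions: " + ", ".join(sorted(risky)))
    for script in sorted(version_dir.rglob("*.js")):
        text = script.read_text(encoding="utf-8", errors="ignore")
        hits = sorted(d for d in KNOWN_BAD_DOMAINS if d in text)
        if hits:
            findings.append(f"{script.relative_to(version_dir)} references {', '.join(hits)}")
    return {"id": ext_id, "name": manifest.get("name", "?"), "version": version, "findings": findings}


def scan_profile(extensions_root: Path) -> list:
    """Walk <root>/<extension_id>/<version>/manifest.json and scan every version."""
    results = []
    for id_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            if (version_dir / "manifest.json").is_file():
                results.append(scan_extension(version_dir, id_dir.name))
    return results


def build_sample_profile(root: Path) -> Path:
    """Constructed sample data (not a real capture): one clean extension and one
    that carries the indicators described in the article."""
    clean = root / "bcdefghijklmnopabcdefghijklmnopa" / "1.2.0_0"
    clean.mkdir(parents=True)
    (clean / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Clean Notes", "version": "1.2.0",
        "permissions": ["storage"]}))
    (clean / "background.js").write_text("chrome.storage.local.set({ok: true});")
    bad = root / "abcdefghijklmnopabcdefghijklmnop" / "24.10.4_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Data Loss Prevention", "version": "24.10.4",
        "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}))
    # Only the reference to the IOC domain is reproduced; no exfiltration logic.
    (bad / "worker.js").write_text('const cfg = "https://cyberhavenext.pro/config";')
    return root


def demo_scan() -> list:
    """Scan a freshly built constructed sample profile in a temporary directory."""
    return scan_profile(build_sample_profile(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    root = default_extensions_dir()
    results = scan_profile(root) if root.is_dir() else demo_scan()
    for r in results:
        print(f"{'SUSPECT' if r['findings'] else 'ok':7} {r['id']} {r['name']} {r['version']}")
        for finding in r["findings"]:
            print(f"        - {finding}")
```

Run it on the machine being checked; a "SUSPECT" line with a known compromised release or an IOC reference means the profile held an infected version and the account cleanup in the recommendations above applies. The permission findings are informational: many legitimate extensions need cookies or all-site access, but each one is a candidate for the "remove what you do not use" step, because a compromised publisher account turns that access into an attacker's.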
In Conclusion
This attack highlights critical weaknesses in the security of browser extensions, which are often perceived as harmless even though they run with access to everything the user does in the browser. Users and businesses must strengthen their vigilance and adopt stricter cybersecurity practices to limit their exposure to these threats.
Discover our NEXT2i Cybersecurity offers by clicking here. For any questions regarding our VOC, SOC, MDR, or other offers, fill out the contact form or contact us at 01 48 49 98 00.