A new attack campaign has targeted known Chrome browser extensions, compromising at least 16 extensions and putting over 600,000 users at risk of data exposure and credential theft. The attack used a phishing campaign targeting publishers of browser extensions on the Chrome Web Store to steal cookies and user access tokens.
The first company to fall victim was Cyberhaven, one of whose employees was targeted by a phishing email claiming to be from Google Chrome Web Store Developer Support. The attackers published a malicious version of the extension, which was removed after 24 hours. Some of the other exposed extensions have already been updated or removed from the Chrome store.
Further investigation has uncovered additional compromised extensions, including AI Assistant – ChatGPT and Gemini for Chrome, Bard AI Chat Extension, and GPT 4 Summary with OpenAI. The attack campaign appears to be ongoing, with new domains being registered over time.
Security experts say that browser extensions are a soft underbelly of web security, often granted extensive permissions to sensitive user information. Many organizations may not even know what extensions they have installed on their endpoints, exposing them to potential vulnerabilities.
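One way to build the inventory this paragraph says many organizations lack, as an added example that is not from the original article: it walks a Chrome profile's Extensions directory and flags extensions whose manifest combines sensitive API permissions with access to all sites. The permission lists, the `flagged` rule and the sample extensions are assumptions constructed for illustration; a flag means broad reach, not compromise.

```python
import json
import tempfile
from pathlib import Path

# Assumed policy lists for illustration; tune them to your own environment.
RISKY_PERMISSIONS = {"cookies", "webRequest", "tabs", "scripting", "identity", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return the risky API permissions and broad host patterns a manifest requests."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts reach page content through their match patterns.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    return {"risky": sorted(declared & RISKY_PERMISSIONS),
            "broad_hosts": sorted(declared & BROAD_HOSTS)}

def inventory(extensions_dir: Path) -> list[dict]:
    """Audit every <extension id>/<version>/manifest.json under a profile's Extensions dir."""
    rows = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the inventory
        finding = audit_manifest(manifest)
        rows.append({"id": path.parts[-3], "name": manifest.get("name", "?"),
                     "version": manifest.get("version", "?"), **finding,
                     "flagged": bool(finding["risky"] and finding["broad_hosts"])})
    return rows

def build_sample_profile(root: Path) -> Path:
    """Constructed sample data: two made-up extensions, not real store entries."""
    samples = {
        "a" * 32: {"name": "Sample Notes", "version": "1.0", "permissions": ["storage"]},
        "b" * 32: {"name": "Sample Assistant", "version": "2.3",
                   "permissions": ["cookies", "tabs"], "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        folder = root / ext_id / f"{manifest['version']}_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample_profile(Path(tmp))):
            print(row)
```

To audit a real endpoint, pass `inventory()` the `Extensions` folder inside a Chrome profile directory instead of the constructed sample.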
The attackers gained access to legitimate extensions by using OAuth applications and uploading malicious code to the Chrome Web Store. Analysis indicates that the malicious code targeted identity data and access tokens of Facebook accounts, primarily with an intent to single out Facebook Ads users.
As security researchers continue to look for additional exposed extensions, experts warn that organizations must prioritize securing their browser extensions to prevent similar attacks in the future. The campaign’s sophistication and scope have upped the ante for many organizations, highlighting the need for improved browser extension security measures.
Source: https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html