A series of attacks on Google Chrome browser extensions has compromised session cookies and bypassed two-factor authentication (2FA) protections, leaving millions of users at risk. The latest attack targeted security company Cyberhaven, with hackers gaining access to the Chrome Web Store using compromised employee credentials.
The attackers cloned the 2FA process, capturing the session cookie created when a correct code is entered, which allowed them to replay that session later and appear as an authenticated user. The impact and scope of the attack were limited to Chrome-based browsers that auto-updated during the affected period, but Cyberhaven confirmed the attack could have exfiltrated cookies and authenticated sessions for targeted websites.
Experts emphasize the importance of mitigating 2FA bypass attacks by using passkeys, which provide stronger protection against phishing and other social engineering attacks. To prevent similar attacks in the future, clients can use Browser Detection-Response tools to disallow apps that request risky OAuth scopes unless authorized.
Cyberhaven notified affected customers and automatically deployed a secure version of its Chrome extension, 24.10.5, after removing the malicious code from the Chrome Web Store. Users are advised to verify that their extension has updated to this newer version or to check for potential vulnerabilities in their own browser extensions.
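One way to run the version check recommended above against a Chrome profile, as an added example that is not from the article or from Cyberhaven. It assumes Chrome's on-disk layout `<profile>/Extensions/<extension id>/<version>_N/manifest.json`; the extension ID is a placeholder because the article does not give it, and the function names are illustrative.

```python
import json
import sys
from pathlib import Path

FIXED_VERSION = "24.10.5"  # fixed release named in the article
EXTENSION_ID = "<extension-id-placeholder>"  # assumption: ID is not given in the article


def parse_version(text):
    """Chrome extension versions are 1 to 4 dot-separated integers; pad to 4."""
    parts = [int(p) for p in str(text).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def installed_versions(profile_dir, extension_id):
    """Read every <profile>/Extensions/<id>/<version>_N/manifest.json."""
    ext_root = Path(profile_dir) / "Extensions" / extension_id
    found = []
    if not ext_root.is_dir():
        return found
    for manifest in sorted(ext_root.glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            parse_version(version)  # reject malformed version strings
            found.append(str(version))
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest: ignore it
    return found


def audit(profile_dir, extension_id=EXTENSION_ID, fixed=FIXED_VERSION):
    """Return (status, newest_version); status is 'absent', 'outdated' or 'ok'."""
    versions = installed_versions(profile_dir, extension_id)
    if not versions:
        return "absent", None
    # Chrome can keep an older version directory until restart, so judge the newest.
    newest = max(versions, key=parse_version)
    status = "ok" if parse_version(newest) >= parse_version(fixed) else "outdated"
    return status, newest


if __name__ == "__main__":
    # Usage: python check_extension.py <path to Chrome profile> <extension id>
    profile, ext_id = sys.argv[1], sys.argv[2]
    print(profile, *audit(profile, ext_id))
```

Versions are compared as integer tuples rather than strings, so a release such as 24.9.12 is correctly treated as older than 24.10.5.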
Source: https://www.forbes.com/sites/daveywinder/2024/12/30/google-chrome-2fa-bypass-attack-confirmed-what-you-need-to-know