Google Chrome Extensions Targeted in Data Theft Campaign

Security researchers have warned users of Google Chrome extensions about a major data theft campaign. At least 36 compromised Chrome extensions have been detected, potentially exposing up to 2.6 million end users. The campaign was first discovered in late December when a cybersecurity startup’s extension was hijacked, putting its 400,000 users at risk.

The attackers used a phishing email to trick the admin into granting permissions to a malicious OAuth application. This allowed the attackers to upload new versions of the compromised extension, designed to steal users’ passwords, cookies, and other information that could enable account takeovers. The malicious code managed to bypass Google’s security checks.

Experts warn that extensions are an increasingly popular way for threat actors to gain initial access. Most corporate IT teams don’t control what their users install, and few monitor subsequent updates to allow-listed extensions. Large numbers of developers are also easy to target, as their email addresses are often publicly listed on the Chrome Store.
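The monitoring gap described above, updates to allow-listed extensions that nobody re-reviews, can be narrowed with a drift check. The following is an added example, not code from the article or any vendor it mentions: it reads manifests from a Chrome `Extensions` directory and reports version changes and newly requested permissions against a reviewed baseline. The on-disk layout, the baseline format, the function names, and the sample extension IDs are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

def version_key(version):
    return tuple(int(p) for p in version.split(".") if p.isdigit())  # "2.1.0" -> (2, 1, 0)

def installed_extensions(ext_root):
    """Map id -> (version, permissions) of the newest copy under <ext_root>/<id>/<version dir>/."""
    found = {}
    for manifest in Path(ext_root).glob("*/*/manifest.json"):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        version = str(data.get("version", ""))
        perms = {p for key in ("permissions", "host_permissions")
                 for p in data.get(key, []) if isinstance(p, str)}
        ext_id = manifest.parent.parent.name
        if ext_id not in found or version_key(version) > version_key(found[ext_id][0]):
            found[ext_id] = (version, perms)
    return found

def audit(ext_root, baseline):
    """List drift from the reviewed baseline {id: {"version": str, "permissions": [str]}}."""
    findings = []
    for ext_id, (version, perms) in sorted(installed_extensions(ext_root).items()):
        approved = baseline.get(ext_id)
        if approved is None:
            findings.append((ext_id, "not-allow-listed", version))
            continue
        if version != approved["version"]:
            findings.append((ext_id, "version-changed", f"{approved['version']} -> {version}"))
        added = sorted(perms - set(approved["permissions"]))
        if added:  # an update that asks for more access than was reviewed
            findings.append((ext_id, "permissions-added", ", ".join(added)))
    return findings

def write_manifest(root, ext_id, version, permissions, hosts=()):  # builds constructed sample data
    folder = Path(root) / ext_id / f"{version}_0"
    folder.mkdir(parents=True)
    manifest = {"manifest_version": 3, "name": "sample", "version": version,
                "permissions": list(permissions), "host_permissions": list(hosts)}
    (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed profile, not real extensions
        write_manifest(root, "a" * 32, "1.4.0", ["storage"])
        write_manifest(root, "b" * 32, "2.1.0", ["storage", "cookies"], ["<all_urls>"])
        baseline = {"a" * 32: {"version": "1.4.0", "permissions": ["storage"]},
                    "b" * 32: {"version": "2.0.9", "permissions": ["storage"]}}
        print(*audit(root, baseline), sep="\n")
```

A version change on its own is routine; a version change that also adds permissions such as `cookies` or broad host access is the combination that warrants a fresh review before the extension stays on the allow-list.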

The security vendor SquareX has seen similar attacks designed to steal data from apps like Google Drive and OneDrive. The founder warned that threat actors will become more creative in future campaigns, with identity attacks aimed at browser extensions.

Companies need to remain vigilant and minimize supply chain risk while equipping employees with the right tools to maintain productivity.

Source: https://www.infosecurity-magazine.com/news/chrome-browser-extensions-hijacked