
Google Chrome browser extensions hacked: How it happened and tips to stay secure

The publishers of browser extensions on the Google Chrome Web Store were reportedly targeted via a phishing campaign.

Google Chrome is getting some really useful features. How to detect and remove any malware that may be affecting your browser. (Image Source: Reuters)

A series of Google Chrome browser extensions have been compromised in what appears to be a large-scale hacking campaign, leading to the exposure of user data that could enable hackers to steal credentials and potentially bypass two-factor authentication (2FA) as well.

Cyberhaven, a cybersecurity firm, was the first to confirm that its browser extension had fallen victim to the cyber attack on December 24.

“The attacker gained requisite permissions via the malicious application (Privacy Policy Extension) and uploaded a malicious Chrome extension to the Chrome Web Store,” Howard Ting, CEO of Cyberhaven, said in a blog post on December 27.

“After the customary Chrome Web Store Security review process, the malicious extension was approved for publication,” he added.

Users download and install browser extensions on their web browser to customise their web-browsing experience. For instance, a wallpaper browser extension offers users a selection of high-quality images that can be chosen to be the background of a new page or tab. Cyberhaven’s Chrome extension allows users to monitor and secure client data across several web-based applications.

While the full scale of the cyber attack is not yet known, Secure Annex, a browser extension security platform, has identified at least 26 compromised extensions, including AI Assistant-ChatGPT and Gemini for Chrome, Bard AI Chat Extension, GPT 4 Summary with OpenAI, Search Copilot AI Assistant for Chrome, VPNCity, Internxt VPN, VidHelper Video Downloader, Bookmark Favicon Changer, Tackker-online keylogger tool, AI Shop Buddy, and ChatGPT Assistant-Smart Search, among others.

Currently, it is unclear if these security breaches are connected and who exactly is behind them. However, the sophistication of the attack campaign seems to indicate that it is not limited to Cyberhaven.


How the cyber attack unfolded

The publishers of browser extensions available on the Google Chrome Web Store were reportedly targeted via a phishing campaign.

Phishing is when bad actors send their targets fraudulent emails or point them towards fake websites that impersonate legitimate entities – like companies, banks, insurance firms, and government departments – to steal information.

In this case, the hackers reportedly sent a phishing email to Cyberhaven under the guise that it was sent from Google Chrome Web Store Developer Support. The email claimed that the firm’s browser extension would be removed from the Chrome Web Store since it had purportedly violated Google’s Developer Program Policies.

The phishing email further urged the recipient to click on a link in order to accept the policies. When they did, the recipient was instead redirected to a page that would grant permissions to a malicious OAuth application called “Privacy Policy Extension.”


OAuth stands for Open Authorisation. It is a widely adopted standard that is used to authorise secure access in the form of temporary tokens.

Once the hackers received access permissions, they reportedly injected malicious code into the legitimate Chrome browser extensions that would further enable them to steal session cookies and user access tokens.

“While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms,” Cyberhaven said.

The company also said it took down the compromised version of its browser extension from the Chrome Web Store after 24 hours. However, a few experts have pointed out that hackers can still access and exfiltrate user data if the compromised version of the browser extension is still active on the user’s end.


What can you do to secure yourself?

Google is yet to issue a public statement on the hacking campaign targeting Chrome browser extensions, and its support page mainly offers guidance for developers to secure their browser extensions from their end:

– Protect developer accounts: “If developers’ accounts are compromised, an attacker could push malicious code directly to all users. Protect these accounts by enabling two-factor authentication, preferably with a security key.”
– Never use HTTP: “HTTPS should always be preferred, as it has built-in security circumventing most man-in-the-middle attacks.”
– Request minimal permissions: “Extensions should minimize their permissions by only registering APIs and websites they depend on. Limiting an extension’s privileges limits what a potential attacker can exploit.”
– Register and sanitise inputs: “Safeguard an extension from malicious scripts by limiting listeners to only what the extension is expecting, validating the senders of incoming data, and sanitizing all inputs.”
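
The HTTPS and minimal-permissions points above can be checked mechanically against an extension's manifest. The following is an added example, not code from Google, Cyberhaven or this article: it audits a Manifest V3 `manifest.json` object, and the list of sensitive permissions, the rule names and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest (Manifest V3 layout)
// for broad permissions and plain-HTTP hosts.

// Permissions treated as high-impact. This selection is the example's own
// assumption: each one exposes cookies, page content or browsing activity.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "webRequest", "scripting", "tabs", "history", "debugger",
]);

// Match patterns that cover every site instead of the ones actually needed,
// e.g. "<all_urls>", "*://*/*", "https://*/*".
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function auditManifest(manifest) {
  const findings = [];
  const apiPerms = manifest.permissions || [];
  // Host access can be declared in several places; collect all of them.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of apiPerms) {
    if (SENSITIVE_PERMISSIONS.has(p)) {
      findings.push({ rule: "sensitive-permission", value: p });
    }
  }
  for (const h of hosts) {
    if (BROAD_HOST.test(h)) findings.push({ rule: "broad-host-access", value: h });
    if (h.startsWith("http://")) findings.push({ rule: "plain-http-host", value: h });
  }
  // "cookies" plus an all-sites pattern lets the extension read session
  // cookies everywhere, so any code pushed through a hijacked developer
  // account inherits that reach.
  if (apiPerms.includes("cookies") && hosts.some((h) => BROAD_HOST.test(h))) {
    findings.push({ rule: "cookie-access-all-sites", value: "cookies + broad host" });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const overBroadManifest = {
  manifest_version: 3,
  permissions: ["storage", "cookies", "tabs"],
  host_permissions: ["<all_urls>", "http://api.example.test/*"],
  content_scripts: [{ matches: ["https://app.example.test/*"], js: ["c.js"] }],
};
const minimalManifest = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://app.example.test/*"],
};
```

Calling `auditManifest(overBroadManifest)` returns five findings, while `auditManifest(minimalManifest)` returns an empty list.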

If you’ve installed a compromised browser extension, consider deleting it and then reinstalling it to ensure that you have the latest, potentially secure version. You could also run a full system scan with a trusted anti-virus software. This will help you to detect and remove any malware that may be affecting your browser.
