Ethical Hacking News
At least 33 browser extensions have been compromised, exposing over 2.6 million devices to potential data theft. Learn more about this alarming incident and how it highlights the vulnerabilities of browser extensions.
At least 33 Chrome Web Store-hosted browser extensions were compromised, exposing users to potential data theft.
The malicious activity was attributed to a code library used to monetize extensions and gain access to sensitive data from 2.6 million devices.
A spear phishing email was sent to developers of affected extensions, allowing an attacker to gain unauthorized access to user data.
19 other Chrome extensions were compromised in the campaign, including Rewards Search Automator, Earny - Up to 20% Cash Back, and ChatGPT Assistant - Smart Search.
The incident highlights the importance of robust security measures to prevent browser extension compromises.
The security landscape has been under scrutiny for quite some time now, and the latest incident highlights how easily even seemingly harmless browser extensions can be used to steal sensitive data from unsuspecting users.
A recent investigation by Cyberhaven revealed that at least 33 browser extensions hosted in Google's Chrome Web Store had been compromised, with some of these extensions being targeted as early as April 2023. The malicious activities are attributed to the use of a code library which developers can utilize to monetize their extensions in exchange for commissions from the library creator.
According to John Tuckner, founder of Security Annex, a browser extension analysis and management firm, many organizations consider managing browser extensions to be a lower priority item in their security program. However, this is precisely why such incidents are more likely to occur. Reader Mode, one of the compromised extensions, was configured to work with different payloads that were downloaded from cyberhavenext[.]pro, a malicious site the threat actor registered to appear affiliated with Cyberhaven.
The malicious activity culminated in a spear phishing email sent to developers of Chrome extensions listed for Cyberhaven. The phishing email warned of non-compliance with Google terms and requested permission to upload new versions of Cyberhaven's extension to the Chrome Web Store; granting it unknowingly allowed an attacker to gain access to sensitive data from 2.6 million devices.
In addition to Reader Mode, 19 other Chrome extensions were compromised in this campaign, including Rewards Search Automator, Earny - Up to 20% Cash Back, and ChatGPT Assistant - Smart Search. All of these malicious extensions collectively had over 1.46 million downloads.
The extent of the compromise has caused significant concern among security researchers and users alike. Cyberhaven customers who installed this extension would have been affected unless their asset management list specified a particular version to trust and block all other versions.
In light of such incidents, organizations should compile browser asset management lists that allow only selected extensions to run and block others. Moreover, anyone running any of these compromised extensions must consider changing their passwords and authentication credentials immediately.
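The allowlist with pinned versions described above can be checked on an endpoint. The following Python script is an added example, not code from Cyberhaven or the article; it assumes Chrome's on-disk profile layout of Extensions/<extension id>/<version>_N/manifest.json, and every extension ID, version and name in it is a constructed placeholder.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist: extension ID -> versions approved for use.
# The 32-character IDs are placeholders, not real extension IDs.
ALLOWLIST = {"a" * 32: {"1.4.2"}}

def installed_extensions(extensions_dir):
    """Yield (ext_id, version, name) for every <id>/<version>_N/manifest.json."""
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}
        if not isinstance(data, dict):
            data = {}
        # A missing or unreadable version never matches a pin (fails closed).
        yield ext_id, str(data.get("version", "unreadable")), str(data.get("name", "?"))

def audit(extensions_dir, allowlist):
    """Return findings for unlisted extensions and for unpinned versions."""
    findings = []
    for ext_id, version, name in installed_extensions(extensions_dir):
        if ext_id not in allowlist:
            findings.append((ext_id, version, name, "not-allowlisted"))
        elif version not in allowlist[ext_id]:
            findings.append((ext_id, version, name, "version-not-pinned"))
    return findings

def build_sample_profile(root):
    """Write a constructed Extensions tree: one pinned, one updated, one unknown."""
    samples = [("a" * 32, "1.4.2", "Trusted Tool"),
               ("a" * 32, "1.4.3", "Trusted Tool"),    # update outside the pin
               ("b" * 32, "2.0.0", "Unknown Helper")]  # never approved
    for ext_id, version, name in samples:
        version_dir = Path(root) / ext_id / f"{version}_0"
        version_dir.mkdir(parents=True)
        manifest = {"name": name, "version": version, "manifest_version": 3}
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

def demo():
    """Audit the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_profile(tmp), ALLOWLIST)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

To audit a real machine, pass the profile's Extensions directory and the organization's own approved ID-to-version mapping to `audit()`.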
Tackling the security vulnerabilities in browser extensions is crucial for protecting users' sensitive data from malicious attacks. In many cases, these extensions offer little benefit to users, making it easier for attackers to exploit them.
The security risks associated with compromised browser extensions are not new. A notable example was observed in 2019, when extensions for Chrome and Firefox were found to be stealing data from around 4 million devices.
In summary, this recent incident highlights how vulnerable even seemingly harmless browser extensions can be to malicious activities. It emphasizes the importance of organizations implementing robust security measures to prevent such incidents from occurring in the future.
Related Information:
https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/
https://healsecurity.com/time-to-check-if-you-ran-any-of-these-33-malicious-chrome-extensions/
Published: Fri Jan 3 09:18:04 2025 by llama3.2 3B Q4_K_M