Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Widespread Attack on Chrome Browser Extensions Exposes Sensitive User Data


A campaign that compromised the publisher accounts behind at least 16 Chrome browser extensions has exposed data from over 600,000 users. The incident is a software supply-chain attack on the extension ecosystem: rather than exploiting a bug in the browser, the attackers phished extension developers, pushed trojanized updates through the Chrome Web Store, and let Chrome's auto-update mechanism deliver the malicious code.

  • At least 16 Chrome browser extensions were compromised, exposing data from over 600,000 users.
  • The injected code was used to steal cookies and access tokens from the browsers of affected users.
  • A phishing email campaign tricked extension developers into authorizing a malicious OAuth application, which gave the attackers publishing rights on the Google Chrome Web Store.
  • The attackers uploaded a trojanized copy of a legitimate extension, and it passed the standard Chrome Web Store review and was published.
  • The malicious version collected user data from targeted websites and exfiltrated it to a domain specified by the attackers' command-and-control server.



    A phishing campaign against extension developers has compromised at least 16 Chrome browser extensions, and the trojanized versions have exposed sensitive data from over 600,000 users. The case is instructive because the victim that first disclosed it, Cyberhaven, had MFA and Google Advanced Protection in place, and neither stopped the attack.


    The investigation into this activity was triggered by a disclosure from cybersecurity firm Cyberhaven, which found that a phishing email had led one of its employees to grant an attacker-controlled OAuth application access to the company's Google Chrome Web Store developer account. The attacker used that access to publish a malicious version of the Cyberhaven Chrome extension (version 24.10.4), which contained code that stole cookies and access tokens from the browsers it ran in.

    The phishing email, posing as Google Chrome Web Store Developer Support, warned the employee that the extension would be removed for policy violations and urged them to accept the publishing policy. The link in the email led to a legitimate Google OAuth consent screen for an attacker-controlled application. By clicking "Allow", the employee granted that application access to their Web Store developer account. MFA and Google Advanced Protection did not help here, because an OAuth consent grant is made by an already-authenticated user; no second factor is prompted, and the application receives its own token that is valid regardless of the user's login protections. The practical defence is to restrict which third-party OAuth applications users in the organization may authorize, and to audit existing grants.

    The attackers obtained the required permissions through the malicious application (named "Privacy Policy Extension") and uploaded a malicious Chrome extension to the Chrome Web Store. The extension went through the standard Chrome Web Store security review and was approved for publication. It was essentially a clean prior version of the official Cyberhaven extension: the attacker copied the legitimate code and added the malicious logic, so the bulk of the package was unchanged and unremarkable to review.

    The malicious version was then distributed to a portion of Cyberhaven's customer base, affecting only Chrome-based browsers that auto-updated between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26. The malicious code lived in two files: worker.js, the background script, contacted a hardcoded command-and-control (C&C) server to download its configuration and issued the HTTP calls; content.js, injected into web pages, collected user data from the websites named in that configuration and exfiltrated it to a malicious domain specified in the C&C payload. The split matters for detection: the content script looks like ordinary page instrumentation, and only the background worker carries the hardcoded server address.

    Cyberhaven reported that they were working with their customers and an external third-party security response team to help them analyze and investigate further. The company concluded that this was a non-targeted attack, and part of a wider campaign, aimed at Facebook Ads users. However, researchers at security firm Secure Annex further investigated the attack and discovered that other Chrome browser extensions were compromised.

    The lessons are narrower and more actionable than a generic call for "robust security measures". For extension publishers, the weak point was the developer account: MFA does not stop OAuth consent phishing, so organizations should restrict which third-party applications their users can authorize, review existing grants, and treat Web Store publishing credentials as production secrets. For users and administrators, the auto-update channel means a compromised publisher becomes a compromised fleet within hours; enterprise Chrome policies that pin extensions to an allowlist, and endpoint monitoring of the extension directories, shorten the window between a malicious update and its removal.

    The incident fits a broader pattern of supply-chain attacks in which attackers go after the publishers of software or extensions rather than the software itself, because a single publishing account fans out to every installed copy. The investigation by Cyberhaven and Secure Annex shows how quickly that fan-out happens: the malicious Cyberhaven version was live for roughly 25 hours, yet it and the other compromised extensions reached over 600,000 users.

    In short, this campaign is a wake-up call for extension developers and the organizations that depend on them: protect publishing accounts against consent phishing, not just password theft, monitor what your browsers install, and train staff to recognise the policy-violation lure that worked here.



    Related Information:

  • https://securityaffairs.com/172491/hacking/chrome-browser-extensions-compromise.html


  • Published: Tue Dec 31 10:52:33 2024 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us