16 Chrome Extensions Hacked: Over 600,000 Users Exposed to Data Theft and Credential Breaches
Dec 30, 2024
In a recent cyberattack, threat actors compromised 16 legitimate Chrome browser extensions, exposing over 600,000 users to data theft and credential exposure.
Attack Vector and Methodology
The attackers employed phishing campaigns targeting extension publishers, masquerading as official communications from Google Chrome Web Store Developer Support. These deceptive emails falsely claimed policy violations, urging recipients to grant permissions to a malicious OAuth application named "Privacy Policy Extension." Once access was obtained, the threat actors injected malicious code into the extensions, enabling the theft of cookies and user access tokens.
Notable Compromised Extensions
Among the affected extensions were:
Cyberhaven Data Loss Prevention Extension: Compromised on December 24, with a malicious version active for approximately 25 hours before remediation.
Internxt VPN: A virtual private network service extension.
VPNCity: Another VPN service provider's extension.
Uvoice: An extension associated with voice services.
ParrotTalks: Details about this extension are limited.
Indicators of Compromise (IoCs)
The malicious extensions communicated with a command-and-control (C&C) server hosted on the domain cyberhavenext[.]pro. Security researchers identified additional domains resolving to the same IP address, indicating a broader network of compromised extensions.
Recommendations for Users
Users who have installed any of the compromised extensions should:
Uninstall the Affected Extensions: Remove the compromised extensions immediately to prevent further data exposure.
Change Credentials: Update passwords for accounts that may have been accessed during the period the malicious extensions were active.
Monitor Account Activity: Keep an eye on account statements and activities for any unauthorized actions.
Recommendations for Developers
Extension developers are advised to:
Enhance Security Measures: Implement robust security protocols to safeguard against phishing attacks and unauthorized access.
Regularly Audit Extensions: Conduct frequent security audits of extensions to detect and address vulnerabilities promptly.
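As an added example (not code from the article or from any of the vendors named), the following Python script shows what a practical check behind both recommendation lists above could look like: it walks a Chrome profile's Extensions folder (assumed layout <id>/<version>/manifest.json), flags extensions whose name matches one the article lists, reports manifest permissions that would let injected code read cookies and session tokens, and searches each extension's scripts for the C&C domain given in the IoC section. The sample profile it builds is constructed test data, not real extension files.

```python
import json
import tempfile
from pathlib import Path

# From the article: C&C domain (defanged there as cyberhavenext[.]pro) and listed extension names.
IOC_DOMAINS = {"cyberhavenext.pro"}
COMPROMISED_NAMES = {"cyberhaven", "internxt vpn", "vpncity", "uvoice", "parrottalks"}
# Permissions that let injected code read cookies and session tokens (cookie access plus broad host access).
SENSITIVE = {"cookies", "webRequest", "<all_urls>"}

def audit_extension(ext_dir):
    """Return findings (strings) for one unpacked extension directory; empty list if nothing was flagged."""
    findings = []
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8", errors="replace"))
    name = str(manifest.get("name", ""))
    if any(n in name.lower() for n in COMPROMISED_NAMES):
        findings.append(f"name matches a listed compromised extension: {name}")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & SENSITIVE:
        findings.append(f"sensitive permissions: {sorted(perms & SENSITIVE)}")
    for path in ext_dir.rglob("*"):  # scan scripts and pages for the C&C domain, normalising "[.]" defanging
        if path.is_file() and path.suffix in {".js", ".json", ".html"}:
            text = path.read_text(encoding="utf-8", errors="replace").replace("[.]", ".")
            findings += [f"IoC domain {d} in {path.relative_to(ext_dir).as_posix()}" for d in IOC_DOMAINS if d in text]
    return findings

def audit_profile(extensions_root):
    """Audit every <id>/<version>/ directory under a profile's Extensions folder; return {ext: findings}."""
    root, results = Path(extensions_root), {}
    for manifest in root.glob("*/*/manifest.json"):
        findings = audit_extension(manifest.parent)
        if findings:
            results[manifest.parent.relative_to(root).as_posix()] = findings
    return results

def build_sample_profile():
    """Constructed sample data, not real extension files: one trojanised and one benign extension."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / "aaaaexampleid" / "1.0.0_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "VPNCity", "manifest_version": 3, "permissions": ["cookies", "storage"]}))
    (bad / "worker.js").write_text('fetch("https://cyberhavenext.pro/");')  # constructed beacon to the IoC domain
    good = root / "bbbbexampleid" / "2.1.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}))
    return root

if __name__ == "__main__":
    for ext, findings in audit_profile(build_sample_profile()).items():
        print(ext, *findings, sep="\n  ")
```

A name match alone only says the extension is on the article's list; whether the installed version was the malicious one depends on its version and install date, so treat the domain hit and the permission set as the stronger signals.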
Conclusion
This incident underscores the critical need for vigilance among both users and developers regarding browser extension security. Ensuring the integrity of extensions and being cautious of unexpected communications can significantly mitigate the risk of such compromises.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.