January 1, 2025

Chrome Extension Security Breach Exposes Millions of Users to Potential Data Theft

A widespread cybersecurity incident has come to light, revealing that multiple Chrome extensions have been compromised, potentially exposing millions of users to data theft and unauthorized access. The breach, initially discovered through Cyberhaven's security investigation, highlights the vulnerability of browser extensions to sophisticated cyber attacks.

The attack targeted Chrome extension developers through a phishing campaign that allowed threat actors to inject malicious code into legitimate extensions. On December 24, Cyberhaven became one of the first confirmed victims when a phishing email compromised an employee's Google Chrome Web Store administrator account.

The malicious build of Cyberhaven's extension (version 24.10.4) was crafted to steal sensitive user information, including authentication sessions and cookies. The attackers operated a command-and-control (C&C) server at cyberhavenext[.]pro, to which the compromised extension exfiltrated data from infected browsers. Cyberhaven's security team detected and removed the malicious package within an hour of discovery and quickly published a clean version of the extension.

Subsequent investigations by cybersecurity researchers revealed the breach was part of a larger, coordinated attack methodology affecting dozens of Chrome extensions. Researchers from Nudge Security and Secure Annex identified approximately 35 compromised extensions, potentially impacting over 2.6 million users across various platforms.

The attack primarily targeted specific types of extensions, including VPN services, AI assistants, productivity tools, and browser utilities. Notable compromised extensions included Internxt VPN, VPNCity, AI Shop Buddy, and various ChatGPT-related extensions. The malicious code was designed to collect user data, with a particular focus on Facebook advertising accounts.

Cybersecurity experts warn that the implications of such breaches extend far beyond immediate data theft. Or Eshed, CEO of LayerX Security, highlighted that browser extensions are often granted extensive permissions to sensitive user information, making them a critical security vulnerability.

The attack methodology involved a carefully orchestrated phishing approach. Threat actors sent emails impersonating Google Chrome Web Store Developer Support, creating a false sense of urgency about potential extension removal. Recipients were directed to a malicious OAuth application named "Privacy Policy Extension," which granted attackers the necessary permissions to publish compromised extensions.

Users are advised to take immediate precautions, including:

  • Uninstalling suspicious extensions

  • Updating to the latest version of trusted extensions

  • Reviewing and revoking potentially compromised account tokens

  • Monitoring browser logs for suspicious activities
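The review step above is easiest when it is scripted. The following is an added example, not code from the article, Cyberhaven, or any of the named researchers: it walks Chrome's on-disk `Extensions/<id>/<version>/manifest.json` layout, flags extensions holding session- and cookie-reaching permissions (the broad access the article warns about), and checks each installed version against a watchlist. The watchlist id is a placeholder; only the 24.10.4 version string comes from the article.

```python
import json
from pathlib import Path
from typing import Dict, List

# Chrome manifest permissions that reach into sessions, cookies or page content.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed watchlist: extension id -> version reported as compromised.
# The id is a placeholder (not Cyberhaven's real id); 24.10.4 is the version named in the article.
WATCHLIST: Dict[str, str] = {"placeholderextensionid0000000000": "24.10.4"}


def assess_manifest(ext_id: str, manifest: dict) -> dict:
    """Return a review record for one extension manifest."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    findings: List[str] = []
    version = manifest.get("version")
    if WATCHLIST.get(ext_id) == version:
        findings.append(f"version {version} is on the compromised watchlist")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("sensitive permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    return {"id": ext_id, "name": manifest.get("name"), "version": version,
            "findings": findings, "review": bool(findings)}


def audit_extensions_dir(root: Path) -> List[dict]:
    """Audit every manifest under <profile>/Extensions/<id>/<version>/manifest.json."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        results.append(assess_manifest(ext_id, manifest))
    return results


if __name__ == "__main__":
    # Replace with the real profile path, e.g. ~/.config/google-chrome/Default/Extensions
    for record in audit_extensions_dir(Path("Extensions")):
        flag = "REVIEW" if record["review"] else "ok"
        print(f"{flag:6} {record['id']} {record['name']} {record['version']}: {record['findings']}")
```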

While Google has not yet provided comprehensive comments on the widespread breach, the incident underscores the critical need for enhanced security measures in browser extension ecosystems. Cybersecurity researchers continue to investigate the full scope and origin of the attack, with preliminary findings suggesting a coordinated campaign potentially targeting specific user demographics.

The incident serves as a stark reminder of the ongoing challenges in maintaining digital security and the importance of vigilant user behavior in protecting personal information online.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.