Wednesday, January 1, 2025

Google Chrome 2FA Bypass Attack Confirmed—What You Need To Know


Hackers don’t take holidays, as a series of compromises of Google Chrome browser extensions dating back to mid-December and continuing through the seasonal break would attest. Here’s everything you need to know about the ongoing Google Chrome two-factor authentication bypass attacks.


The Latest Google Chrome Browser Extension Attacks Explained

As reported Dec. 27 by Reuters, “hackers have compromised several different companies’ Chrome browser extensions in a series of intrusions.” That threat actors are using Chrome extensions as an attack methodology is nothing new, but the extent of this latest campaign would appear to show how determined hackers are to steal session cookies and bypass your two-factor authentication protections.

Although being just one part of what would appear to be a coordinated and wide-reaching campaign to target Chrome extensions, the attack against security company Cyberhaven is worth looking at as it both explains the potential dangers of such attacks and provides an insight into how quickly responding to them is key.

“Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension,” Howard Ting, CEO of the data attack detection and incident response company, said in a security alert posting, “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”


The Cyberhaven Chrome Extension Attack

The attack against Cyberhaven customers started Dec. 24, when a phishing attack successfully compromised an employee. Importantly, this compromise gave the attacker access to the account used to publish to the Google Chrome Web Store. “The attacker used these credentials to publish a malicious version of our Chrome extension,” Ting confirmed. The malicious extension wasn’t discovered until late on Dec. 25, after which it was removed within 60 minutes.

A preliminary investigation into the attack revealed that the initial access vector was by way of a phishing email sent to the registered support email for Cyberhaven’s Chrome extension, targeting the developers. Cyberhaven has made this email available so as to warn others of what such an initial attack looks like.

When the victim clicked on the link, they were taken into the Google authorization flow for “adding a malicious OAuth Google application called Privacy Policy Extension,” Cyberhaven said. The consent page was hosted on Google.com and is part of the standard process for granting third-party applications access to a Google account; in this case, completing it authorized a malicious application. “The employee had Google Advanced Protection enabled and had MFA covering his account,” Cyberhaven said. Because the employee granted an OAuth permission rather than entering a password, no multi-factor authentication prompt was received and the employee’s Google credentials were not compromised in the attack. A malicious extension (24.10.4), based on a clean prior version of the official Cyberhaven Chrome extension, was then uploaded to the Chrome Web Store.


Chrome Extension 2FA Bypass Attack—Impact, Scope And Response

According to Ting, the impact and scope of the Cyberhaven Chrome extension attack is as follows:

The only version of the Chrome extension impacted was 24.10.4, with the malicious code only being active between Christmas Day and Boxing Day. Only customers using Chrome-based browsers that auto-updated during the period of the attack would have been affected.

For those browsers that were running the compromised extension, however, Cyberhaven has confirmed that it “could have exfiltrated cookies and authenticated sessions for certain targeted websites.” The initial investigation suggests that the targeted logins were social media advertising and AI platforms.

“Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised,” Ting said.

Affected customers were notified by Cyberhaven, along with those not known to be impacted, in the interest of complete transparency. The malicious Chrome extension was removed from the Chrome Web Store, and a secure version, 24.10.5, was automatically deployed. “For customers running version 24.10.4 of our Chrome extension during the affected period,” Ting said, “we strongly recommend verifying your extension has updated to version 24.10.5 or newer.” I have approached Google for a statement.
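One way to carry out the version check recommended above across a fleet, as an added example that is not Cyberhaven’s or Google’s own code: Chrome stores each installed extension under `<profile>/Extensions/<extension id>/<version>_N/manifest.json`, and the manifest’s `version` field is the authoritative installed version. The script below walks that layout, compares each installed version numerically against the compromised build (24.10.4) and the fixed build (24.10.5) named in the article, and reports which copies still need attention. The extension id is a placeholder (the article does not give it), and the profile directory is a constructed sample so the example runs offline.

```python
import json
import tempfile
from pathlib import Path

# Versions as reported in the article: 24.10.4 carried the malicious code,
# 24.10.5 is the clean release that replaced it.
COMPROMISED_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"


def parse_version(v: str) -> tuple:
    """Chrome extension versions are one to four dot-separated integers.
    Compare numerically (not as strings) and pad short versions with zeros
    so that '24.10' sorts as '24.10.0.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a valid extension version: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version: str) -> str:
    """Label an installed version relative to the incident window:
    'compromised' for the malicious build, 'fixed' for 24.10.5 or newer,
    'outdated' for older clean builds that have not yet auto-updated."""
    pv = parse_version(version)
    if pv == parse_version(COMPROMISED_VERSION):
        return "compromised"
    if pv >= parse_version(FIXED_VERSION):
        return "fixed"
    return "outdated"


def scan_extension(profile_dir: Path, extension_id: str) -> dict:
    """Return {installed_version: classification} for every copy of the
    extension found under <profile>/Extensions/<id>/<version>_N/manifest.json.
    Chrome may keep more than one version directory during an update."""
    results = {}
    ext_root = profile_dir / "Extensions" / extension_id
    if not ext_root.is_dir():
        return results
    for manifest in ext_root.glob("*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            version = str(data["version"])
        except (OSError, ValueError, KeyError):
            # Unreadable or malformed manifest: report it rather than skip it.
            results[manifest.parent.name] = "unreadable"
            continue
        results[version] = classify(version)
    return results


def build_sample_profile(root: Path, extension_id: str, versions) -> Path:
    """Constructed sample profile: lays out manifests the way Chrome does,
    one '<version>_0' directory per installed version."""
    for v in versions:
        ext_dir = root / "Extensions" / extension_id / f"{v}_0"
        ext_dir.mkdir(parents=True)
        manifest = {"manifest_version": 3, "name": "sample extension", "version": v}
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def demo() -> dict:
    """Scan a constructed profile holding three versions of a placeholder extension."""
    extension_id = "EXTENSION_ID_PLACEHOLDER"  # placeholder: not the real id
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp), extension_id,
                                       ["24.10.3", "24.10.4", "24.10.5"])
        return scan_extension(profile, extension_id)


if __name__ == "__main__":
    for version, status in sorted(demo().items(), key=lambda kv: parse_version(kv[0])):
        print(f"{version}: {status}")
```

To run it against a real machine, point `scan_extension` at the browser profile directory (for example `Default` under the Chrome user-data directory) and substitute the extension id shown on the extension’s Chrome Web Store page; any profile still reporting `compromised` or `outdated` has not picked up the 24.10.5 update the vendor recommends verifying.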

