Dozens of Chrome extensions hacked, exposing millions of users to data theft

A new attack campaign targeted well-known Chrome browser extensions, resulting in at least 35 extensions being compromised and over 2.6 million users being exposed to data compromise and credential theft.

The attack targeted browser extension publishers in the Chrome Web Store via a phishing campaign and used their access permissions to inject malicious code into legitimate extensions to steal cookies and user access tokens.

The first company to shed light on the campaign was cybersecurity firm Cyberhaven, whose employee was the target of a phishing attack on December 24 that allowed threat actors to release a malicious version of the extension.

On December 27, Cyberhaven announced that a threat actor had compromised its browser extension and injected malicious code that communicates with an external command and control (C&C) server on the cyberhavenext(.)pro domain, downloads additional configuration files, and exfiltrates user data.

The phishing email, which purported to come from Google Chrome Web Store developer support, sought to create a false sense of urgency by claiming that the recipient's extension was in imminent danger of being removed from the store for violating the developer program guidelines.

The recipient was asked to click a link to accept the guidelines, which redirected them to a page granting permissions to a malicious OAuth application called “Privacy Policy Extension.”

“The attacker gained the necessary permissions through the malicious application (“Privacy Policy Extension”) and uploaded a malicious Chrome extension to the Chrome Web Store,” Cyberhaven said in a separate technical article. “After the usual Chrome Web Store security review process, the malicious extension was approved for publication.”

“Browser extensions are the weak underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice they are often granted broad permissions to sensitive user information such as cookies, access tokens, identity information, and more.

“Many organizations don’t even know what extensions they have installed on their endpoints and are unaware of the extent of their exposure.”

Jaime Blasco, CTO of SaaS security company Nudge Security, identified additional domains that resolve to the same IP address as the C&C server used in the Cyberhaven breach.

Further investigation has uncovered additional extensions (listed in a Google Sheets document) suspected of being compromised, according to browser extension security platforms Secure Annex and Extension:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 summary with OpenAI
  • Search for Copilot AI Assistant for Chrome
  • TinaMind AI assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vidnoz Flex video recorder
  • VidHelper video downloader
  • Bookmark favicon changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Conversations
  • Prime
  • Tackker – online keylogger tool
  • AI Shop Buddy
  • Sort by “Oldest”
  • Rewards Search Automator
  • ChatGPT Assistant – Smart Search
  • Keyboard history recorder
  • Email Hunter
  • Visual effects for Google Meet
  • Earny – Up to 20% cashback
  • Where’s Cookie?
  • Web Mirror
  • ChatGPT app
  • Hello AI
  • Web3Password Manager
  • JaCaptcha Assistant
  • Proxy SwitchyOmega (V3)
  • GraphQL network inspector
  • ChatGPT for Google Meet

These additional compromised extensions indicate that Cyberhaven was not a one-off target, but rather part of a large-scale attack campaign targeting legitimate browser extensions.

Secure Annex founder John Tuckner told The Hacker News that the campaign may have been running since April 5, 2023, and likely even earlier based on the registration dates of the domains used: nagofsg(.)com was registered in August 2022 and sclpfybn(.)com in July 2021.

“I linked the same code that was present in the Cyberhaven attacks with related code (let’s say Code1) in an extension called ‘Reader Mode,’” Tuckner said. “The ‘Reader Mode’ code contained the Cyberhaven attack code (Code1) and an additional indicator of compromise, ‘sclpfybn(.)com’, with its own additional code (Code2).”

“Moving to this domain led me to the seven new extensions. One of these related extensions, called ‘Rewards Search Automator’, had (Code2) that masqueraded as ‘safe browsing’ functionality but exfiltrated data.”

“‘Rewards Search Automator’ also included masked ‘e-commerce’ functionality (Code3) with a new domain, ‘nagofsg(.)com’, which is functionally incredibly similar to ‘Safe-Browsing’. As I searched further on this domain, I found ‘Earny – Up to 20% Cashback’, which still contains the ‘E-Commerce’ code (Code3) and was last updated on April 5, 2023.”

As for the compromised Cyberhaven add-on, analysis suggests that the malicious code targeted identity data and access tokens from Facebook accounts, with the apparent aim of exfiltrating data from users of Facebook Ads.

It also included code that listened for mouse click events on the facebook(.)com website: on every click, it looked for images whose src attribute contains the substring “qr/show/code” and, if found, sent them to the C&C server. The intent is believed to have been to capture QR codes in order to bypass security controls such as two-factor authentication (2FA) prompts.

User data collected by the compromised Cyberhaven browser extension (Source: Cyberhaven)

According to Cyberhaven, the malicious version of the browser extension was removed approximately 24 hours after it was released. Some of the other disclosed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact that the extension has been removed from the Chrome Web Store doesn’t mean the threat is over, says Or Eshed. “As long as the compromised version of the extension is still active on the endpoint, hackers can continue to access it and exfiltrate data,” he says.
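Because a store takedown does not touch copies already installed on endpoints, the practical follow-up is to inventory installed extensions locally and check their bundled files for the campaign's indicators. The script below is an added example, not tooling from Cyberhaven, Secure Annex or any vendor named in the article: it walks Chrome's standard `Extensions/<extension id>/<version>/` layout (the per-OS profile paths are assumed), reads each `manifest.json` for the name and version, and flags any extension whose JavaScript, JSON or HTML references the de-fanged C&C domains quoted above (cyberhavenext(.)pro, nagofsg(.)com, sclpfybn(.)com). The sample extension tree it builds for the demo is constructed, with placeholder IDs and versions, so it runs offline.

```python
"""Inventory installed Chrome extensions and flag ones referencing known C&C domains.

Added example (not Cyberhaven's or Secure Annex's code). Assumes Chrome's standard
<profile>/Extensions/<extension id>/<version>/manifest.json layout.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# De-fanged domains quoted in the article, written plainly so they can be matched.
IOC_DOMAINS = ("cyberhavenext.pro", "nagofsg.com", "sclpfybn.com")
IOC_PATTERN = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".json", ".html"}


def default_chrome_extension_dirs() -> list[Path]:
    """Assumed default locations of the Default profile's Extensions folder per OS."""
    home = Path.home()
    candidates = [
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",   # Windows
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        home / ".config/google-chrome/Default/Extensions",                   # Linux
    ]
    return [p for p in candidates if p.is_dir()]


def scan_extension_version(version_dir: Path) -> dict:
    """Read manifest.json in <id>/<version>/ and grep the bundled files for IoC domains."""
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        manifest = {}
    hits = []
    for path in version_dir.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in IOC_PATTERN.finditer(text):
            hits.append((str(path.relative_to(version_dir)), match.group(0).lower()))
    return {
        "id": version_dir.parent.name,
        "name": manifest.get("name", "<unknown>"),
        "version": manifest.get("version", version_dir.name),
        "hits": hits,
    }


def scan_extensions_root(root: Path) -> list[dict]:
    """Scan every <id>/<version>/ directory under an Extensions folder."""
    return [scan_extension_version(m.parent) for m in sorted(root.glob("*/*/manifest.json"))]


def flagged(results: list[dict]) -> list[dict]:
    """Keep only extensions whose files referenced at least one IoC domain."""
    return [r for r in results if r["hits"]]


def build_sample_root(base: Path) -> Path:
    """Constructed sample tree: one clean extension, one whose background script
    references a campaign domain. IDs and versions are placeholders, not real ones."""
    root = base / "Extensions"
    clean = root / "placeholder-clean-extension-id" / "1.0.0"
    clean.mkdir(parents=True)
    (clean / "manifest.json").write_text(json.dumps({"name": "Clean Sample Extension", "version": "1.0.0"}))
    (clean / "background.js").write_text('fetch("https://example.com/api");\n')
    bad = root / "placeholder-trojaned-extension-id" / "1.0.1"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Trojaned Sample Extension", "version": "1.0.1"}))
    (bad / "background.js").write_text('const endpoint = "https://CyberhavenExt.pro/";\n')
    return root


def demo() -> list[dict]:
    """Build the constructed sample tree in a temp dir and return the flagged entries."""
    return flagged(scan_extensions_root(build_sample_root(Path(tempfile.mkdtemp(prefix="ext-scan-")))))


if __name__ == "__main__":
    # Scan a directory given on the command line, else the default Chrome profile locations.
    roots = [Path(sys.argv[1])] if len(sys.argv) > 1 else default_chrome_extension_dirs()
    for root in roots:
        for r in flagged(scan_extensions_root(root)):
            print(f"FLAGGED {r['name']} {r['version']} ({r['id']}): {r['hits']}")
```

Run it with no arguments to scan the default Chrome profile, or pass another `Extensions` directory (a mounted image, an EDR file collection) as the first argument. Matching on the embedded domain string is deliberately simple: it catches the known indicators but not renamed infrastructure, so treat a clean result as "no known IoC found" rather than "safe".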

It has since also emerged that the presence of data collection code in some extensions was not the result of a compromise, but was likely inserted by the developers themselves as part of a monetization software development kit (SDK) that also secretly exfiltrated detailed browsing data.

“Before the Google Meet visual effects developer sold his extension to Karma, he tried to monetize it with this ‘ad blocking library,’” said security researcher Vladimir Palant. “The sales pitch doesn’t mention who is developing the library, but everything points to Urban VPN.”

At this point it is unclear who is behind the campaign and whether these compromises are related to it. The Hacker News has reached out to Google for further comment and we will update the story if we hear back.

(The story was updated after publication to revise the list of affected extensions and include comments from Secure Annex.)
