Cyberattack Hits Legit Chrome Extensions, Exposes Sensitive User Data
A coordinated cyberattack compromised at least five Google Chrome extensions, injecting malicious code designed to steal sensitive user information, as reported by Bleeping Computer.
In a Rush? Here are the Quick Facts!
- Cyberhaven disclosed the breach on December 24 after a phishing attack targeted its account.
- Malicious code in Cyberhaven’s extension stole sessions and cookies, sending data to attackers.
- Major companies like Snowflake, Motorola, and Reddit were affected by the breach.
The breach was first disclosed on December 24 by Cyberhaven, a data loss prevention company, which alerted its customers after a phishing attack successfully targeted an administrator account for the Chrome Web Store.
Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension. Here’s our post about the incident and the steps we’re taking: https://t.co/VTBC73eWda
Our security team is available 24/7 to assist affected customers and…
— Cyberhaven (@CyberhavenInc) December 27, 2024
Bleeping Computer explains that the attack enabled the hacker to hijack the admin’s account and publish a malicious version of the Cyberhaven extension. This version included code that could steal authenticated sessions and cookies, sending them to the attacker’s domain.
Among Cyberhaven’s clients affected by the breach are major companies such as Snowflake, Motorola, Canon, Reddit, and Kirkland & Ellis. Cyberhaven’s internal security team removed the malicious extension within an hour of detection, as reported by Bleeping Computer.
Cyberhaven attributes the attack to a phishing email, stating in a separate technical analysis that the code seemed to be specifically designed to target Facebook Ads accounts.
TechCrunch noted that the Chrome Web Store lists approximately 400,000 corporate users for the Cyberhaven extension. When TechCrunch inquired, Cyberhaven declined to disclose the number of affected customers it had notified about the breach.
In response, a clean version of the extension was published on December 26. Cyberhaven advised its users to upgrade to this latest version and to take additional precautions, such as verifying that the extension has been updated to version 24.10.5 or newer.
Additionally, Cyberhaven advises users to revoke and rotate any passwords that are not protected by FIDOv2, and to review browser logs for any suspicious activity.
Bleeping Computer notes that the incident extended beyond Cyberhaven’s extension, with further investigations revealing that several other Chrome extensions were also affected. Nudge Security researcher Jaime Blasco traced the attack’s origins by analyzing the attacker’s IP addresses and domains.
Regarding the Cyberhaven Chrome extension compromise, I have reasons to believe there are other extensions affected. Pivoting by the IP address, there are more domains created within the same time range resolving to the same IP address as cyberhavenext[.]pro (cont)
— Jaime Blasco (@jaimeblascob) December 27, 2024
Blasco confirmed that the malicious code snippet was injected into several extensions around the same time, as reported by Bleeping Computer.
These include Internxt VPN (10,000 users); VPNCity, a privacy-focused VPN service (50,000 users); Uvoice, a rewards-based service (40,000 users); and ParrotTalks, a note-taking tool (40,000 users).
Bleeping Computer says that while Blasco identified additional potential victims, only the extensions listed above have been confirmed to contain the malicious code. Users of these affected extensions are urged to either remove them or ensure they update to the safe versions released after December 26.
Users who are unsure whether their extensions are safe are advised to uninstall the affected extensions, reset important passwords, clear browser data, and restore browser settings to their defaults.
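The advice above (confirm the Cyberhaven extension is at version 24.10.5 or newer, and make sure other affected extensions are on the versions released after December 26) can be checked on an endpoint by reading the manifest of every installed extension in a Chrome profile and comparing its version against a known-clean minimum. The following script is an added example, not code from Cyberhaven or from the article; the 24.10.5 threshold comes from the article, but the extension IDs in the table are placeholders (the article does not list them), and the sample manifests are constructed for the demonstration. Chrome stores installed extensions under `<profile>/Extensions/<id>/<version>/manifest.json` on all platforms.

```python
"""Flag installed Chrome extensions whose version predates a known-clean release.

Added example: walks a Chrome profile's Extensions directory, reads each
manifest.json and reports extensions whose installed version is older than
the minimum clean version recorded for that extension ID.
"""
import json
from pathlib import Path

# Minimum clean versions keyed by Chrome Web Store extension ID.
# The 24.10.5 threshold for Cyberhaven is from the advisory; the ID is a
# PLACEHOLDER (the article does not give it). Fill in real IDs from
# chrome://extensions and add the other affected extensions as their
# post-December-26 clean versions are confirmed.
MIN_SAFE_VERSION = {
    "cyberhaven-extension-id-placeholder": "24.10.5",
}


def parse_version(version):
    """Split a dotted version string into a tuple of ints so that
    24.10.5 compares greater than 24.9.12 (string comparison would not)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed, minimum):
    """True when installed < minimum, comparing component-wise and padding
    shorter versions with zeros so that 24.10 equals 24.10.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_manifests(manifests, thresholds=MIN_SAFE_VERSION):
    """manifests: iterable of (extension_id, manifest_dict).
    Returns a list of (extension_id, name, installed, minimum) for every
    extension that is below its recorded clean version."""
    findings = []
    for ext_id, manifest in manifests:
        minimum = thresholds.get(ext_id)
        if minimum is None:
            continue  # not an extension we are tracking
        installed = manifest.get("version", "0")
        if is_outdated(installed, minimum):
            findings.append((ext_id, manifest.get("name", "?"), installed, minimum))
    return findings


def iter_installed_manifests(profile_dir):
    """Yield (extension_id, manifest) for each extension under a Chrome profile.
    Typical profile paths: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default
    (Windows), ~/Library/Application Support/Google/Chrome/Default (macOS),
    ~/.config/google-chrome/Default (Linux)."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in ext_root.iterdir():
        if not ext_dir.is_dir():
            continue
        for version_dir in ext_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if manifest_path.is_file():
                with open(manifest_path, encoding="utf-8") as fh:
                    yield ext_dir.name, json.load(fh)


# Constructed sample manifests (not real data) so the check runs offline.
SAMPLE_MANIFESTS = [
    ("cyberhaven-extension-id-placeholder", {"name": "Cyberhaven", "version": "24.10.4"}),
    ("unrelated-extension-id-placeholder", {"name": "Unrelated", "version": "1.2.3"}),
]

if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for iter_installed_manifests("<profile path>")
    # to scan a real profile.
    for ext_id, name, installed, minimum in check_manifests(SAMPLE_MANIFESTS):
        print(f"{name} ({ext_id}): installed {installed} is older than clean {minimum}")
```

A hit from this check means the extension should be updated or removed, and the rest of the advisory's steps (credential rotation, a review of browser logs) should follow, since an outdated copy may already have exfiltrated session data before it was replaced.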