Hackers injected malicious code into multiple Chrome extensions this month, using a phishing campaign to breach developer accounts. Cyberhaven, a cybersecurity company whose extension was compromised, confirmed the incident began on December 24. The attackers uploaded a modified version of Cyberhaven’s extension that targeted login credentials for social media advertising and AI platforms.
The breach started when a Cyberhaven employee fell victim to a phishing attack, giving attackers access to the company’s Chrome Web Store account. Once inside, the hackers deployed a tampered version of Cyberhaven’s browser extension. Howard Ting, Cyberhaven’s CEO, revealed in a blog post that the extension was compromised for less than an hour before being removed. Users with auto-updating browsers during that time were potentially exposed.
Cyberhaven notified its customers of the incident in an email on December 26, which was obtained by TechCrunch. The company advised users to revoke and rotate their passwords, ensure their extension was updated to version 24.10.5 or newer, and review logs for suspicious activity. The email detailed how the malicious extension captured cookies, user IDs, and authenticated session data, and added a mouse click listener to help attackers bypass two-factor authentication (2FA).
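The version check from Cyberhaven's email, as an added example (not code from Cyberhaven or the original article): it scans a Chrome user data directory and flags installed copies of the extension older than 24.10.5, comparing versions numerically rather than as strings. The extension ID is a placeholder because the article does not give it, and the profile tree and its version numbers are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

MIN_SAFE = "24.10.5"                 # minimum version named in the customer email
EXT_ID = "EXTENSION_ID_PLACEHOLDER"  # assumption: the article does not give the ID

def parse_version(v):
    """Chrome extension versions are 1-4 dot-separated integers; pad to 4."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def find_outdated(user_data_dir, ext_id=EXT_ID, min_safe=MIN_SAFE):
    """Return sorted (profile, version) pairs for copies older than min_safe."""
    floor = parse_version(min_safe)
    hits = []
    # Layout: <user data dir>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    for manifest in Path(user_data_dir).glob(f"*/Extensions/{ext_id}/*/manifest.json"):
        profile = manifest.parents[3].name
        try:
            version = str(json.loads(manifest.read_text(encoding="utf-8"))["version"])
            if parse_version(version) < floor:
                hits.append((profile, version))
        except (ValueError, KeyError, OSError):
            hits.append((profile, "unreadable"))  # surface it for manual review
    return sorted(hits)

def build_sample(root):
    """Constructed profile tree for the demo; these version numbers are made up."""
    samples = [("Default", "24.9.12"), ("Profile 1", "24.10.5"), ("Profile 2", "24.10")]
    for profile, version in samples:
        d = Path(root) / profile / "Extensions" / EXT_ID / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": version}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for profile, version in find_outdated(build_sample(tmp)):
            print(f"{profile}: {version} is older than {MIN_SAFE}")
```

A plain string comparison would rank "24.9.12" above "24.10.5" and miss the outdated copy in the sample, which is why the versions are parsed into integer tuples first.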
Reuters reports that this attack is part of a larger campaign targeting multiple Chrome extensions, including tools like ParrotTalks, Uvoice, and VPNCity. Jaime Blasco, CTO of Nudge Security, described the effort as an opportunistic attempt to harvest sensitive data at scale by compromising extensions related to artificial intelligence and VPN services.
Cyberhaven, which counts Motorola, Reddit, and Snowflake among its clients, acted swiftly to mitigate the breach by releasing a clean version of the extension. The company’s extension serves approximately 400,000 corporate users, amplifying the potential impact of the attack.
This campaign reportedly began as early as mid-December, with other extensions being affected weeks before the attack on Cyberhaven. These incidents highlight vulnerabilities in browser extensions, which often serve as essential tools for businesses and consumers alike.
Cybersecurity experts are urging developers to adopt advanced authentication methods and encouraging users to remain vigilant about extension updates and unusual account activity to reduce the risk of similar attacks.
This incident exposes persistent vulnerabilities in browser extensions, which are essential tools for personal and professional workflows. Developers must strengthen security measures, and users should stay vigilant about updates and monitor their accounts for suspicious activity. The attack also raises important questions about the adequacy of protections in commonly used digital tools, emphasizing the shared responsibility of companies and individuals to improve cybersecurity.
Source: https://digitalmarketreports.com/news/31767/hackers-use-chrome-extensions-to-steal-user-data/