In late December, a significant cyber threat was detected when Cyberhaven, a notable cybersecurity firm, fell victim to a phishing attack. The culprits targeted Chrome extension publishers via deceptive emails that feigned urgency, warning the recipients about potential removal from the Chrome Web Store due to policy violations. This cunning approach led to the unauthorized access of extension developers’ accounts, paving the way for the attackers to inject malicious code into these extensions.
Or Eshed, CEO of LayerX Security, highlighted the vulnerability, stating, “Browser extensions are the soft underbelly of web security.” He underscored the extensive permissions these extensions often require, accessing sensitive user data such as cookies and identity information.
The Scope of the Breach
The hacked extensions included widely-used tools such as AI assistants, VPN services, and various utility extensions designed to enhance browser functionality. Some notable names affected were:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
This breach not only compromised the privacy of over 600,000 users but also exposed them to data theft: stolen session cookies and authentication tokens let an attacker reuse a victim's logged-in sessions and so bypass the web security measures that protect those accounts.
Investigative Findings and Ongoing Threats
John Tuckner, founder of Secure Annex, provided insights into the investigation, revealing that the malicious code used in the Cyberhaven incident was linked to other compromised extensions. He discovered connections to domains that were registered much earlier, suggesting that this campaign might have been active long before it was uncovered.
The compromised extensions communicated with a command-and-control server, which facilitated further malicious activities such as downloading harmful configuration files and exfiltrating user data. Removing the malicious versions from the Chrome Web Store does not uninstall them from browsers that already received the update, so the danger persists on affected endpoints. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” warned Or Eshed.
The Industry’s Response and Preventative Measures
The cybersecurity community has rallied to address this severe breach by enhancing the security measures surrounding browser extensions. Security experts emphasize that users and organizations must be vigilant about the extensions they install, regularly audit the extensions present in their browsers, and review the permissions those extensions hold.
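The audit the experts call for can be started from the extension manifests Chrome keeps on disk. The script below is an added example written for this article, not code from Cyberhaven, LayerX, Secure Annex or Nudge Security; it flags the permission combination the article describes (cookie or identity access plus host access to every site), and the sample manifest it carries is constructed, not one of the extensions listed above.

```python
import json
from pathlib import Path

# Chrome API permissions that expose session cookies, identity data or page
# content: the data classes the article says a hijacked extension could reach.
SENSITIVE_PERMISSIONS = {"cookies", "identity", "webRequest", "webRequestBlocking",
                         "scripting", "tabs", "history", "clipboardRead"}
# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Combined with a broad host pattern, these are enough to harvest session tokens.
TOKEN_THEFT_PERMISSIONS = {"cookies", "identity", "webRequest", "scripting"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise the risk-relevant parts of one extension manifest."""
    declared = set(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in "host_permissions"; Manifest V2 mixes
    # them into "permissions", so collect from both places.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in declared if "/" in p or p == "<all_urls>"}
    sensitive = sorted(declared & SENSITIVE_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    high = bool(broad) and bool(declared & TOKEN_THEFT_PERMISSIONS)
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "sensitive_permissions": sensitive,
        "broad_hosts": broad,
        "risk": "high" if high else ("review" if sensitive or broad else "low"),
    }


def audit_profile(extensions_dir: Path) -> list:
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json on disk."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with manifest_path.open(encoding="utf-8") as fh:
            report = audit_manifest(json.load(fh))
        report["extension_id"] = manifest_path.parents[1].name  # <id> directory
        findings.append(report)
    return findings


# Constructed sample manifest (not a real extension), in the shape a browser
# AI-assistant extension typically declares.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example AI Assistant", "version": "1.2.3",
    "permissions": ["cookies", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
}
```

Point audit_profile at a profile's Extensions directory (on Linux, for example, ~/.config/google-chrome/Default/Extensions) and compare the reported extension IDs and versions against the compromised versions published by the investigators; a "high" rating alone means the extension could steal sessions if hijacked, not that it has been.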
Jaime Blasco, CTO of Nudge Security, pointed out that additional domains were discovered, all resolving to the same IP address used by the attackers, indicating an extensive infrastructure set up for long-term data exploitation.
This incident serves as a stark reminder of the vulnerabilities inherent in the digital tools we often take for granted. It underscores the need for continuous vigilance and enhanced security protocols to protect user data from such sophisticated cyber threats. As we await further updates from ongoing investigations, the cybersecurity community remains on high alert, working to safeguard the integrity of our digital experience against an ever-evolving threat landscape.