
Google Chrome Extensions Breached In Large-Scale Cyberattack

The breach is believed to have been initiated through a phishing campaign targeting publishers of browser extensions on the Chrome Web Store

A significant hacking campaign has compromised several Google Chrome browser extensions, exposing user data and potentially allowing attackers to steal credentials and bypass two-factor authentication (2FA). Cyberhaven, a cybersecurity firm, was among the first to confirm that its extension fell victim to the breach on December 24.

According to Howard Ting, CEO of Cyberhaven, the attackers gained access through a malicious application named “Privacy Policy Extension.” In a blog post, Ting explained, “The attacker gained requisite permissions via the malicious application and uploaded a compromised Chrome extension to the Chrome Web Store. After the customary Chrome Web Store security review process, the malicious extension was approved for publication.”

How the Attack Unfolded

The breach is believed to have been initiated through a phishing campaign targeting publishers of browser extensions on the Chrome Web Store. Hackers impersonated Google Chrome Web Store Developer Support in emails to victims, falsely claiming that their extensions violated Google’s Developer Program Policies.

The phishing email instructed recipients to click a link to accept updated policies, redirecting them instead to a page granting permissions to the malicious OAuth application, “Privacy Policy Extension.” Once permissions were granted, the attackers were able to upload compromised extensions to the Chrome Web Store.
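A defender's check for the consent grant described above, as an added example (not code from Cyberhaven or Google): it scans OAuth grant events for apps outside an allowlist that hold the Chrome Web Store publishing scope, and tracks whether each grant was later revoked. The event shape, client IDs, timestamps and allowlist are assumptions constructed for illustration; only the app name comes from the article.

```python
import json

# OAuth scope that lets an app publish Chrome Web Store items as the user.
CWS_PUBLISH_SCOPE = "https://www.googleapis.com/auth/chromewebstore"
# Hypothetical allowlist: the only client ID the release pipeline uses.
APPROVED_CLIENT_IDS = {"1111-ci.apps.googleusercontent.com"}

# Constructed sample events (assumed shape, one JSON object per line).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2025-01-10T09:00:00Z", "user": "dev1@example.com", "event": "authorize",
     "app_name": "Release CI", "client_id": "1111-ci.apps.googleusercontent.com",
     "scopes": [CWS_PUBLISH_SCOPE]},
    {"time": "2025-01-10T09:05:00Z", "user": "dev2@example.com", "event": "authorize",
     "app_name": "Privacy Policy Extension", "client_id": "9999-unknown.example",
     "scopes": ["openid", CWS_PUBLISH_SCOPE]},
    {"time": "2025-01-10T09:10:00Z", "user": "dev3@example.com", "event": "authorize",
     "app_name": "Store Stats", "client_id": "7777-stats.example",
     "scopes": [CWS_PUBLISH_SCOPE + ".readonly"]},
    {"time": "2025-01-10T09:15:00Z", "user": "dev4@example.com", "event": "authorize",
     "app_name": "Policy Helper", "client_id": "8888-helper.example",
     "scopes": [CWS_PUBLISH_SCOPE]},
    {"time": "2025-01-10T10:00:00Z", "user": "dev4@example.com", "event": "revoke",
     "app_name": "Policy Helper", "client_id": "8888-helper.example", "scopes": []},
])

def find_unapproved_publish_grants(log_text, approved=APPROVED_CLIENT_IDS):
    """Return publish-scope grants to non-allowlisted apps, in log order."""
    grants = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["user"], ev["client_id"])
        if ev["event"] == "revoke":
            # Keep revoked grants: the app could still have published earlier.
            if key in grants:
                grants[key]["active"] = False
            continue
        if ev["event"] != "authorize" or ev["client_id"] in approved:
            continue
        # Exact match, so the read-only scope variant is not flagged.
        if CWS_PUBLISH_SCOPE not in ev.get("scopes", []):
            continue
        grants[key] = {"user": ev["user"], "app": ev.get("app_name", "?"),
                       "client_id": ev["client_id"],
                       "granted_at": ev["time"], "active": True}
    return list(grants.values())

if __name__ == "__main__":
    for g in find_unapproved_publish_grants(SAMPLE_LOG):
        print(g)
```

Revoked grants stay in the output because any upload made while the grant was live still needs review.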

Broader Implications

This breach highlights the vulnerabilities within widely used platforms like the Chrome Web Store, particularly in the review and approval processes for extensions. Cyberhaven’s compromised extension raises concerns about user data security, as malicious extensions can exfiltrate sensitive information, including passwords, potentially bypassing robust security measures such as 2FA.

Industry Response

The attack underscores the critical need for heightened vigilance among developers and users alike. Experts recommend that users verify the legitimacy of extensions and be cautious when responding to emails claiming to be from official platforms. Organisations are urged to adopt stricter protocols for app permissions and implement multi-layered security measures to mitigate such risks.

Google has yet to release an official statement regarding the incident, while cybersecurity professionals continue to investigate the extent of the breach and its potential impact on affected users.
