Massive Chrome Hack: 35 Extensions Compromised, Exposing 2.6 Million Users to Data Theft

Chrome Extension Developers Targeted in Massive Phishing Campaign

A phishing campaign has compromised at least 35 Chrome browser extensions with a combined install base of roughly 2.6 million users. The campaign began in March 2024 and intensified in December; rather than attacking the extensions' users directly, it targeted the developer accounts that publish the extensions, including one belonging to the cybersecurity firm Cyberhaven.

Attack Methodology
The attackers ran a consent-phishing chain built on OAuth. Emails styled as Google notices, sent from lookalike domains such as supportchromestore.com and forextensions.com, claimed that the recipient's extension violated Chrome Web Store policy. Developers who clicked the "Go To Policy" button landed on a genuine Google sign-in and consent page, not a counterfeit one; what the page asked them to authorize was a third-party OAuth application named "Privacy Policy Extension" that the attackers controlled. Granting that consent gave the attackers' application the ability to publish new versions of the developer's extensions, without the attackers ever seeing the developer's password.
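The point of the lure is that the sign-in page is real; the danger lies in the query string that tells Google which client to authorize, for which scopes, and where to send the result. As an added example (not code from the article, from Google, or from Cyberhaven), the Node.js check below pulls those fields out of a consent URL so a developer can see what clicking "Allow" would grant. The URL, the client_id and the redirect on the supportchromestore.com domain named above are constructed; the scope string https://www.googleapis.com/auth/chromewebstore is the real Chrome Web Store API scope, but the article does not say which scopes the attackers requested, so treating a publish scope handed to a third-party redirect as the decisive indicator is this example's assumption.

```javascript
// Added example, not from the article. Inspects a Google OAuth consent URL and
// reports what the user would actually be authorizing. The consent page
// (accounts.google.com) is genuine; the third-party client behind it may not be.
// ASSUMPTION: "Chrome Web Store publish scope + third-party redirect" is the
// combination to refuse; the article does not name the scopes used.

const CWS_PUBLISH_SCOPE = "https://www.googleapis.com/auth/chromewebstore";

// Hosts Google itself operates. A redirect_uri anywhere else means the
// authorization code (and therefore the token) is delivered to a third party.
const GOOGLE_SUFFIXES = ["google.com", "googleapis.com", "googleusercontent.com"];

function isGoogleHost(hostname) {
  const h = (hostname || "").toLowerCase();
  // Exact match or a real subdomain; "google.com.evil.example" must not pass.
  return GOOGLE_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

function inspectConsentUrl(rawUrl) {
  const url = new URL(rawUrl);
  const params = url.searchParams; // decodes %20 and '+' in the scope list
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);

  let redirectHost = null;
  try {
    const redirect = params.get("redirect_uri");
    redirectHost = redirect ? new URL(redirect).hostname : null;
  } catch (e) {
    redirectHost = null; // malformed redirect_uri: treat as an unknown third party
  }

  const thirdPartyRedirect = !isGoogleHost(redirectHost);
  const wantsPublish = scopes.includes(CWS_PUBLISH_SCOPE);

  const findings = [];
  if (!isGoogleHost(url.hostname)) {
    findings.push("consent page itself is not on a Google host");
  }
  if (wantsPublish) {
    findings.push("requests permission to publish Chrome Web Store extensions");
  }
  if (thirdPartyRedirect) {
    findings.push(`authorization is granted to a third-party app (redirect host: ${redirectHost})`);
  }

  return {
    clientId: params.get("client_id"),
    scopes,
    redirectHost,
    findings,
    // A genuine Google page can still be a trap: a publish scope going to a
    // non-Google redirect is the case a developer should refuse.
    suspicious: wantsPublish && thirdPartyRedirect,
  };
}

// Constructed URL modelled on the lure: real Google consent endpoint, a client
// whose redirect lands on a lookalike domain, and the publish scope. The
// client_id is made up.
const LURE_CONSENT_URL =
  "https://accounts.google.com/o/oauth2/v2/auth" +
  "?client_id=1234567890-example.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fsupportchromestore.com%2Fcallback" +
  "&response_type=code" +
  "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore%20openid%20email" +
  "&access_type=offline";

console.log(JSON.stringify(inspectConsentUrl(LURE_CONSENT_URL), null, 2));
```

Run with `node consent-check.js`. A legitimate third-party login (for example, an `openid email` request from an unrelated web app) is still reported as a third-party grant, which is correct and expected; it is only marked `suspicious` when the grant would let that third party publish to the Chrome Web Store.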

Impact and Scope
– 35 confirmed compromised extensions
– Approximately 2.6 million affected users
– Multiple domains pre-registered for targeted extensions
– Campaign active since March 2024

Malicious Modifications
With that publishing access in hand, the attackers uploaded new versions of the extensions to the Chrome Web Store. Because Chrome updates installed extensions automatically, the malicious builds reached users without any action on their part. Each tampered version added two files:
– worker.js
– content.js
These files contained code designed to steal Facebook data, including:
– User IDs
– Access tokens
– Account information
– Ad account details
– Business account data
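Since the malicious versions arrived through ordinary automatic updates, the practical place to catch this kind of tampering is a review of what changed between two published versions of an extension. The Node.js audit below is an added example, not code from the article, from Cyberhaven or from any affected extension: it compares two constructed packages (a file list plus the parsed manifest.json) and flags new script files, a newly introduced background service worker, new content scripts and widened permissions. Only the file names worker.js and content.js mirror the article; the manifests, the facebook.com match pattern and the list of permissions treated as sensitive are this example's assumptions.

```javascript
// Added example, not from the article. Diffs two versions of a Chrome extension
// package and flags changes that introduce code running without user interaction.
// ASSUMPTION: the two packages below are constructed; only the added file names
// worker.js and content.js follow the article.

const V1 = {
  files: ["manifest.json", "popup.html", "popup.js", "icons/128.png"],
  manifest: {
    manifest_version: 3,
    name: "Example Extension",
    version: "1.4.0",
    permissions: ["storage"],
    action: { default_popup: "popup.html" },
  },
};

// Constructed "compromised" build: a patch-level bump that quietly adds a
// service worker, a content script on facebook.com and the cookies permission.
const V2 = {
  files: ["manifest.json", "popup.html", "popup.js", "icons/128.png", "worker.js", "content.js"],
  manifest: {
    manifest_version: 3,
    name: "Example Extension",
    version: "1.4.1",
    permissions: ["storage", "cookies"],
    host_permissions: ["*://*.facebook.com/*"],
    background: { service_worker: "worker.js" },
    content_scripts: [{ matches: ["*://*.facebook.com/*"], js: ["content.js"] }],
  },
};

// Permissions that let an extension read or act on another site's session.
// ASSUMPTION: this list is the example's own heuristic.
const SENSITIVE_PERMISSIONS = ["cookies", "webRequest", "scripting", "tabs", "debugger"];

// Elements of `a` that are not in `b`, preserving the order of `a`.
function setDiff(a, b) {
  const bs = new Set(b);
  return a.filter((x) => !bs.has(x));
}

// Flatten content_scripts into "file @ match-pattern" strings so they can be diffed.
function contentScriptEntries(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) =>
    (cs.js || []).flatMap((js) => (cs.matches || []).map((m) => `${js} @ ${m}`))
  );
}

function diffExtension(oldPkg, newPkg) {
  const addedFiles = setDiff(newPkg.files, oldPkg.files);
  const removedFiles = setDiff(oldPkg.files, newPkg.files);
  const newPermissions = setDiff(newPkg.manifest.permissions || [], oldPkg.manifest.permissions || []);
  const newHostPermissions = setDiff(newPkg.manifest.host_permissions || [], oldPkg.manifest.host_permissions || []);
  const newContentScripts = setDiff(contentScriptEntries(newPkg.manifest), contentScriptEntries(oldPkg.manifest));
  const oldWorker = (oldPkg.manifest.background || {}).service_worker || null;
  const newWorker = (newPkg.manifest.background || {}).service_worker || null;
  const backgroundChanged = oldWorker !== newWorker ? { from: oldWorker, to: newWorker } : null;

  const suspicious = [];
  // A new service worker or content script is code that runs with no user gesture.
  if (backgroundChanged) suspicious.push(`background worker changed: ${oldWorker} -> ${newWorker}`);
  for (const e of newContentScripts) suspicious.push(`new content script: ${e}`);
  // Widened reach into other sites.
  for (const h of newHostPermissions) suspicious.push(`new host permission: ${h}`);
  for (const p of newPermissions) {
    if (SENSITIVE_PERMISSIONS.includes(p)) suspicious.push(`new sensitive permission: ${p}`);
  }
  // Any new executable file deserves a read before the update is trusted.
  for (const f of addedFiles) {
    if (/\.js$/i.test(f)) suspicious.push(`new script file: ${f}`);
  }

  return { addedFiles, removedFiles, newPermissions, newHostPermissions, newContentScripts, backgroundChanged, suspicious };
}

console.log(JSON.stringify(diffExtension(V1, V2), null, 2));
```

In practice the two inputs come from unpacking the previous and current CRX files (the file list from the archive, the manifest from manifest.json inside it); the comparison logic is the same. A version string that only bumps the patch number while the audit reports new scripts and new host permissions is exactly the pattern to stop and read.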

Security Implications
The attack did not defeat multi-factor authentication so much as route around it. The developers signed in to Google legitimately, MFA included, and then authorized a third-party application; the OAuth token issued to that application is used without further password or second-factor prompts, so the attackers never needed either. On the end-user side, the malicious code also included logic to capture Facebook 2FA and CAPTCHA-related information, which, combined with the stolen access tokens, could enable full account hijacking.

The campaign primarily targeted Facebook business accounts, most likely for financial fraud, disinformation campaigns, or resale of the access in underground markets.
