A sophisticated attack campaign targeting Chrome browser extensions has compromised at least 16 extensions, potentially exposing more than 600,000 users to data theft and security breaches. The attackers employed phishing tactics to target extension publishers on the Chrome Web Store, subsequently injecting malicious code to steal cookies and user access tokens.
Cyberhaven, a cybersecurity firm, was the first known victim, discovering on December 27 that their browser extension had been compromised. The malicious code communicated with a Command and Control (C&C) server at cyberhavenext[.]pro, downloading configuration files and extracting user data.
Affected Extensions Include:
– AI Assistant – ChatGPT and Gemini for Chrome
– Bard AI Chat Extension
– GPT 4 Summary with OpenAI
– Several VPN and video-related extensions
– Various AI assistants and productivity tools
The attack specifically targeted Facebook business account credentials and access tokens. While Cyberhaven removed the compromised version within 24 hours, and other affected extensions have been updated or removed from the Chrome Web Store, users with installed compromised versions remain at risk.
Or Eshed, CEO of LayerX Security, warns that browser extensions represent a significant security vulnerability, often having extensive permissions to sensitive user information. Many organizations lack awareness of their installed extensions and associated risks.
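The inventory gap described above can be narrowed with a simple audit of what is installed. The following is an added example, not code from Cyberhaven, LayerX or the original article: it walks a Chrome profile's `Extensions/<extension id>/<version>/manifest.json` layout and lists every extension that combines a sensitive API with broad host access. The permission shortlist, the "review" rule and the sample extensions are assumptions made for this example.

```python
import json
import tempfile
from pathlib import Path

# Shortlist chosen for this example, not an official classification.
SENSITIVE_APIS = {"cookies", "webRequest", "scripting", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return the sensitive APIs and broad host patterns one manifest declares."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    return {"apis": sorted(declared & SENSITIVE_APIS),
            "broad_hosts": sorted(declared & BROAD_HOSTS)}

def audit_profile(extensions_dir: Path) -> list:
    """Report every installed extension version found under extensions_dir."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, skip it
        result = audit_manifest(manifest)
        findings.append({
            "id": path.parts[-3], "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), **result,
            # Example rule: sensitive API plus access to all sites.
            "review": bool(result["apis"] and result["broad_hosts"]),
        })
    return findings

def build_sample_profile(root: Path) -> Path:
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        "a" * 32: {"name": "Sample AI helper", "version": "1.0.1",
                   "permissions": ["cookies", "storage"],
                   "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Sample notes", "version": "2.3",
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / "Extensions" / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root / "Extensions"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_profile(build_sample_profile(Path(tmp))), indent=2))
```

A "review" flag marks an extension whose permissions warrant a closer look; it is not an indicator of compromise, since many legitimate extensions request the same access.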
The incident highlights the growing need for organizations to strengthen their browser extension security measures, as the sophisticated nature of this attack campaign represents an escalating threat in web security.