Cyberattackers Seize Control of 16 Chrome Extensions, 600,000 Users' Data at Risk

A sophisticated cyberattack campaign that began in mid-December has compromised at least 16 Chrome browser extensions, putting over 600,000 users at risk of data theft. Cyberhaven, a California-based data protection firm, was the first to report the breach, disclosing that a phishing attack on Christmas Eve allowed hackers to upload a malicious version of its Chrome extension (version 24.10.4) to the Chrome Web Store.

The malicious code embedded in the compromised extensions was designed to capture sensitive information such as passwords and session tokens, primarily targeting users involved with social media advertising and AI platforms. Jaime Blasco from Nudge Security noted indications of other affected extensions beyond Cyberhaven’s, as multiple domains linked to the same IP address were created around the same time as the attack.


Affected Extensions

The attack’s scope appears broad, affecting various types of extensions related to VPNs, AI, productivity tools, and video downloaders. The malicious code was active for about 25 hours, from December 24 to December 26, impacting only those Chrome installations that had auto-updates enabled during this window. Cyberhaven’s internal security team detected the intrusion on Christmas Day and quickly removed the malicious extension from the store, replacing it with a secure version (24.10.5). Here is the list of affected extensions.

| Category | Extensions |
|---|---|
| Productivity | Bookmark Favicon Changer, Castorus, Primus, Parrot Talks, Reader Mode, Uvoice, Vindoz Flex Video Recorder, VidHelper Video Downloader |
| AI | AI Assistant: ChatGPT and Gemini, Bard AI Chat Extension, GPT 4 Summary with OpenAI, Search Copilot AI Assistant for Chrome, TinaMind AI Assistant, Wayin AI |
| VPN | Internxt VPN, VPNCity |

Response Measures

In response to the breach, Cyberhaven has taken several actions:

  • Notified affected customers on December 26.
  • Engaged Mandiant, an external incident response firm, for forensic analysis.
  • Implemented additional security measures to prevent future incidents.
  • Advised customers to update their extensions, change passwords, and monitor logs for suspicious activity.

Cyberhaven indicated that this attack seemed generic rather than targeted at specific companies, suggesting a widespread phishing scheme aimed at users engaged with Facebook advertising.
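
To act on the advice to check and update extensions, the following Python script (an added example, not code from Cyberhaven or from this article) audits a Chrome profile's Extensions directory against the affected list above and the malicious Cyberhaven version 24.10.4. It matches on manifest name because the article gives no extension IDs, and it assumes Chrome's usual `Extensions/<id>/<version>/manifest.json` layout and that the Cyberhaven manifest name contains "Cyberhaven".

```python
import json
import sys
from pathlib import Path

# Names from the article's table, lowercased. Matching is by manifest name
# because the article gives no extension IDs.
AFFECTED_NAMES = {n.lower() for n in (
    "Bookmark Favicon Changer", "Castorus", "Primus", "Parrot Talks",
    "Reader Mode", "Uvoice", "Vindoz Flex Video Recorder",
    "VidHelper Video Downloader", "AI Assistant: ChatGPT and Gemini",
    "Bard AI Chat Extension", "GPT 4 Summary with OpenAI",
    "Search Copilot AI Assistant for Chrome", "TinaMind AI Assistant",
    "Wayin AI", "Internxt VPN", "VPNCity")}
BAD_CYBERHAVEN_VERSION = "24.10.4"  # malicious build named in the article

def load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}  # unreadable or malformed file: treat as empty

def display_name(version_dir, manifest):
    """Resolve a localized __MSG_key__ name via _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are case-insensitive
        locale = manifest.get("default_locale", "en")
        msgs = load_json(version_dir / "_locales" / locale / "messages.json")
        for k, v in msgs.items():
            if k.lower() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def audit(extensions_root):  # -> [(id, name, version, reason), ...]
    findings = []
    for mpath in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load_json(mpath)
        name = display_name(mpath.parent, manifest)
        version = str(manifest.get("version", ""))
        ext_id = mpath.parent.parent.name
        if " ".join(name.lower().split()) in AFFECTED_NAMES:
            findings.append((ext_id, name, version, "name on affected list"))
        elif "cyberhaven" in name.lower() and version == BAD_CYBERHAVEN_VERSION:
            # Assumption: the manifest name contains "Cyberhaven".
            findings.append((ext_id, name, version, "malicious version"))
    return findings

if __name__ == "__main__":
    print(*audit(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

A name match is a lead to verify by hand, since extension names are not unique and the article does not say which versions of the other extensions were malicious.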

Implications and Security Concerns

This incident highlights significant vulnerabilities associated with browser extensions, which are often perceived as benign but can be exploited due to their extensive permissions. The ongoing investigation seeks to determine the full extent of the breach and identify those responsible for this extensive campaign. As browser extensions continue to be a soft target for cybercriminals, both developers and users are urged to remain vigilant about security practices, ensuring regular updates and sourcing extensions from reputable providers.

Zarnab Latif
