Several Chrome Browser Extensions Found to Contain Malicious Code: Stealing User Data
December 29—According to a report by BleepingComputer, at least five Chrome browser extensions have recently been compromised through a coordinated attack.
Hackers injected malicious code into these extensions, allowing them to steal sensitive user information.
Cyberhaven, a data loss prevention company, first disclosed this security breach on December 24, explaining that its Google Chrome Web Store management account fell victim to a phishing attack.

Malicious Version Released Through Account Compromise
Cyberhaven serves high-profile clients such as Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS Bank, Upstart, and Kirkland & Ellis. The attackers hijacked a Cyberhaven employee account and used it to release a malicious version of the Cyberhaven Chrome extension (version 24.10.4). This version contained code that exfiltrated authenticated session data and cookies to a domain controlled by the attackers: cyberhavenext[.]pro.
After detecting the breach, Cyberhaven’s internal security team removed the compromised extension within an hour. A clean, updated version (24.10.5) was made available on December 26. Cyberhaven advised users to upgrade to the latest version immediately and to take the following additional steps:
- Revoke all non-FIDOv2 passwords.
- Rotate all API tokens.
- Review browser logs for signs of malicious activity.
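
The following is an added example, not code from Cyberhaven or BleepingComputer: a Python check for the two indicators named above, an installed copy of version 24.10.4 and log lines that mention cyberhavenext[.]pro. It assumes Chrome's on-disk layout Extensions/<id>/<version dir>/manifest.json and that the manifest "name" field contains "Cyberhaven"; the function names are hypothetical.

```python
import json
import re
from pathlib import Path

# Indicators from the article. The domain stays defanged in source and is
# refanged only in memory for matching.
BAD_NAME = "cyberhaven"
BAD_VERSION = "24.10.4"
IOC_DOMAIN = "cyberhavenext[.]pro".replace("[.]", ".")

# Match the domain or a subdomain of it, but not longer look-alike names.
_DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?!\.?[\w-])", re.I)


def find_bad_extensions(extensions_dir):
    """Return (extension_id, version) for installed copies of the bad release.

    Assumption: the manifest "name" is a literal string containing the product
    name; a localized placeholder name would need the _locales files as well.
    """
    hits = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(data, dict):
            continue
        name = str(data.get("name", "")).lower()
        if BAD_NAME in name and data.get("version") == BAD_VERSION:
            hits.append((manifest.parent.parent.name, BAD_VERSION))
    return hits


def find_ioc_lines(log_lines):
    """Return (line_number, line) for log lines that mention the IoC domain."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(log_lines, 1)
            if _DOMAIN_RE.search(line)]
```

Point find_bad_extensions at a profile's Extensions directory and feed find_ioc_lines the lines of a proxy, DNS or browser log; a hit from either is a reason to carry out the credential steps listed above.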

Investigation Uncovers Additional Affected Extensions
Following Cyberhaven’s disclosure, Jaime Blasco, a researcher at Nudge Security, conducted an in-depth investigation. By analyzing the attackers’ IP address and domain registrations, Blasco uncovered evidence that malicious code fragments had been simultaneously injected into four other Chrome extensions, including Uvoice and ParrotTalks. While other potential victims were identified, only the aforementioned four extensions have been confirmed to contain the malicious code.

Recommendations for Users
Users are strongly advised to:
- Remove any potentially compromised extensions from their browser.
- Upgrade to secure versions released after December 26 if such updates are available.
- If uncertain whether the extension developers have addressed the security issues, consider:
  - Uninstalling the extension.
  - Resetting passwords for critical accounts.
  - Clearing browser data.
  - Restoring the browser to its original default settings.
Remaining vigilant and updating to the latest versions of extensions is crucial to mitigate risks associated with such attacks.