Dozens of Chrome Browser Extensions Hijacked by Data Thieves


Security researchers have warned users of Google Chrome extensions to be on their guard after uncovering a major campaign focused on data theft.

At least 36 compromised Chrome extensions have been detected to date, potentially exposing as many as 2.6 million end users, according to ExtensionTotal.

The campaign first came to light in late December, when the extension for cybersecurity startup Cyberhaven was hijacked, putting at risk its 400,000 users.

According to ExtensionTotal, a Cyberhaven admin was phished on December 24, after receiving an email stating that the firm’s extension violated Google’s policies and was in danger of being removed from the Chrome Web Store.


“Clicking on the email led the admin to a Google consent screen, requesting permission for an OAuth application named Privacy Policy Extension,” ExtensionTotal explained.

“This application was actually a tool controlled by the attacker. By granting permission, the admin unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Web Store.”

The hackers subsequently uploaded a malicious version of the extension designed to steal users’ passwords, cookies and other information that could enable account takeovers. The malicious code managed to bypass Google’s security checks.

Developers Beware

Security vendor SquareX said extensions are an increasingly popular way for threat actors to gain initial access, because most corporate IT teams don’t control what their users install. Even if they do, few IT admins monitor subsequent updates to an allow-listed extension, it added.

Additionally, large numbers of developers are easy to target, as their emails are often publicly listed on the Chrome Store for bug reporting, it added.

SquareX founder, Vivek Ramachandran, claimed his firm has seen similar attacks designed to steal data from apps like Google Drive and OneDrive, and warned that threat actors will get “more creative” still with future campaigns.

“Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work,” he argued.

“Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser native tools.”
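The gap SquareX describes, where updates to an already allow-listed extension go unreviewed, can be narrowed by diffing each installed manifest against the one that was approved. The Python sketch below is an added example, not code from ExtensionTotal, SquareX or Cyberhaven; the extension IDs, versions, manifests and function names are constructed for illustration, and only the standard Chrome manifest keys `version`, `permissions`, `host_permissions` and `content_scripts` are assumed.

```python
# Added example. Extension IDs, versions and manifests are constructed sample data.
A, B, C = "a" * 32, "b" * 32, "c" * 32  # placeholder extension IDs

BASELINE = {  # manifests as reviewed when the extension was allow-listed
    A: {"version": "2.4.0", "permissions": ["storage"],
        "host_permissions": ["https://app.example.com/*"]},
    B: {"version": "1.0.9", "permissions": ["tabs"]},
}
INSTALLED = {  # manifests collected from an endpoint after auto-update
    A: {"version": "2.4.1", "permissions": ["storage", "cookies"],
        "host_permissions": ["https://app.example.com/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    B: {"version": "1.0.9", "permissions": ["tabs"]},
    C: {"version": "0.3", "permissions": ["history"]},
}

def version_tuple(version):
    """Chrome versions are 1-4 dot-separated integers; compare numerically."""
    return tuple(int(part) for part in version.split("."))

def requested_access(manifest):
    """API permissions, host permissions and content-script match patterns."""
    access = set(manifest.get("permissions", []))
    access |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        access |= set(script.get("matches", []))
    return access

def audit(baseline, installed):
    """Return (extension_id, finding, detail) tuples for anything needing review."""
    findings = []
    for ext_id, manifest in sorted(installed.items()):
        approved = baseline.get(ext_id)
        if approved is None:
            findings.append((ext_id, "not-allow-listed", manifest["version"]))
            continue
        old, new = approved["version"], manifest["version"]
        if version_tuple(old) != version_tuple(new):
            findings.append((ext_id, "version-changed", f"{old} -> {new}"))
        added = requested_access(manifest) - requested_access(approved)
        if added:
            findings.append((ext_id, "access-added", sorted(added)))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, INSTALLED):
        print(finding)
```

An update that adds no new permissions still produces a `version-changed` finding, which is the cue to review the new package before extending the approval to it.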
