Hackers Hijacked Chrome Extensions to Inject Malicious Code



Introduction

In recent cybersecurity news, hackers have infiltrated Chrome extensions, compromising over 600,000 users. A sophisticated attack targeted at least 16 popular extensions has raised alarms regarding the vulnerability of browser extensions, which are often trusted yet can be exploited for data theft. The attack was discovered in late December 2024 and is linked to a broader phishing campaign that gave cybercriminals access to developers' accounts on the Chrome Web Store. These breaches highlight the growing threat to users' sensitive data and privacy through seemingly harmless browser add-ons.

Understanding the Attack on Chrome Extensions

Cybercriminals employed a well-crafted phishing campaign to compromise several well-known Chrome extensions, which are small programs that enhance the functionality of the browser. The attackers targeted developers of these extensions, using phishing emails to trick them into giving up their credentials. With this access, they were able to inject malicious code into legitimate extensions, which were then made available on the Chrome Web Store.

The Scope of the Breach

The cyberattack affected over 600,000 users worldwide, with the compromised extensions stealing sensitive data such as cookies and access tokens. The attack primarily targeted business accounts, particularly those linked to social media advertising platforms and AI tools. The first known victim was Cyberhaven, a data protection firm based in California. On Christmas Eve 2024, one of their employees was tricked into clicking a malicious link that granted hackers access to their developer account.

How the Hackers Gained Access

The attack began with a phishing email that appeared to come from the Chrome Web Store Developer Support team. The email claimed that an extension was at risk of being removed due to a policy violation, urging the recipient to click a link to resolve the issue. This link redirected the developer to a fake page that prompted them to authorize a malicious OAuth application named “Privacy Policy Extension.” Once the permissions were granted, the attackers gained control and uploaded a version of the Cyberhaven extension with malicious code.

Malicious Code and Its Impact

Once published, the compromised extensions communicated with a remote server controlled by the hackers. This server was responsible for receiving and transmitting stolen data, such as cookies and user session tokens. The malicious code was designed to exfiltrate sensitive information and send it back to the cybercriminals, giving them access to Facebook business accounts, AI platforms, and other valuable targets.

The Extent of Affected Extensions

While Cyberhaven was the first to discover the breach, further investigation revealed that other popular Chrome extensions had also been compromised. These included AI-related extensions like “AI Assistant – ChatGPT and Gemini for Chrome” and “Bard AI Chat Extension,” VPN tools such as “VPNCity” and “Internxt VPN,” and productivity extensions like “VidHelper Video Downloader” and “Reader Mode.” These extensions spanned multiple categories, showing that the attack was both opportunistic and widespread.

Timeline of the Attack

The malicious code was active for approximately 25 hours, from December 24 to December 26, 2024. During this period, any Chrome installations that automatically updated their extensions were vulnerable to the attack. Cyberhaven detected the breach on Christmas Day and quickly removed the malicious extension

the permissions granted to extensions are often broad, allowing them to operate without strict oversight. This makes them a prime target for hackers who exploit these permissions to infiltrate systems and steal sensitive data.

The Role of Google in Addressing the Issue

Once Cyberhaven detected the malicious extension and removed it, Google took swift action. However, security experts emphasize that the presence of the compromised extension on user devices for 24 hours poses a significant risk. Even after the extension was removed from the Chrome Web Store, users who had already updated their browsers with the compromised extension remained vulnerable to continued data exfiltration. This highlights the challenges of securing browser extensions once they have been published and downloaded by users.

Why Was Cyberhaven Targeted?

Cyberhaven’s extension was likely targeted due to the nature of the company’s business. As a data protection company, it provides services to businesses that store and process sensitive information. This made it an appealing target for cybercriminals seeking access to corporate accounts, especially in the advertising and AI industries. The attackers were able to steal user credentials, which could then be used for malicious activities, such as unauthorized access to social media accounts or data manipulation.

The Broader Campaign: Multiple Extensions Affected

As cybersecurity experts continued their investigations, more extensions were discovered to be part of the same attack campaign. The malware was injected into a wide range of extensions across different categories. These included productivity tools, video downloaders, AI assistants, and even extensions offering cashback deals. The broad selection of affected extensions indicates that the attackers were casting a wide net, hoping to maximize the number of compromised users.

How Users Can Protect Themselves

In the wake of the breach, users are advised to take immediate steps to protect their data. This includes updating Chrome extensions to the latest versions, reviewing installed extensions to ensure they are from reputable sources, and being cautious about granting permissions to new or unfamiliar extensions. Users should also rotate passwords, particularly for accounts linked to social media or business platforms, and monitor their activity for any signs of suspicious behavior.

The Importance of Regular Updates and Vetting Extensions

This breach underscores the importance of regularly updating browser extensions and vetting their sources. While the Chrome Web Store conducts security reviews for new extensions, these measures are not foolproof. Developers must implement strong security practices, including periodic code audits, and ensure that they are using multi-factor authentication and other protective measures to safeguard their developer accounts.

Lessons for Extension Developers and Users

For extension developers, this attack serves as a wake-up call to prioritize security in their code and in the permissions they request. They must be vigilant against phishing attempts and implement safeguards to prevent unauthorized access to their accounts. For users, the attack highlights the need for greater caution when installing or updating extensions. It's crucial to scrutinize the permissions requested by extensions and avoid installing those that ask for unnecessary access to sensitive data.

Conclusion: A Wake-Up Call for Browser Security

This attack serves as a critical reminder of the vulnerabilities associated with browser extensions. While these tools enhance our browsing experience, they also present significant security risks if not properly managed. Both users and developers must adopt a more proactive approach to extension security, ensuring that they are continually updated, carefully monitored, and sourced from reputable developers. The Cyberhaven breach, and the subsequent exposure of other extensions, should serve as a catalyst for broader industry discussions on how to better secure browser extensions against evolving cyber threats.

FAQs

1. How do hackers compromise Chrome extensions?
Hackers often use phishing campaigns to gain access to developers' accounts on the Chrome Web Store. Once inside, they can inject malicious code into legitimate extensions, which is then distributed to users.

2. How can I tell if my Chrome extension has been compromised?
Check for unusual behavior in your browser, such as slow performance, unexpected pop-ups, or unauthorized actions in your online accounts. Ensure that all extensions are updated to the latest version, and uninstall any suspicious ones.

3. What should I do if my account has been compromised through a malicious extension?
Immediately update your passwords, enable multi-factor authentication, and review your account activity for any signs of suspicious behavior. It's also important to remove the compromised extension and report it to the appropriate authorities.

4. Are all Chrome extensions vulnerable to this kind of attack?
While most extensions are safe, any extension that requires extensive permissions, such as access to cookies or identity information, can be vulnerable if compromised. Always install extensions from trusted sources and carefully review the permissions they request.

5. Can Google prevent these types of attacks?
Google has taken steps to secure the Chrome Web Store by conducting security reviews for extensions. However, this attack shows that more comprehensive measures are needed, such as better monitoring for suspicious developer activity and improved extension vetting.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Tags : Chrome extension security, malicious code in Chrome extensions, phishing attack Chrome extensions, data theft from Chrome extensions, compromised browser extensions, Cyberhaven security breach, protecting browser extensions, Chrome Web Store phishing attack, security risks browser extensions, hackers hijack Chrome extensions, Chrome extension data exposure, securing Chrome extensions, preventing extension vulnerabilities, malicious extensions data theft, cybersecurity browser extensions

Posted in News on Dec 30, 2024



AI Wins Another Nobel: DeepMind’s Hassabis and Jumper Awarded for AlphaFold Breakthrough in Chemistry

Posted on Oct 10, 2024

The 2024 Nobel Prize in Chemistry marked a groundbreaking moment, as artificial intelligence once again took center stage. This time, the honor went to Demis Hassabis, co-founder of Google DeepMind, and John Jumper, Senior Research Scientist at the same institution, for their revolutionary AI system, AlphaFold. Alongside them was David Baker from the University of Washington, whose work in protein design complemented the AI-driven breakthroughs. This prestigious award recognized their joint contributions to predicting and developing new proteins, a breakthrough that is already changing the world of biology and chemistry.



Green Web Hosting: Eco-Friendly Solutions for a Sustainable Future

Posted in Uncategorized on Jul 22, 2024

Discover the benefits of green web hosting and how it can contribute to a more sustainable future. Green web hosting focuses on using energy-efficient technologies, renewable energy sources, and sustainable practices to minimize environmental impact. Learn why choosing an eco-friendly web host not only supports corporate social responsibility but also helps in reducing your carbon footprint. Explore how to select the right green web hosting provider and make a positive difference with your online presence.



Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024

As we navigate the digital age, online trust has become increasingly important. Google is now experimenting with a feature that aims to strengthen this trust: verified checkmarks in search results. These blue ticks could soon help users easily identify which businesses are legitimate and trustworthy. But what does this mean for the average internet user? Let’s dive deeper into this new feature and explore its implications.



Tips for Changing Python Django Superuser Password

Posted in Technical Solutions on Jun 07, 2024

Tips for Changing Python Django Superuser Password



Gmail Users at Risk from AI-Powered Cyberattacks

Posted in News on Oct 14, 2024

In a rapidly evolving digital landscape, Gmail users are facing a new and alarming threat: AI-powered cyberattacks. These sophisticated scams leverage advanced technology to create realistic impersonations of Google support calls, tricking unsuspecting individuals into revealing personal information. This blog delves into the details of these AI-driven scams, sharing real-life accounts of victims and expert insights on how these tactics work. Through engaging narratives and practical advice, the blog aims to raise awareness about the importance of cybersecurity in the age of AI. Readers will learn how to identify suspicious communications, the significance of enabling robust security features, and essential steps to protect their accounts from phishing attempts. As cybercriminals continue to refine their techniques, staying informed and vigilant is more crucial than ever.



Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024

The recent Samsung update has caused severe problems for many Galaxy S10 and Note 10 owners, leaving their devices bricked and forcing users to seek urgent solutions. The update, designed to improve functionality, has instead resulted in a widespread issue that has thrown affected phones into an endless boot loop. Fortunately, Samsung was quick to respond with a fix, but users are still grappling with the impact.



How LinkedIn Became a Hub for AI-Generated Content

Posted in News on Nov 29, 2024

LinkedIn has always been a platform for professionals to network, find job opportunities, and share career-related content. However, over the past few years, it has evolved into something more, a place where thought leaders, influencers, and even job seekers have turned to AI-powered tools to help generate content. This shift has been a major factor in the rise of AI-generated posts, with over half of LinkedIn’s long-form posts being created by AI as of October 2024.



Best Affordable Web Hosting Provider 2022 - Pakistan

Posted in News on Oct 14, 2022

We are pleased to announce that Hosting by AliTech has won the CorporateVision's Global Business Award "Best Affordable Web Hosting Provider 2022 - Pakistan".



Step by Step Guide for Django Installation on CyberPanel, Litespeed & uWSGI - #CyberPanel #LiteSpeed

Posted on Dec 28, 2021

Step by Step Guide for Django Installation on CyberPanel, Litespeed & uWSGI - #CyberPanel #SFARPak This tutorial explains steps by steps how to Install Django in CyberPanel. The CyberPanel works on the LiteSpeed server which has the fastest performance compared to other servers like Apache & NGINX.



AliTech WordPress Hosting: Unmatched Performance for Your WordPress Sites 2024

Posted in About Hosting by AliTech on Aug 22, 2024

Explore the benefits of AliTech WordPress Hosting, designed for extreme performance and reliability. With SSD storage, instant provisioning, and guaranteed resources, AliTech offers tailored hosting solutions to meet the needs of any WordPress site. Whether you're starting with the Bronze plan or scaling up to Titanium, discover how AliTech provides the power and flexibility to keep your site running smoothly and efficiently.



Comprehensive Guide to Choosing the Right Domain and Hosting Services for Startups

Posted in Uncategorized on Jul 01, 2024

In today’s digital landscape, choosing the right domain name and hosting services is crucial for startups aiming to establish a strong online presence. This comprehensive guide explores the importance of domain selection, optimal hosting solutions, and popular CMS platforms like WordPress, WooCommerce, Joomla, and more. Whether you're deploying NodeJS, Django, Ruby on Rails, React, or other frameworks, understanding these elements is essential for scalable growth and seamless user experiences.



ACME now uses ZeroSSL, here is what you need to do for your CyberPanel

Posted in Technical Solutions on Jul 02, 2021

ACME now uses ZeroSSL, here is what you need to do for your CyberPanel.



The Pros and Cons of Using a Free Web Hosting Service

Posted in Uncategorized on Jul 26, 2024

Choosing the right web hosting service is crucial for your online presence. Free web hosting might seem appealing, especially for startups and personal projects, but it's important to weigh its benefits and drawbacks. While cost-effective and user-friendly, free web hosting often comes with limitations in resources, performance, and security. Understanding these pros and cons can help you decide if free web hosting is the right choice for your website.



[SOLVED / FIXED] mysqlclient ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Posted on Jun 09, 2022

[SOLVED / FIXED] mysqlclient ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.



This is really awesome!!! We are now ranking 🚀5th 👊😍

Posted in About Hosting by AliTech, Hosting Promotions on Jun 07, 2021

This is really awesome!!! We are now ranking 5th on TheWebHostingDir.com. To celebrate this we are giving away 5 Free Shared Hosting Accounts on first come first serve basis.



CyberPanel Docker Integration - Superb - 2022

Posted in Technical Solutions on Mar 04, 2022

CyberPanel Docker Integration | SFARPak #SFARPak If you like my work please subscribe, share & comment.



The Manifest Hails AliTech Solutions as one of the Most Reviewed IT Services Companies in Pakistan

Posted on Jun 09, 2022

The Manifest Hails AliTech Solutions as one of the Most Reviewed IT Services Companies in Pakistan A robust IT infrastructure is one of the key components of a company’s success in today’s digital landscape. Thankfully, there are companies like AliTech Solutions that can help you with your IT needs. We’ve been in the industry for a while now and our team has managed to help hundreds of clients achieve their goals through our services.



Graykey and Its Limitations: Insights from Leaked Documents

Posted in News on Nov 20, 2024

Graykey, a forensic tool used to unlock smartphones, is facing challenges with newer devices. Leaked documents reveal it can only partially unlock iPhones running iOS 18, accessing limited data like unencrypted files and metadata. Its performance on Android devices, such as Google Pixel phones, is also limited by device states. This highlights the ongoing battle between tech companies enhancing security and forensic tools trying to keep up, raising questions about privacy and access in the digital age.




Other Blogs


Green Web Hosting: Eco-Friendly Solutions for a Sustainable Future

Posted in Uncategorized on Jul 22, 2024 and updated on Jul 22, 2024

Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024 and updated on Oct 08, 2024

Tips for Changing Python Django Superuser Password

Posted in Technical Solutions on Jun 07, 2024 and updated on Jun 07, 2024

Gmail Users at Risk from AI-Powered Cyberattacks

Posted in News on Oct 14, 2024 and updated on Oct 14, 2024

Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024 and updated on Oct 04, 2024

How LinkedIn Became a Hub for AI-Generated Content

Posted in News on Nov 29, 2024 and updated on Nov 29, 2024

Best Affordable Web Hosting Provider 2022 - Pakistan

Posted in News on Oct 14, 2022 and updated on Nov 27, 2023

The Pros and Cons of Using a Free Web Hosting Service

Posted in Uncategorized on Jul 26, 2024 and updated on Jul 26, 2024

CyberPanel Docker Integration - Superb - 2022

Posted in Technical Solutions on Mar 04, 2022 and updated on Mar 04, 2022

Graykey and Its Limitations: Insights from Leaked Documents

Posted in News on Nov 20, 2024 and updated on Nov 20, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons