Hackers Hijacked Chrome Extensions to Inject Malicious Code



Introduction

In recent cybersecurity news, hackers have infiltrated Chrome extensions, compromising over 600,000 users. A sophisticated attack targeted at least 16 popular extensions has raised alarms regarding the vulnerability of browser extensions, which are often trusted yet can be exploited for data theft. The attack was discovered in late December 2024 and is linked to a broader phishing campaign that gave cybercriminals access to developers' accounts on the Chrome Web Store. These breaches highlight the growing threat to users' sensitive data and privacy through seemingly harmless browser add-ons.

Understanding the Attack on Chrome Extensions

Cybercriminals employed a well-crafted phishing campaign to compromise several well-known Chrome extensions, which are small programs that enhance the functionality of the browser. The attackers targeted developers of these extensions, using phishing emails to trick them into giving up their credentials. With this access, they were able to inject malicious code into legitimate extensions, which were then made available on the Chrome Web Store.

The Scope of the Breach

The cyberattack affected over 600,000 users worldwide, with the compromised extensions stealing sensitive data such as cookies and access tokens. The attack primarily targeted business accounts, particularly those linked to social media advertising platforms and AI tools. The first known victim was Cyberhaven, a data protection firm based in California. On Christmas Eve 2024, one of their employees was tricked into clicking a malicious link that granted hackers access to their developer account.

How the Hackers Gained Access

The attack began with a phishing email that appeared to come from the Chrome Web Store Developer Support team. The email claimed that an extension was at risk of being removed due to a policy violation, urging the recipient to click a link to resolve the issue. This link redirected the developer to a fake page that prompted them to authorize a malicious OAuth application named “Privacy Policy Extension.” Once the permissions were granted, the attackers gained control and uploaded a version of the Cyberhaven extension with malicious code.

Malicious Code and Its Impact

Once published, the compromised extensions communicated with a remote server controlled by the hackers. This server was responsible for receiving and transmitting stolen data, such as cookies and user session tokens. The malicious code was designed to exfiltrate sensitive information and send it back to the cybercriminals, giving them access to Facebook business accounts, AI platforms, and other valuable targets.

The Extent of Affected Extensions

While Cyberhaven was the first to discover the breach, further investigation revealed that other popular Chrome extensions had also been compromised. These included AI-related extensions like “AI Assistant – ChatGPT and Gemini for Chrome” and “Bard AI Chat Extension,” VPN tools such as “VPNCity” and “Internxt VPN,” and productivity extensions like “VidHelper Video Downloader” and “Reader Mode.” These extensions spanned multiple categories, showing that the attack was both opportunistic and widespread.

Timeline of the Attack

The malicious code was active for approximately 25 hours, from December 24 to December 26, 2024. During this period, any Chrome installations that automatically updated their extensions were vulnerable to the attack. Cyberhaven detected the breach on Christmas Day and quickly removed the malicious extension

the permissions granted to extensions are often broad, allowing them to operate without strict oversight. This makes them a prime target for hackers who exploit these permissions to infiltrate systems and steal sensitive data.

The Role of Google in Addressing the Issue

Once Cyberhaven detected the malicious extension and removed it, Google took swift action. However, security experts emphasize that the presence of the compromised extension on user devices for 24 hours poses a significant risk. Even after the extension was removed from the Chrome Web Store, users who had already updated their browsers with the compromised extension remained vulnerable to continued data exfiltration. This highlights the challenges of securing browser extensions once they have been published and downloaded by users.

Why Was Cyberhaven Targeted?

Cyberhaven’s extension was likely targeted due to the nature of the company’s business. As a data protection company, it provides services to businesses that store and process sensitive information. This made it an appealing target for cybercriminals seeking access to corporate accounts, especially in the advertising and AI industries. The attackers were able to steal user credentials, which could then be used for malicious activities, such as unauthorized access to social media accounts or data manipulation.

The Broader Campaign: Multiple Extensions Affected

As cybersecurity experts continued their investigations, more extensions were discovered to be part of the same attack campaign. The malware was injected into a wide range of extensions across different categories. These included productivity tools, video downloaders, AI assistants, and even extensions offering cashback deals. The broad selection of affected extensions indicates that the attackers were casting a wide net, hoping to maximize the number of compromised users.

How Users Can Protect Themselves

In the wake of the breach, users are advised to take immediate steps to protect their data. This includes updating Chrome extensions to the latest versions, reviewing installed extensions to ensure they are from reputable sources, and being cautious about granting permissions to new or unfamiliar extensions. Users should also rotate passwords, particularly for accounts linked to social media or business platforms, and monitor their activity for any signs of suspicious behavior.

The Importance of Regular Updates and Vetting Extensions

This breach underscores the importance of regularly updating browser extensions and vetting their sources. While the Chrome Web Store conducts security reviews for new extensions, these measures are not foolproof. Developers must implement strong security practices, including periodic code audits, and ensure that they are using multi-factor authentication and other protective measures to safeguard their developer accounts.

Lessons for Extension Developers and Users

For extension developers, this attack serves as a wake-up call to prioritize security in their code and in the permissions they request. They must be vigilant against phishing attempts and implement safeguards to prevent unauthorized access to their accounts. For users, the attack highlights the need for greater caution when installing or updating extensions. It's crucial to scrutinize the permissions requested by extensions and avoid installing those that ask for unnecessary access to sensitive data.

Conclusion: A Wake-Up Call for Browser Security

This attack serves as a critical reminder of the vulnerabilities associated with browser extensions. While these tools enhance our browsing experience, they also present significant security risks if not properly managed. Both users and developers must adopt a more proactive approach to extension security, ensuring that they are continually updated, carefully monitored, and sourced from reputable developers. The Cyberhaven breach, and the subsequent exposure of other extensions, should serve as a catalyst for broader industry discussions on how to better secure browser extensions against evolving cyber threats.

FAQs

1. How do hackers compromise Chrome extensions?
Hackers often use phishing campaigns to gain access to developers' accounts on the Chrome Web Store. Once inside, they can inject malicious code into legitimate extensions, which is then distributed to users.

2. How can I tell if my Chrome extension has been compromised?
Check for unusual behavior in your browser, such as slow performance, unexpected pop-ups, or unauthorized actions in your online accounts. Ensure that all extensions are updated to the latest version, and uninstall any suspicious ones.

3. What should I do if my account has been compromised through a malicious extension?
Immediately update your passwords, enable multi-factor authentication, and review your account activity for any signs of suspicious behavior. It's also important to remove the compromised extension and report it to the appropriate authorities.

4. Are all Chrome extensions vulnerable to this kind of attack?
While most extensions are safe, any extension that requires extensive permissions, such as access to cookies or identity information, can be vulnerable if compromised. Always install extensions from trusted sources and carefully review the permissions they request.

5. Can Google prevent these types of attacks?
Google has taken steps to secure the Chrome Web Store by conducting security reviews for extensions. However, this attack shows that more comprehensive measures are needed, such as better monitoring for suspicious developer activity and improved extension vetting.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Tags : Chrome extension security, malicious code in Chrome extensions, phishing attack Chrome extensions, data theft from Chrome extensions, compromised browser extensions, Cyberhaven security breach, protecting browser extensions, Chrome Web Store phishing attack, security risks browser extensions, hackers hijack Chrome extensions, Chrome extension data exposure, securing Chrome extensions, preventing extension vulnerabilities, malicious extensions data theft, cybersecurity browser extensions

Posted in News on Dec 30, 2024



[SOLVED / FIXED] django.core.exceptions.ImproperlyConfigured: Requested setting AUTH_USER_MODEL

Posted on Mar 27, 2022

[SOLVED / FIXED] django.core.exceptions.ImproperlyConfigured: Requested setting AUTH_USER_MODEL ERROR / PROBLEM: Starting the Python Shell in the terminal inside virtual environment.



Introduction to Multi-Cloud Hosting

Posted in Uncategorized on Jul 29, 2024

Multi-cloud hosting is revolutionizing the way businesses manage their IT infrastructure by leveraging multiple cloud service providers. This strategy offers enhanced reliability, cost efficiency, flexibility, and scalability, making it a popular choice for modern enterprises. While it brings challenges like complexity in management and security concerns, the benefits often outweigh the drawbacks. As technology advances, trends such as AI integration, improved security measures, and the growth of edge computing are set to shape the future of multi-cloud hosting, making it an indispensable approach for businesses aiming for resilience and efficiency in their operations.



Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022

Google Search Impact - Congrats 900 clicks 28 days! - Awesome



Brazil Lifts Ban on X After Elon Musk Pays $5M Fine

Posted in News on Oct 09, 2024

In a major development in Brazil’s tech and social media landscape, the country’s Supreme Court recently lifted a ban on X, the platform formerly known as Twitter. This decision came after a long standoff between the platform, owned by billionaire entrepreneur Elon Musk, and the Brazilian government over issues of disinformation and legal compliance. Musk’s company, X, paid a hefty $5 million fine and complied with court orders, which has led to the platform’s reinstatement in the country. This article delves into the reasons behind the ban, Musk’s response, and how the situation has unfolded, ultimately leading to X’s return to one of its most significant markets.



[SOLVED / FIXED ] Mixing of GROUP columns (MIN(),MAX(),COUNT(),…) with no GROUP columns is illegal if there is no GROUP BY clause. Error in Maria DB

Posted in Technical Solutions on Feb 01, 2021

[SOLVED] Mixing of GROUP columns (MIN(),MAX(),COUNT(),…) with no GROUP columns is illegal if there is no GROUP BY clause. Error in Maria DB



Alibaba Expects AI to Drive More Than Half of Its Cloud Segment Growth

Posted in Uncategorized on Aug 19, 2024

In this article, we explore how Alibaba's investment in AI is driving significant growth in its cloud segment. With a focus on GPU-based AI product development, Alibaba aims to regain its position in the competitive global cloud market. Discover the strategies and challenges the company faces as it navigates the future of cloud computing



How to Install Desktop Environment on CentOS 7 Oracle Cloud Instance

Posted in Technical Solutions on Feb 28, 2021

How to Install Desktop Environment on CentOS 7 Oracle Cloud Instance. This Orcle Cloud guide is also applicable Amazon AWS, Google Cloud and Microsoft Azure,etc



New Samsung Update Warning for Millions of Galaxy Owners: Check Your Phone Now

Posted in News on Oct 28, 2024

Samsung Galaxy owners are facing increased security risks due to delayed software updates and newly discovered vulnerabilities. October's security patch addressed some critical threats, particularly for devices using Exynos processors, but a new vulnerability in Qualcomm chipsets has emerged. Galaxy users should urgently update their devices to protect personal data from unauthorized access. In this blog, learn about Samsung's latest security concerns, including Amnesty International's warnings on targeted attacks and CISA's latest updates. Staying proactive with software updates is essential to keep your device secure in today’s digital landscape.



The Ultimate Guide to Different Types of Web Hosting

Posted in Uncategorized on Jun 24, 2024

Choosing the right web hosting service can be overwhelming, but understanding the differences between shared hosting, VPS hosting, Wordpress hosting, reseller hosting, and cloud hosting can help. Learn about the pros and cons of each option and make an informed decision for your website's needs.



Ransomware attack forces web hosting provider Managed.com

Posted in News on Jan 25, 2021

Ransomware attack forces web hosting provider Managed.com to take servers offline.



Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024

On December 26, 2024, Japan Airlines fell victim to a cyberattack that caused significant disruptions to its operations. The attack, which targeted network equipment, led to delays in domestic and international flights, affecting thousands of passengers. Despite the challenges, JAL swiftly acted to identify and contain the attack, preventing major cancellations. The incident highlights the growing threat of cyberattacks on critical infrastructure and the importance of robust cybersecurity measures to prevent future disruptions.



The Pros and Cons of Using a Free Web Hosting Service

Posted in Uncategorized on Jul 26, 2024

Choosing the right web hosting service is crucial for your online presence. Free web hosting might seem appealing, especially for startups and personal projects, but it's important to weigh its benefits and drawbacks. While cost-effective and user-friendly, free web hosting often comes with limitations in resources, performance, and security. Understanding these pros and cons can help you decide if free web hosting is the right choice for your website.



ACME now uses ZeroSSL, here is what you need to do for your CyberPanel

Posted in Technical Solutions on Jul 02, 2021

ACME now uses ZeroSSL, here is what you need to do for your CyberPanel.



Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024

Texas is pioneering energy innovation with the launch of a 1-gigawatt virtual power plant (VPP) capable of supporting up to 200,000 homes during peak demand. A collaboration between NRG Energy, Renew Home, and Google Cloud, this AI-powered VPP will help Texas address its rising energy needs and boost grid stability. By aggregating energy from distributed sources like smart thermostats, electric vehicles, and home battery storage, the VPP adjusts electricity flow in real-time, optimizing energy use and reducing costs. With free smart thermostats offered to residents, Texas’ VPP empowers households to cut bills while supporting a resilient, eco-friendly energy system.



Comprehensive Guide to Web Hosting and Business Website Creation

Posted in Uncategorized on Jun 25, 2024

Creating a robust online presence is crucial for any business. This guide explores web hosting options, domain registration, and website creation tools. We cover reseller hosting plans, VPS hosting, Magento hosting, and the best hosting providers for small businesses. We also discuss how to create a business website for free and the best platforms for blog hosting



Hosting by AliTech User & Reseller Portal - 2021

Posted in About Hosting by AliTech, News on Oct 17, 2021

Hosting by AliTech User & Reseller Portal coming soon stay tuned. https://bit.ly/3tm3kZ3 https://www.hostingbyalitech.com #hostingbyalitech #alitechsolutions #userportal #resellerportal #coming #soon



Amazon Brings Generative AI-Powered Recaps to Prime Video

Posted in News on Nov 05, 2024

Amazon Prime Video has launched X-Ray Recaps, an AI-driven feature that gives viewers quick, spoiler-free summaries of TV episodes or entire seasons. Initially available for U.S. Fire TV users, the feature helps viewers catch up on plot points without revealing future events. Powered by Amazon's AI technology, including Amazon Bedrock and SageMaker, X-Ray Recaps expands on Prime Video’s X-Ray feature, which provides cast info and trivia, by offering precise, real-time plot recaps at any point during viewing.



[SOLVED / FIXED ] ModuleNotFoundError: No module named 'setuptools_rust'

Posted in Technical Solutions on Apr 09, 2022

[SOLVED / FIXED ] ModuleNotFoundError: No module named 'setuptools_rust' Error: While installing docker-compose the following error can come up: ModuleNotFoundError: No module named 'setuptools_rust'




Other Blogs


Introduction to Multi-Cloud Hosting

Posted in Uncategorized on Jul 29, 2024 and updated on Jul 29, 2024

Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022 and updated on Mar 18, 2022

Brazil Lifts Ban on X After Elon Musk Pays $5M Fine

Posted in News on Oct 09, 2024 and updated on Oct 09, 2024

Alibaba Expects AI to Drive More Than Half of Its Cloud Segment Growth

Posted in Uncategorized on Aug 19, 2024 and updated on Aug 19, 2024

New Samsung Update Warning for Millions of Galaxy Owners: Check Your Phone Now

Posted in News on Oct 28, 2024 and updated on Oct 28, 2024

The Ultimate Guide to Different Types of Web Hosting

Posted in Uncategorized on Jun 24, 2024 and updated on Jun 24, 2024

Ransomware attack forces web hosting provider Managed.com

Posted in News on Jan 25, 2021 and updated on Mar 30, 2022

Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024 and updated on Dec 26, 2024

The Pros and Cons of Using a Free Web Hosting Service

Posted in Uncategorized on Jul 26, 2024 and updated on Jul 26, 2024

Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024 and updated on Nov 14, 2024

Comprehensive Guide to Web Hosting and Business Website Creation

Posted in Uncategorized on Jun 25, 2024 and updated on Jun 25, 2024

Hosting by AliTech User & Reseller Portal - 2021

Posted in About Hosting by AliTech, News on Oct 17, 2021 and updated on Mar 14, 2022

Amazon Brings Generative AI-Powered Recaps to Prime Video

Posted in News on Nov 05, 2024 and updated on Nov 05, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons