Critical Advisory: Google Chrome Extensions Hacked

What Happened?

Cybersecurity firm Cyberhaven was the first known victim to report this Chrome extension compromise. On December 27, Cyberhaven revealed that attackers had injected malicious code into its browser extension, and that the code connected to a command-and-control (C&C) server. The breach followed a phishing attack on a Cyberhaven employee, which gave the attacker access to the employee's Chrome Web Store account. The attacker uploaded a malicious version of the extension, which was removed within 60 minutes.

The attack targeted Chrome browsers with auto-updates, potentially exfiltrating cookies and authenticated session tokens. Cyberhaven advised customers to update to version 24.10.5 or newer, revoke passwords lacking FIDOv2, and review activity logs.

Cyberhaven suspects this attack is part of a larger campaign targeting Chrome extension developers, specifically aiming at social media advertising and AI platform logins.

Why This Matters

It wasn’t just Cyberhaven that was targeted. A Reuters article cites a wide variety of Chrome extension providers that were targeted and compromised so that attackers could release hacker-controlled versions of their extensions over the holidays, when cybersecurity teams are on vacation and the maximum damage can be done. CyberNews reported that 25 extensions, affecting 2 million people, were potentially impacted by this string of targeted attacks.

Chrome extensions are often granted extensive permissions to access sensitive data, such as:

  • Browsing activity.
  • Login credentials.
  • Personal information stored in browsers.

A compromised extension can leverage these permissions to cause significant harm, such as stealing financial details, spreading malware, or compromising corporate networks.

Key Takeaway: A single compromised extension can turn your browser into a gateway for attackers.

Extensions That May Be Compromised:

Here’s an initial list of reported extensions alleged to have been compromised. If you use one of these, either upgrade to a known good version or disable and uninstall it until a known good version has been released.

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMind AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus

How to Protect Yourself

  1. Audit Your Extensions Regularly
    • Remove extensions you no longer use.
    • Research the credibility of extensions before installing them.
  2. Be Alert to Updates
    • Malicious actors often compromise extensions during updates. Monitor update logs for suspicious changes or newly added permissions.
  3. Restrict Permissions
    • Only grant extensions the permissions they need to function. Avoid extensions that ask for excessive access.
  4. Monitor Browser Activity
    • Be wary of unexpected redirects, pop-ups, or unauthorized changes to your browser settings.
  5. Use Reliable Tools
    • Consider using security software or browser tools that detect malicious behavior.
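
Steps 1 to 3 can be partly automated. The script below is an added example, not code from Cyberhaven or any vendor named above: it records each installed extension's version and permissions, then reports what an update added. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension ID>/<version>/manifest.json`; the `BROAD` set and all function names are this example's own choices.

```python
import json
from pathlib import Path

# Permissions that expose cookies, sessions or page content.
# Editorial selection for this example, not an exhaustive list.
BROAD = {"cookies", "webRequest", "scripting", "tabs", "history", "debugger",
         "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Collect API and host permissions from Manifest V2 and V3 keys."""
    perms = set()
    for key in ("permissions", "host_permissions", "optional_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms

def vkey(version):
    """Numeric sort key for dotted versions such as 24.10.5."""
    return [int(part) if part.isdigit() else 0 for part in str(version).split(".")]

def snapshot(ext_root):
    """Map extension ID -> name, version, permissions of the newest manifest on disk."""
    state = {}
    for path in Path(ext_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        ext_id, version = path.parent.parent.name, manifest.get("version", "0")
        if ext_id in state and vkey(state[ext_id]["version"]) >= vkey(version):
            continue
        state[ext_id] = {"name": manifest.get("name", "?"), "version": version,
                         "permissions": sorted(requested(manifest))}
    return state

def changes(baseline, current):
    """List extensions that are new or updated, with the permissions they gained."""
    findings = []
    for ext_id, now in sorted(current.items()):
        before = baseline.get(ext_id, {"version": None, "permissions": []})
        added = set(now["permissions"]) - set(before["permissions"])
        if before["version"] == now["version"] and not added:
            continue
        findings.append({"id": ext_id, "name": now["name"],
                         "from": before["version"], "to": now["version"],
                         "added": sorted(added), "broad_added": sorted(added & BROAD)})
    return findings
```

Save the output of `snapshot()` as JSON on a schedule and pass the previous run as `baseline`; a non-empty `broad_added` on an extension you did not expect to change is the signal to review.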