
Widespread cyberattack targets Google Chrome extensions, compromises 2.6 million devices
What just happened? Cybersecurity researchers have uncovered a widespread attack on browser extensions in the Chrome Web Store carried out over the holiday season. The campaign hit at least 33 extensions and potentially exposed data from roughly 2.6 million devices. It came to light when Cyberhaven, a data loss prevention vendor, found malicious code embedded in its own Chrome extension.
The attack, which began on Christmas Eve, did not exploit a flaw in Chrome itself; it targeted the developer accounts that publish to the Chrome Web Store. Spear-phishing emails tricked extension developers into handing over access to their accounts, which let the attackers upload malicious versions of popular extensions that Chrome then delivered to users through the normal update channel.
The Cyberhaven extension, designed to stop users from accidentally entering sensitive data into email or websites, was among the first to be compromised. "Our team has confirmed a malicious cyberattack occurred on Christmas Eve that affected Cyberhaven's Chrome extension," the company said in a statement. "Public reports suggest that this attack was part of a broader campaign targeting Chrome extension developers from a wide range of companies."
The compromised version of the Cyberhaven extension, 24.10.4, was live for about 31 hours, from December 25 to 26. During that window, Chrome browsers with the extension installed auto-updated to the malicious build and ran its code. Analysis of the extension showed that it fetched and executed payloads from a malicious site impersonating the official Cyberhaven domain.
Cyberhaven hack reported. An employee was phished and a malicious Chrome extension was distributed.
Command and control:
149.28.124.84
cyberhavenext[.]pro
File hashes:
content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB
worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60
– Christopher Stanley (@cstanley) December 26, 2024
As researchers dug into the attack, they found that it extended far beyond Cyberhaven. John Tuckner, founder of Secure Annex, a company that analyzes and manages browser extensions, said at least 19 other Chrome extensions were compromised in the same way. The attackers reused the same spear-phishing campaign and registered their own lookalike domains to serve payloads and collect authentication credentials.
The collective impact is staggering: the 20-plus affected extensions account for roughly 1.46 million installs. Nor is this an isolated incident. In 2019, a similar campaign targeted Chrome and Firefox extensions, compromising four million devices, including machines on the networks of major companies such as Tesla, Blue Origin and Symantec.
Here is a selection of the extensions known to have been compromised (via Ars Technica, which is tracking further updates). "Version" is the compromised build, "Patch" the fixed build where one has been published, and "Available" whether the extension is still listed in the Chrome Web Store. If you have used any of these, change your passwords and other login credentials and revoke active sessions where the service allows it, since the malicious builds harvested authentication data:
Name | ID | Version | Patch | Available | Users | Start | End |
---|---|---|---|---|---|---|---|
VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | - | false | 10,000 | 12/12/24 | 12/31/24 |
Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | - | true | 40,000 | 12/25/24 | 12/31/24 |
Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | - | true | 40,000 | 12/26/24 | 12/31/24 |
Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | 1.2.0 | true | 10,000 | 12/25/24 | 12/29/24 |
Bookmark Favicon Changer | akmfnomgphgonodopogfbmknipfgnkh | 4.00 | - | true | 40,000 | 12/25/24 | 12/31/24 |
Castorus | mnhffkhmpnefgklngfmlndmkiimimbphc | 4.40 | 4.41 | true | 50,000 | 12/26/24 | 12/27/24 |
Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7 | - | false | 300,000 | 12/18/24 | 12/19/24 |
Tackker – Online Keylogger Tool | ekpkdmohpdnebfedjjfklhpefgpgaaji | 1.3 | 1.4 | true | 10,000 | 10/06/23 | 08/13/24 |
AI Shop Buddy | epikoohpebngmakjinpfiagogjknddm | 2.7.3 | - | true | 4,000 | 04/30/24 | - |
Sort by Oldest | miglaibdlgminlepgeyfekifakohlka | 1.4.5 | - | true | 2,000 | 01/11/24 | - |
Rewards Search Automator | eanofdhdfbcalhflpbdipkjjkoimeeod | 1.4.9 | - | true | 100,000 | 05/04/24 | - |
Earny – Up to 20% Cash Back | ogbhbgkiojdollpjbhbamafmedkeockb | 1.8.1 | - | true | 100,000 | 04/05/23 | - |
ChatGPT Assistant – Smart Search | bgejafhieobnfpjlpcjjggoboebonfcg | 1.1.1 | - | true | 189 | 02/12/24 | - |
Keyboard History Recorder | igbodamhgjohafcenbcljfegbipdfjpk | 2.3 | - | true | 5,000 | 07/29/24 | - |
Email Hunter | mbindhfolmpijhodmgkloeeppmkhpmhc | 1.44 | - | true | 100,000 | 09/17/24 | - |
Visual Effects for Google Meet | Wentfdpcbemnbbcpclbmknkiaem | 3.1.3 | 3.2.4 | true | 900,000 | 06/13/23 | 01/10/24 |
ChatGPT App | lbneaaedflankmgmfbmaplggbmjjmbae | 1.3.8 | - | true | 7,000 | 09/03/24 | - |
Web Mirror | eaijffijbobmnonfhilihbejadplhddo | 2.4 | - | true | 4,000 | 10/13/23 | - |
Hi AI | hmiaoahjllhfgebflooeeeiafpkfde | 1.0.0 | - | true | 229 | 07/29/24 | - |
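As an added example (not code from Cyberhaven, Secure Annex or Ars Technica), the Python script below checks a Chrome profile against the indicators published above: it walks the profile's Extensions/ directory, matches each installed (ID, version) pair against the compromised versions in the table, and hashes every JavaScript file against the two SHA-1 file hashes from the tweet. The Extensions/ on-disk layout and the Linux default profile path are standard Chrome behaviour; the `make_sample_extensions_dir` helper, its placeholder extension ID `abcdefghijklmnopabcdefghijklmnop` and the file contents it writes are constructed for the demo. Only table rows whose IDs survived extraction as well-formed 32-letter IDs are included in the known-bad list.

```python
"""Offline triage for the campaign described above: an added example, not
Cyberhaven's, Secure Annex's or Ars Technica's own tooling.

Chrome unpacks installed extensions as
    <profile>/Extensions/<32-letter id>/<version>_<n>/manifest.json
The scanner walks that tree, flags any (id, version) pair that matches the
compromised versions from the table above, and hashes every .js file against
the two SHA-1 IOCs from the tweet. The known-bad list is the subset of the
table whose IDs survived extraction as well-formed 32-letter IDs.
"""
import hashlib
import json
import re
import sys
import tempfile
from pathlib import Path

# Chrome extension IDs are exactly 32 letters from a-p (a hash encoded in that alphabet).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# (extension id, compromised version) pairs from the table above.
KNOWN_BAD_VERSIONS = {
    ("nnpnnpemnckcfdebeekibpiijlicmpom", "2.0.1"),   # VPNCity
    ("kkodiihpgodmdankclfibbiphjkfdenh", "1.16.2"),  # Parrot Talks
    ("oaikpkmjciadfpddlpjjdapglcihgdle", "1.0.12"),  # Uvoice
    ("dpggmcodlahmljkhlmpgpdcffdaoccni", "1.1.1"),   # Internxt VPN
    ("llimhhconnjiflfimocjggfjdlmlhblm", "1.5.7"),   # Reader Mode
    ("ekpkdmohpdnebfedjjfklhpefgpgaaji", "1.3"),     # Tackker
    ("eanofdhdfbcalhflpbdipkjjkoimeeod", "1.4.9"),   # Rewards Search Automator
    ("ogbhbgkiojdollpjbhbamafmedkeockb", "1.8.1"),   # Earny
    ("bgejafhieobnfpjlpcjjggoboebonfcg", "1.1.1"),   # ChatGPT Assistant - Smart Search
    ("igbodamhgjohafcenbcljfegbipdfjpk", "2.3"),     # Keyboard History Recorder
    ("mbindhfolmpijhodmgkloeeppmkhpmhc", "1.44"),    # Email Hunter
    ("lbneaaedflankmgmfbmaplggbmjjmbae", "1.3.8"),   # ChatGPT App
    ("eaijffijbobmnonfhilihbejadplhddo", "2.4"),     # Web Mirror
}

# 40-hex-digit (SHA-1) hashes of the files inside the malicious Cyberhaven 24.10.4 build.
KNOWN_BAD_SHA1 = {
    "ac5cc8bcc05ac27a8f189134c2e3300863b317fb",  # content.js
    "0b871bdee9d8302a48d6d6511228caf67a08ec60",  # worker.js
}


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large bundles do not load into memory."""
    h = hashlib.sha1()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extensions_dir(extensions_dir, bad_versions=KNOWN_BAD_VERSIONS, bad_sha1=KNOWN_BAD_SHA1):
    """Return one finding per installed (id, version) that matches a bad version or an IOC hash."""
    findings = []
    for id_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        ext_id = id_dir.name
        if not EXT_ID_RE.match(ext_id):
            continue  # e.g. Chrome's Temp/ directory, not an extension
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            # Prefer the manifest's version; fall back to the "<version>_<n>" directory name.
            version = ver_dir.name.split("_", 1)[0]
            manifest = ver_dir / "manifest.json"
            if manifest.is_file():
                try:
                    version = json.loads(manifest.read_text(encoding="utf-8")).get("version", version)
                except (ValueError, OSError, AttributeError):
                    pass  # unreadable manifest: keep the directory-name version
            reasons = []
            if (ext_id, version) in bad_versions:
                reasons.append(f"known compromised version {version}")
            for js in sorted(ver_dir.rglob("*.js")):
                digest = sha1_of(js)
                if digest in bad_sha1:
                    reasons.append(f"IOC hash match: {js.relative_to(ver_dir)} {digest}")
            if reasons:
                findings.append({"id": ext_id, "version": version, "path": str(ver_dir), "reasons": reasons})
    return findings


def make_sample_extensions_dir():
    """Constructed Extensions/ tree (not real extension code) for exercising the scanner offline."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    layout = {
        "nnpnnpemnckcfdebeekibpiijlicmpom/2.0.1_0": ("2.0.1", "background.js"),    # VPNCity at its bad version
        "kkodiihpgodmdankclfibbiphjkfdenh/1.16.3_0": ("1.16.3", "background.js"),  # Parrot Talks, later version
        "abcdefghijklmnopabcdefghijklmnop/1.0.0_0": ("1.0.0", "worker.js"),        # hypothetical id, clean version
    }
    for rel, (version, js_name) in layout.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"manifest_version": 3, "version": version}), encoding="utf-8")
        (d / js_name).write_text(f"// constructed stand-in for {rel}\n", encoding="utf-8")
    (root / "Temp").mkdir()  # Chrome keeps a non-extension Temp/ here; the scanner must skip it
    return root


if __name__ == "__main__":
    # Default to the Linux Chrome profile path; pass another Extensions/ directory as argv[1].
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".config/google-chrome/Default/Extensions"
    if not target.is_dir():
        sys.exit(f"not a directory: {target}")
    hits = scan_extensions_dir(target)
    for hit in hits:
        print(hit["id"], hit["version"], "->", "; ".join(hit["reasons"]))
    print(f"{len(hits)} suspicious extension version(s) found")
```

Run it with no arguments against the default Linux profile, or pass the Extensions/ directory of another profile or operating system. A version match means the compromised build is still on disk and is grounds to rotate credentials; a hash match is the stronger signal because it finds the malicious files themselves regardless of the version string. The two SHA-1 IOCs cover only the Cyberhaven payload: the other extensions' payloads were served from their own lookalike domains and no hashes for them appear on this page.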
Further investigation revealed an even more alarming trend. One of the compromised extensions, Reader Mode, was also part of a separate campaign dating back to at least April 2023. That earlier compromise involved a monetization code library that collected detailed data about every web page visit made through the browser. Tuckner identified 13 Chrome extensions, with a combined 1.14 million installations, that used this library to collect potentially sensitive data.
The incident has sparked debate about how best to protect browser extensions. Tuckner suggests one potential mitigation: organizations can enforce a browser extension allowlist, so that only approved extensions can be installed and everything else is blocked.
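One concrete way to implement that allowlist is Chrome's managed `ExtensionSettings` policy. The Python below is an added example (not Secure Annex's or Google's code) that generates the default-deny policy file: the `*` entry blocks everything, and named IDs are either allowed or force-installed from the Web Store. The policy keys, the `/etc/opt/chrome/policies/managed/` location on Linux and the Web Store update URL are documented Chrome behaviour; the two extension IDs in the `__main__` section are placeholders, not real extensions.

```python
"""Enforce a browser extension allowlist through Chrome's ExtensionSettings policy.

Added example, not Secure Annex's or Google's code. On Linux, Chrome reads
managed policy from JSON files under /etc/opt/chrome/policies/managed/
(Windows uses the registry and macOS a managed plist); the file this writes
is what an admin would drop there. "*" with installation_mode "blocked"
denies every extension not listed, "allowed" lets users install the listed
ones, and "force_installed" pushes them out fleet-wide from the Web Store.
"""
import json
import re
from pathlib import Path

# Chrome extension IDs are exactly 32 letters from a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _check_id(ext_id):
    """Reject anything that cannot be a Chrome extension ID before it lands in policy."""
    if not EXT_ID_RE.match(ext_id):
        raise ValueError(f"not a Chrome extension id: {ext_id!r}")


def build_extension_policy(allowed_ids, force_installed_ids=(),
                           message="Extension blocked by policy; ask IT to review it."):
    """Return the ExtensionSettings policy object: default-deny plus the named exceptions."""
    settings = {"*": {"installation_mode": "blocked", "blocked_install_message": message}}
    for ext_id in allowed_ids:
        _check_id(ext_id)
        settings[ext_id] = {"installation_mode": "allowed"}
    for ext_id in force_installed_ids:
        _check_id(ext_id)
        # force_installed requires an update_url; the Web Store one serves CRX updates.
        settings[ext_id] = {"installation_mode": "force_installed", "update_url": WEB_STORE_UPDATE_URL}
    return {"ExtensionSettings": settings}


def write_policy(policy, path):
    """Write the policy as a managed-policy JSON file and return the path written."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return path


if __name__ == "__main__":
    # Placeholder IDs (hypothetical, not real extensions): one user-installable, one pushed to everyone.
    policy = build_extension_policy(
        allowed_ids=["abcdefghijklmnopabcdefghijklmnop"],
        force_installed_ids=["ponmlkjihgfedcbaponmlkjihgfedcba"],
    )
    print(json.dumps(policy, indent=2))
    # Installing it for real needs root and a Chrome restart or policy refresh:
    # write_policy(policy, "/etc/opt/chrome/policies/managed/extensions.json")
```

One caveat a practitioner should keep in mind: an allowlist controls which extensions may be installed, not which versions. Allowed extensions still auto-update from the Web Store, so an organization that had allowlisted Cyberhaven would still have received the malicious 24.10.4 build. The allowlist limits the number of developer accounts whose compromise can reach your fleet; it needs to be paired with version and hash checks like the scanner above to catch the remaining cases.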
2025-01-05 18:39:00