A new and sophisticated attack campaign has compromised at least 16 popular Chrome browser extensions, placing over 600,000 users at risk of data exposure and credential theft.
This campaign exploited trusted extensions by targeting their publishers via phishing attacks, inserting malicious code into otherwise legitimate software, and stealing sensitive information such as cookies and user access tokens.
The Scope of the Attack
The first public disclosure of this incident came from Cyberhaven, a cybersecurity firm whose own browser extension was among those affected.
On December 27, Cyberhaven revealed that a threat actor had compromised its extension by injecting malicious code that connected to an external Command and Control (C&C) server hosted on the domain cyberhavenext[.]pro.
The compromised extension was programmed to download additional configuration files and exfiltrate user data, potentially exposing sensitive credentials.
Cyberhaven acted quickly to remove the malicious version of the extension within 24 hours. Unfortunately, other impacted extensions are still being identified, and many remain vulnerable until they are updated or removed from users’ devices.
Additional browser extensions currently suspected of having been compromised include:
- AI Assistant – ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
The Risks of Browser Extensions
Browser extensions are integral to modern browsing, enhancing functionality and productivity. However, they also represent a significant security risk.
They often require extensive permissions that give them access to sensitive data: cookies and access tokens, which maintain user sessions, as well as identity information such as email addresses and stored credentials.
When these permissions are exploited by threat actors, the potential for damage is enormous.
Though Cyberhaven successfully removed the malicious extension from the Chrome Web Store, the danger isn’t over.
This means that users who installed the malicious version before its removal remain at risk until they update or uninstall it.
Key Takeaways for Users
- Regularly check for updates or uninstall unused browser extensions.
- Be wary of granting extensions unnecessary permissions.
- Use robust security tools to monitor browser activity and detect anomalies.
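The first and second takeaways can be turned into a concrete check. The script below is an added example written for this page, not code from the article, Cyberhaven or The Hacker News. It walks Chrome's on-disk extension directory (by default `~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json` on Linux; other platforms and profiles differ), flags any extension whose name appears in the list above, and reports permissions that grant access to the session material this campaign targeted (the `cookies` API and broad host patterns such as `<all_urls>`). The two manifests it audits when run without arguments are constructed samples, and the extension ids in them are placeholders.

```python
"""Audit installed Chrome extensions for known-compromised names and
high-risk permissions. Added example; not from the article or Cyberhaven."""
import json
import sys
import tempfile
from pathlib import Path

# Extension names the article lists as compromised or suspected compromised.
COMPROMISED_NAMES = {
    "AI Assistant - ChatGPT and Gemini for Chrome", "Bard AI Chat Extension",
    "GPT 4 Summary with OpenAI", "Search Copilot AI Assistant for Chrome",
    "TinaMind AI Assistant", "Wayin AI", "VPNCity", "Internxt VPN",
    "Vindoz Flex Video Recorder", "VidHelper Video Downloader",
    "Bookmark Favicon Changer", "Castorus", "Uvoice", "Reader Mode",
    "Parrot Talks", "Primus",
}
_COMPROMISED_LOWER = {n.lower() for n in COMPROMISED_NAMES}

# API permissions that expose session material or let code act on every page.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                         "tabs", "history", "clipboardRead", "debugger", "management"}
# Host patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a localized name such as '__MSG_appName__' via _locales/."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    msg_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    if msg_file.is_file():
        messages = json.loads(msg_file.read_text(encoding="utf-8"))
        return messages.get(name[6:-2], {}).get("message", name)
    return name


def audit_manifest(ext_dir: Path, manifest: dict) -> dict:
    """Summarize one manifest: known-bad name and permissions worth reviewing."""
    name = resolve_name(ext_dir, manifest)
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    risky_apis = sorted(p for p in declared if p in HIGH_RISK_PERMISSIONS)
    broad_hosts = sorted(p for p in declared if p in BROAD_HOST_PATTERNS)
    return {
        "name": name,
        "version": manifest.get("version", "?"),
        "known_compromised": name.lower() in _COMPROMISED_LOWER,
        "risky_apis": risky_apis,
        "broad_hosts": broad_hosts,
        # Cookie access or all-site content scripts are enough to lift session tokens.
        "can_read_session_material": "cookies" in risky_apis or bool(broad_hosts),
    }


def audit_extension_root(root: Path) -> list:
    """Walk <root>/<extension-id>/<version>/manifest.json as Chrome lays it out."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        finding = audit_manifest(ext_dir, manifest)
        finding["id"] = ext_dir.parent.name  # placeholder ids in the sample below
        findings.append(finding)
    return findings


def build_sample_root(root: Path) -> None:
    """Write two constructed manifests (not real extensions) for demonstration."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/2.1.0": {
            "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
            "version": "2.1.0", "permissions": ["cookies", "storage", "tabs"],
            "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/0.3.1": {
            "manifest_version": 3, "name": "Example Notes", "version": "0.3.1",
            "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        ext_dir = root / rel
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    # The localized name of the first sample resolves to a name from the article's list.
    loc = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.1.0" / "_locales" / "en"
    loc.mkdir(parents=True)
    (loc / "messages.json").write_text(
        json.dumps({"appName": {"message": "Reader Mode"}}), encoding="utf-8")


def run_demo() -> list:
    """Build the constructed samples in a temp dir and audit them."""
    root = Path(tempfile.mkdtemp())
    build_sample_root(root)
    return audit_extension_root(root)


if __name__ == "__main__":
    # Pass a real Extensions directory as argv[1]; otherwise audit the samples.
    findings = audit_extension_root(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for f in findings:
        flag = "COMPROMISED" if f["known_compromised"] else (
            "REVIEW" if f["can_read_session_material"] else "ok")
        print(f"{flag:12} {f['name']} {f['version']} apis={f['risky_apis']} hosts={f['broad_hosts']}")
```

Run it against a real profile with `python audit_extensions.py ~/.config/google-chrome/Default/Extensions`. A name match is only as good as the list it is compared against, so the `REVIEW` flag matters more over time: an extension that can read cookies or inject into every site is exactly the kind that becomes dangerous the moment its publisher's account is phished, whether or not it is on any published list.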
Source: The Hacker News