Hackers Hijacked Chrome Extensions to Inject Malicious Code



Introduction

In recent cybersecurity news, hackers have infiltrated Chrome extensions, compromising over 600,000 users. A sophisticated attack targeted at least 16 popular extensions has raised alarms regarding the vulnerability of browser extensions, which are often trusted yet can be exploited for data theft. The attack was discovered in late December 2024 and is linked to a broader phishing campaign that gave cybercriminals access to developers' accounts on the Chrome Web Store. These breaches highlight the growing threat to users' sensitive data and privacy through seemingly harmless browser add-ons.

Understanding the Attack on Chrome Extensions

Cybercriminals employed a well-crafted phishing campaign to compromise several well-known Chrome extensions, which are small programs that enhance the functionality of the browser. The attackers targeted developers of these extensions, using phishing emails to trick them into giving up their credentials. With this access, they were able to inject malicious code into legitimate extensions, which were then made available on the Chrome Web Store.

The Scope of the Breach

The cyberattack affected over 600,000 users worldwide, with the compromised extensions stealing sensitive data such as cookies and access tokens. The attack primarily targeted business accounts, particularly those linked to social media advertising platforms and AI tools. The first known victim was Cyberhaven, a data protection firm based in California. On Christmas Eve 2024, one of their employees was tricked into clicking a malicious link that granted hackers access to their developer account.

How the Hackers Gained Access

The attack began with a phishing email that appeared to come from the Chrome Web Store Developer Support team. The email claimed that an extension was at risk of being removed due to a policy violation, urging the recipient to click a link to resolve the issue. This link redirected the developer to a fake page that prompted them to authorize a malicious OAuth application named “Privacy Policy Extension.” Once the permissions were granted, the attackers gained control and uploaded a version of the Cyberhaven extension with malicious code.

Malicious Code and Its Impact

Once published, the compromised extensions communicated with a remote server controlled by the hackers. This server was responsible for receiving and transmitting stolen data, such as cookies and user session tokens. The malicious code was designed to exfiltrate sensitive information and send it back to the cybercriminals, giving them access to Facebook business accounts, AI platforms, and other valuable targets.

The Extent of Affected Extensions

While Cyberhaven was the first to discover the breach, further investigation revealed that other popular Chrome extensions had also been compromised. These included AI-related extensions like “AI Assistant – ChatGPT and Gemini for Chrome” and “Bard AI Chat Extension,” VPN tools such as “VPNCity” and “Internxt VPN,” and productivity extensions like “VidHelper Video Downloader” and “Reader Mode.” These extensions spanned multiple categories, showing that the attack was both opportunistic and widespread.

Timeline of the Attack

The malicious code was active for approximately 25 hours, from December 24 to December 26, 2024. During this period, any Chrome installations that automatically updated their extensions were vulnerable to the attack. Cyberhaven detected the breach on Christmas Day and quickly removed the malicious extension

the permissions granted to extensions are often broad, allowing them to operate without strict oversight. This makes them a prime target for hackers who exploit these permissions to infiltrate systems and steal sensitive data.

The Role of Google in Addressing the Issue

Once Cyberhaven detected the malicious extension and removed it, Google took swift action. However, security experts emphasize that the presence of the compromised extension on user devices for 24 hours poses a significant risk. Even after the extension was removed from the Chrome Web Store, users who had already updated their browsers with the compromised extension remained vulnerable to continued data exfiltration. This highlights the challenges of securing browser extensions once they have been published and downloaded by users.

Why Was Cyberhaven Targeted?

Cyberhaven’s extension was likely targeted due to the nature of the company’s business. As a data protection company, it provides services to businesses that store and process sensitive information. This made it an appealing target for cybercriminals seeking access to corporate accounts, especially in the advertising and AI industries. The attackers were able to steal user credentials, which could then be used for malicious activities, such as unauthorized access to social media accounts or data manipulation.

The Broader Campaign: Multiple Extensions Affected

As cybersecurity experts continued their investigations, more extensions were discovered to be part of the same attack campaign. The malware was injected into a wide range of extensions across different categories. These included productivity tools, video downloaders, AI assistants, and even extensions offering cashback deals. The broad selection of affected extensions indicates that the attackers were casting a wide net, hoping to maximize the number of compromised users.

How Users Can Protect Themselves

In the wake of the breach, users are advised to take immediate steps to protect their data. This includes updating Chrome extensions to the latest versions, reviewing installed extensions to ensure they are from reputable sources, and being cautious about granting permissions to new or unfamiliar extensions. Users should also rotate passwords, particularly for accounts linked to social media or business platforms, and monitor their activity for any signs of suspicious behavior.

The Importance of Regular Updates and Vetting Extensions

This breach underscores the importance of regularly updating browser extensions and vetting their sources. While the Chrome Web Store conducts security reviews for new extensions, these measures are not foolproof. Developers must implement strong security practices, including periodic code audits, and ensure that they are using multi-factor authentication and other protective measures to safeguard their developer accounts.

Lessons for Extension Developers and Users

For extension developers, this attack serves as a wake-up call to prioritize security in their code and in the permissions they request. They must be vigilant against phishing attempts and implement safeguards to prevent unauthorized access to their accounts. For users, the attack highlights the need for greater caution when installing or updating extensions. It's crucial to scrutinize the permissions requested by extensions and avoid installing those that ask for unnecessary access to sensitive data.

Conclusion: A Wake-Up Call for Browser Security

This attack serves as a critical reminder of the vulnerabilities associated with browser extensions. While these tools enhance our browsing experience, they also present significant security risks if not properly managed. Both users and developers must adopt a more proactive approach to extension security, ensuring that they are continually updated, carefully monitored, and sourced from reputable developers. The Cyberhaven breach, and the subsequent exposure of other extensions, should serve as a catalyst for broader industry discussions on how to better secure browser extensions against evolving cyber threats.

FAQs

1. How do hackers compromise Chrome extensions?
Hackers often use phishing campaigns to gain access to developers' accounts on the Chrome Web Store. Once inside, they can inject malicious code into legitimate extensions, which is then distributed to users.

2. How can I tell if my Chrome extension has been compromised?
Check for unusual behavior in your browser, such as slow performance, unexpected pop-ups, or unauthorized actions in your online accounts. Ensure that all extensions are updated to the latest version, and uninstall any suspicious ones.

3. What should I do if my account has been compromised through a malicious extension?
Immediately update your passwords, enable multi-factor authentication, and review your account activity for any signs of suspicious behavior. It's also important to remove the compromised extension and report it to the appropriate authorities.

4. Are all Chrome extensions vulnerable to this kind of attack?
While most extensions are safe, any extension that requires extensive permissions, such as access to cookies or identity information, can be vulnerable if compromised. Always install extensions from trusted sources and carefully review the permissions they request.

5. Can Google prevent these types of attacks?
Google has taken steps to secure the Chrome Web Store by conducting security reviews for extensions. However, this attack shows that more comprehensive measures are needed, such as better monitoring for suspicious developer activity and improved extension vetting.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Tags : Chrome extension security, malicious code in Chrome extensions, phishing attack Chrome extensions, data theft from Chrome extensions, compromised browser extensions, Cyberhaven security breach, protecting browser extensions, Chrome Web Store phishing attack, security risks browser extensions, hackers hijack Chrome extensions, Chrome extension data exposure, securing Chrome extensions, preventing extension vulnerabilities, malicious extensions data theft, cybersecurity browser extensions

Posted in News on Dec 30, 2024



Hackers Hijacked Chrome Extensions to Inject Malicious Code

Posted in News on Dec 30, 2024

Hackers have hijacked at least 16 popular Chrome extensions, exposing over 600,000 users to potential data theft. The attack targeted known extensions through a phishing campaign, allowing attackers to inject malicious code that stole sensitive information such as cookies and session tokens. Cybersecurity experts have identified a wide range of affected extensions, including those related to AI tools, VPNs, and productivity. This breach highlights the vulnerability of browser extensions and the need for better security practices.



Coursera is offering 9 free courses with Certificate on their 9th Birthday

Posted on Apr 15, 2021

Coursera is offering 9 free courses with Certificate on their 9th Birthday Earn a free certificate in one of 9 specially selected courses! This special offer* is available through April 30.



Apple's New AirPods are Also Hearing Aids

Posted in News on Sep 10, 2024

Apple's latest AirPods Pro 2 aren’t just wireless headphones—they now double as clinical-grade hearing aids. This innovation could revolutionize how people with mild to moderate hearing loss access care. With a built-in hearing test and machine learning technology, these AirPods can adjust sound frequencies in real-time, making conversations clearer and enhancing the overall listening experience. At $249, they’re also a much more affordable option compared to traditional hearing aids, making hearing assistance accessible to a broader audience. However, they do have limitations, including shorter battery life and unsuitability for severe hearing loss.



WordPress Hosting & Management

Posted on Nov 04, 2024

Choosing the right WordPress hosting service is one of the most critical decisions you’ll make when building a website. The hosting provider you select can impact your site’s speed, security, and reliability. With so many options available, understanding the different types of WordPress hosting can help you make an informed choice. This guide will delve into the various aspects of WordPress hosting and management, providing insights that can empower you to create a successful online presence.



The Role of Artificial Intelligence in Hollywood: Ben Affleck’s Perspective

Posted in News on Nov 26, 2024

Ben Affleck, the renowned actor and director, shared his perspective on artificial intelligence's role in Hollywood, emphasizing that AI can streamline laborious tasks but cannot replace human creativity. Speaking at CNBC’s Delivering Alpha 2024 summit, Affleck highlighted AI's limitations in originality and its inability to replicate the emotional depth achieved through human interaction. While optimistic about AI reducing filmmaking costs and democratizing the industry, he stressed its role as a tool, not a creator. Affleck’s nuanced insights provide a balanced view of AI as a complement to human creativity rather than a replacement.



How to Install Desktop Environment on CentOS 7 Oracle Cloud Instance

Posted in Technical Solutions on Feb 28, 2021

How to Install Desktop Environment on CentOS 7 Oracle Cloud Instance. This Orcle Cloud guide is also applicable Amazon AWS, Google Cloud and Microsoft Azure,etc



General Motors (GM) Lays Off Over 1,000 Salaried Software, Services Employees

Posted in News on Aug 20, 2024

General Motors (GM) has announced the layoff of over 1,000 salaried employees from its software and services divisions, signaling a major shift in its strategic focus. The cuts, affecting both domestic and international positions, come as GM aims to streamline operations and prioritize high-impact projects such as enhancing its Super Cruise driver assistance system and exploring artificial intelligence. This move follows a review after the departure of former executive Mike Abbott and reflects GM's broader push towards innovation in the rapidly evolving automotive sector.



Breaking! NFTs Coming to Instagram-META-Facebook Mark Zuckerberg - 2022

Posted in News on Mar 24, 2022

NFTs Coming to Instagram Soon, Says META - Facebook CEO Mark Zuckerberg According to news reports, Zuckerberg said, “We’re working...



Cloud Platform - Add Swap File on CentOS 7

Posted in Technical Solutions on Feb 28, 2021

Cloud Platform - Add Swap File on CentOS 7, I will start with adding 4GB of swapfile, to check 4GB equivalent to KB I will use below site.



Chrome's 'Listen to this page' Now Lets You Hear Articles While Doing Other Tasks

Posted in News on Oct 21, 2024

Google Chrome has introduced an updated version of its "Listen to this page" feature, now allowing users to listen to web articles while multitasking. The new background playback feature ensures that audio continues even when switching apps or locking the phone, making it more convenient for busy users. This update, part of Chrome 130 for Android, includes enhanced controls, customizable voice options, and seamless integration with notifications for easy access. Perfect for professionals and users who prefer listening over reading, this feature boosts both accessibility and productivity.



Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024

On December 26, 2024, Japan Airlines fell victim to a cyberattack that caused significant disruptions to its operations. The attack, which targeted network equipment, led to delays in domestic and international flights, affecting thousands of passengers. Despite the challenges, JAL swiftly acted to identify and contain the attack, preventing major cancellations. The incident highlights the growing threat of cyberattacks on critical infrastructure and the importance of robust cybersecurity measures to prevent future disruptions.



[SOLVED / FIXED] django.core.exceptions.ImproperlyConfigured: Requested setting AUTH_USER_MODEL

Posted on Mar 27, 2022

[SOLVED / FIXED] django.core.exceptions.ImproperlyConfigured: Requested setting AUTH_USER_MODEL ERROR / PROBLEM: Starting the Python Shell in the terminal inside virtual environment.



Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022

Google Search Impact - Congrats 900 clicks 28 days! - Awesome



Green Web Hosting: Eco-Friendly Solutions for a Sustainable Future

Posted in Uncategorized on Jul 22, 2024

Discover the benefits of green web hosting and how it can contribute to a more sustainable future. Green web hosting focuses on using energy-efficient technologies, renewable energy sources, and sustainable practices to minimize environmental impact. Learn why choosing an eco-friendly web host not only supports corporate social responsibility but also helps in reducing your carbon footprint. Explore how to select the right green web hosting provider and make a positive difference with your online presence.



Alibaba Cloud Completes 500 Petabyte Data Migration for Xiaohongshu

Posted in News on Nov 12, 2024

Explore the story behind China’s largest data migration as Alibaba Cloud completes a record-breaking 500-petabyte data migration for Xiaohongshu, China’s popular social media and lifestyle platform. Learn why this migration was necessary, how Alibaba Cloud handled complex challenges, and the lasting impact on both companies and China’s cloud industry. This in-depth article covers the technical, strategic, and future-focused aspects of this monumental project.



Ransomware attack forces web hosting provider Managed.com

Posted in News on Jan 25, 2021

Ransomware attack forces web hosting provider Managed.com to take servers offline.



Google’s $2.7 Billion Move to Rehire AI Genius: Noam Shazeer's Return to the Search Giant

Posted in News on Sep 26, 2024

In the rapidly evolving landscape of Artificial Intelligence, Noam Shazeer's return to Google in a staggering $2.7 billion deal marks a significant turning point. Once a key player at Google, Shazeer left in frustration over the company's cautious approach to AI innovation. He co-founded Character.AI, which achieved remarkable success in creating conversational agents. However, as competition in AI intensified, Google recognized the value of Shazeer's expertise and technology, leading to a strategic acquisition aimed at revitalizing its AI capabilities. His role in developing Gemini, Google’s next-gen AI model, could redefine the company's position in the fiercely competitive AI market.



Meta Connect 2024: A Deep Dive into Meta's New AI Features and Llama 3.2

Posted in News on Sep 27, 2024

Meta Connect 2024 unveiled a suite of groundbreaking AI features that are set to reshape user experiences across Meta's apps. At the heart of these innovations is Llama 3.2, Meta’s latest large language model with multimodal capabilities, allowing it to process both text and images. This model powers everything from intuitive image editing to real-time voice interactions and seamless translation. Additionally, Meta's AI Studio lets users create lifelike chatbots, while the introduction of AI-powered voice assistants and real-time dubbing highlights Meta's commitment to pushing the boundaries of artificial intelligence




Other Blogs


Hackers Hijacked Chrome Extensions to Inject Malicious Code

Posted in News on Dec 30, 2024 and updated on Dec 30, 2024

Coursera is offering 9 free courses with Certificate on their 9th Birthday

Posted on Apr 15, 2021 and updated on Apr 15, 2021

Apple's New AirPods are Also Hearing Aids

Posted in News on Sep 10, 2024 and updated on Sep 10, 2024

WordPress Hosting & Management

Posted on Nov 04, 2024 and updated on Nov 04, 2024

The Role of Artificial Intelligence in Hollywood: Ben Affleck’s Perspective

Posted in News on Nov 26, 2024 and updated on Nov 26, 2024

General Motors (GM) Lays Off Over 1,000 Salaried Software, Services Employees

Posted in News on Aug 20, 2024 and updated on Aug 20, 2024

Breaking! NFTs Coming to Instagram-META-Facebook Mark Zuckerberg - 2022

Posted in News on Mar 24, 2022 and updated on Mar 24, 2022

Cloud Platform - Add Swap File on CentOS 7

Posted in Technical Solutions on Feb 28, 2021 and updated on Aug 26, 2022

Chrome's 'Listen to this page' Now Lets You Hear Articles While Doing Other Tasks

Posted in News on Oct 21, 2024 and updated on Oct 21, 2024

Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024 and updated on Dec 26, 2024

Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022 and updated on Mar 18, 2022

Green Web Hosting: Eco-Friendly Solutions for a Sustainable Future

Posted in Uncategorized on Jul 22, 2024 and updated on Jul 22, 2024

Alibaba Cloud Completes 500 Petabyte Data Migration for Xiaohongshu

Posted in News on Nov 12, 2024 and updated on Nov 12, 2024

Ransomware attack forces web hosting provider Managed.com

Posted in News on Jan 25, 2021 and updated on Mar 30, 2022

Meta Connect 2024: A Deep Dive into Meta's New AI Features and Llama 3.2

Posted in News on Sep 27, 2024 and updated on Sep 27, 2024

WordPress Hosting & Management

Posted on Nov 04, 2024

WordPress Hosting & Management

Posted on Nov 04, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons