Hackers Strike Chrome Extensions – Your Personal Info Exposed


Recent cybersecurity breaches highlight the risks inherent in seemingly benign Chrome extensions, threatening the personal data of millions.

At a Glance

  • Over 36 Google Chrome extensions were compromised, affecting 2.6 million users.
  • Phishing campaigns targeted extension publishers, inserting malicious code.
  • The attack involved communication with external servers, exfiltrating user data.
  • Some extensions have been updated or removed, but the threat persists on any device where the compromised version is still installed.

Major Security Breach Detected

Cybersecurity analysts discovered a widespread attack on Google Chrome extensions. 36 extensions were compromised, affecting at least 2.6 million users. The attackers phished extension developers and used the stolen access to inject malicious code that siphoned user data.

This breach highlights the inherent vulnerabilities in browser extensions, often trusted blindly by users. Researchers found that the compromised extensions communicated with external command-and-control servers, executing additional downloads and data exfiltration.

The Anatomy of the Cyberattack

Cyberhaven disclosed the issue after a phishing attack on one of its employees on December 24 led to a malicious version of its extension being uploaded. The malicious version passed the Chrome Web Store’s security review and was approved without being noticed.

“The attacker gained requisite permissions via the malicious application (‘Privacy Policy Extension’) and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.” – Cyberhaven

The data exposure stems largely from the extensive permissions granted to these extensions. Some extensions may also have gathered data as part of SDK monetization schemes, not only because of the compromise.

The Larger Picture: Implications and Responses

The incident exposes critical lapses in the Chrome Web Store’s review process. Developers, who are easy targets because their contact details are published for bug reporting, need stronger safeguards.

“Browser extensions are the soft underbelly of web security. Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more. Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure.”
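One way to close the visibility gap the quote describes is to inventory installed extensions and flag those that combine sensitive API permissions with broad host access. The script below is an added example, not code from the article or from Cyberhaven; it reads Chrome’s per-profile `Extensions/<id>/<version>/manifest.json` layout, and the sample manifests are constructed for the demo.

```python
import json
from pathlib import Path

# API permissions that expose the data the article names: cookies, tokens, page content.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "tabs", "history",
    "identity", "scripting", "declarativeNetRequest",
}
# Host match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Summarise one manifest.json (Manifest V2 or V3) as a risk record."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts here
    # MV2 mixes host match patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):  # injected scripts also grant host access
        hosts |= set(cs.get("matches", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    broad = bool(hosts & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "?"),  # localized names appear as __MSG_..__ placeholders
        "version": manifest.get("version", "?"),
        "sensitive_permissions": sensitive,
        "broad_host_access": broad,
        "review": broad and bool(sensitive),  # both together warrant a manual look
    }


def audit_profile(user_data_dir: str, profile: str = "Default") -> list:
    """Walk <user_data_dir>/<profile>/Extensions/<id>/<version>/manifest.json."""
    results = []
    for mf in sorted(Path(user_data_dir, profile, "Extensions").glob("*/*/manifest.json")):
        record = assess_manifest(json.loads(mf.read_text(encoding="utf-8")))
        record["id"] = mf.parents[1].name  # the 32-character extension id directory
        results.append(record)
    return results


# Constructed sample manifests for the demo; these are not real extensions.
SAMPLE_MANIFESTS = [
    {"name": "Tab Counter", "version": "1.0", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "Page Helper", "version": "2.3", "manifest_version": 3,
     "permissions": ["cookies", "scripting", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Legacy Clipper", "version": "0.9", "manifest_version": 2, "permissions": ["tabs", "https://*/*"]},
]

if __name__ == "__main__":
    for r in map(assess_manifest, SAMPLE_MANIFESTS):
        flag = "REVIEW" if r["review"] else "ok"
        print(f"{flag:7}{r['name']} {r['version']} perms={r['sensitive_permissions']} broad={r['broad_host_access']}")
```

On a real endpoint, point `audit_profile` at the Chrome user-data directory (for example `~/.config/google-chrome` on Linux) and compare the flagged ids and versions against the vendor’s published list of compromised releases.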

The campaign has reportedly been running since April 2023 and relied on domains registered well before the attack surfaced, pointing to long-standing weaknesses. The perpetrators remain unidentified, and the exposure may overlap with similar attacks, such as those targeting Google Drive and OneDrive.