CyberSecurity news

FlagThis - #chrome

Rounak Jain@feeds.benzinga.com - 61d
Security firm SquareX exposed a significant vulnerability in the OAuth implementation of Google Chrome extensions just days before a major breach occurred. The flaw allowed malicious actors to inject harmful code into extensions using a sophisticated phishing campaign. This campaign involved emails disguised as Chrome Store notifications regarding policy violations, prompting developers to connect their Google account to a fake "Privacy Policy Extension". This fake extension, in turn, granted attackers the ability to edit, update, and publish extensions on the developer's account, effectively hijacking them.

The identified attack vector was demonstrated by SquareX researchers in a video just before a malicious version of Cyberhaven’s browser extension was found on the Chrome store. This malicious extension was available for over 30 hours and affected over 400,000 users before it was removed by Cyberhaven. The incident highlights the increasing risk that browser extensions pose, as most organizations don't monitor what extensions their employees are using, making them a common target for cybercriminals.


References :
  • www.techmeme.com: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December
  • SiliconANGLE: Hackers compromise Chrome extensions with 400,000+ users
  • Techmeme: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December (Reuters)
  • www.channelnewsasia.com: Hackers hijack a wide range of companies' Chrome extensions, experts say.
  • BleepingComputer: At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users.
  • www.bleepingcomputer.com: Cybersecurity firm’s Chrome extension hijacked to steal user data
  • siliconangle.com: Hackers have compromised several popular Chrome extensions with hundreds of thousands of users, TechCrunch reported today.
  • techcrunch.com: Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens
  • infosec.exchange: Data-loss prevention startup Cyberhaven said hackers took over its official Chrome extension, pushing a malicious version designed to steal passwords and session tokens.
  • www.benzinga.com: Google Chrome Users Beware This Holiday Season: Cyber Security Firm's Browser Extension Hijacked By Attackers
  • www.neowin.net: Cyberhaven Chrome extension targeted by hack, company admits
  • gbhackers.com: Cyberhaven, a prominent cybersecurity company, disclosed that its Chrome extension With 400,000+ users was targeted in a malicious cyberattack on Christmas Eve 2024
  • www.engadget.com: Hackers injected malicious code into several Chrome extensions in recent attack
  • gbhackers.com: Cyberhaven Hacked – Chrome Extension With 400,000 users Compromised
  • ciso2ciso.com: 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft – Source:thehackernews.com
  • Dataconomy: Over 600,000 users exposed in Chrome hack: Are you one of them?
  • DMR News: Hackers Use Chrome Extensions to Steal User Data
  • The Hacker News: When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions
  • Mashable: Mashable reports on hackers taking over Google Chrome extensions in a cyberattack.
  • Alex Jimenez: Hackers take over Google Chrome extensions in cyberattack Malicious code was inserted into Chrome extensions in a phishing campaign.
  • bgr.com: Hackers are hijacking Chrome extensions in an attempt to steal your data
  • ciso2ciso.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach – Source:hackread.com
  • The Last Watchdog: SquareX exposes OAuth attack on Chrome extensions, days before a major breach.
  • www.lastwatchdog.com: News alert: SquareX exposes OAuth attack on Chrome extensions — days before a major breach
  • Pyrzout :vm:: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
  • labs.sqrx.com: OAuth Identity Attack — Are your Extensions Affected?
  • osint10x.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
  • iHLS: Massive Ongoing Chrome Extension Hack Affects Over Two Million Users
  • bsky.app: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven. https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
  • www.bleepingcomputer.com: New details have emerged about a phishing campaign targeting Chrome browser extension developers
  • BleepingComputer: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.
  • Pyrzout :vm:: Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft – Source:thehackernews.com
  • ciso2ciso.com: Hacking campaign compromised at least 16 Chrome browser extensions – Source: securityaffairs.com
  • ciso2ciso.com: Dozens of Chrome Browser Extensions Hijacked by Data Thieves – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: ciso2ciso Article on Chrome Browser Extensions Hijacked
  • Latest from TechRadar: The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extensions may have been part of a ‘wider …
  • securityonline.info: In a detailed report from Team Axon—led by Alon Klayman and Uri Kornitzer—researchers have revealed on a sophisticated
Classification:
  • HashTags: #ChromeExtension #ZeroDay #OAuthAttack
  • Company: Google
  • Target: Chrome users
  • Product: Chrome Extensions
  • Feature: OAuth
  • Type: 0Day
  • Severity: Major
@PCWorld - 8d
Google Chrome has introduced a new layer of security, integrating AI into its existing "Enhanced protection" feature. This update provides real-time defense against dangerous websites, downloads, and browser extensions, marking a significant upgrade to Chrome's security capabilities. The AI integration allows for immediate analysis of patterns, enabling the identification of suspicious webpages that may not yet be classified as malicious.

This AI-powered security feature is an enhancement of Chrome's Safe Browsing. The technology apparently enables real-time analysis of patterns to identify suspicious or dangerous webpages. The improved protection also extends to deep scanning of downloads to detect suspicious files.


References :
  • BleepingComputer: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
  • Anonymous :af:: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
  • PCWorld: Google Chrome adds real-time AI protection against dangerous content
Classification:
  • HashTags: #GoogleChrome #AI #Security
  • Company: Google
  • Target: Chrome Users
  • Product: Chrome
  • Feature: real-time AI protection
  • Type: ProductUpdate
  • Severity: Informative
Aman Mishra@gbhackers.com - 2d
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud. GitLab's security team discovered these extensions on the official Google Web Store, where they were used to insert ads and manipulate search engine results.

The malicious extensions operate by checking in with unique configuration servers, transmitting extension versions and hardcoded IDs, and storing configuration data locally. They also create alarms to refresh this data periodically and degrade browser security by stripping Content Security Policy (CSP) protections. Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store. However, users must manually uninstall these extensions as removal from the store does not trigger automatic uninstalls.


References :
  • bsky.app: GitLab's security team has discovered a cluster of 16 malicious Chrome extensions on the official Google Web Store. The extensions were used to insert ads and manipulate search engine results. Over 3.2 million users downloaded the extensions
  • gbhackers.com: A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users. These extensions, which include functionalities like screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud.
  • Cyber Security News: Chrome Under Siege: 16 Malicious Extensions Infect Over 3.2 Million Users
Classification:
  • HashTags: #Chrome #Malware #BrowserSecurity
  • Company: Google
  • Target: Chrome Users
  • Product: Chrome
  • Feature: browser extension
  • Malware: Malicious Chrome Extensions
  • Type: Malware
  • Severity: Medium