2.5M Users at Risk After 25+ Chrome Browser Extensions Were Hacked

Cybercriminals have launched a massive attack on Chrome browser extensions, potentially compromising the data of over 2.5 million users. Instead of planting fake extensions in the Chrome Web Store, the attackers infected legitimate extensions with malicious code.

How Hackers Target Developers to Insert Malicious Code into Authentic Extensions

Cyberhaven, a data protection company, confirmed a breach affecting 26 browser extensions installed by over 2.5 million users. The attacks targeted VPN and AI-based extensions, and the number of affected extensions is expected to rise in the coming week.

Cybercriminals targeting Chrome Web Store developers are running an unusual campaign that injects malicious code into legitimate extensions. The campaign, which began in mid-December and is still unfolding, aims to steal user information at scale, unlike other browser extension attacks that rely on creating fake extensions.

Black hat hackers send phishing emails to browser extension companies and developers, posing as Google Chrome Web Store Developer Support. The emails falsely claim that the recipient’s extension is at risk of removal for violating the Developer Program Policies. They trick developers into giving away sensitive data, which is then used to load malicious code into the legitimate extension so that it steals users’ cookies and access tokens.

Which browser add-ons have been compromised?

The following browser extensions were identified as affected by Secure Annex cybersecurity researchers; some have since been fixed in the Chrome Web Store:

  • VPNCity
  • Parrot Talks
  • Uvoice
  • Internxt VPN
  • Bookmark Favicon Changer
  • Castorus
  • Wayin AI
  • Search Copilot AI Assistant for Chrome
  • VidHelper – Video Downloader
  • AI Assistant—ChatGPT and Gemini for Chrome
  • Vidnoz Flex – Video Recorder & Video Share
  • TinaMind—the GPT-4o-powered AI Assistant!
  • Bard AI chat
  • Reader Mode
  • Primus (prev. PADO)
  • Tackker—an online keylogger tool
  • AI Shop Buddy
  • Sort by Oldest
  • Rewards Search Automator
  • Earny – Up to 20% Cash Back
  • ChatGPT Assistant—Smart Search
  • Keyboard History Recorder
  • Email Hunter
  • Visual Effects for Google Meet
  • Cyberhaven security extension V3
  • GraphQL Network Inspector
  • GPT-4 Summary with OpenAI
  • YesCaptcha assistant

Over 2.5 million users of the affected browser extensions are at risk of being breached. Analysis of the malicious code shows that attacker-controlled servers are used to exfiltrate data and to redirect users to malicious domains. Researchers are still working to understand most of the code because the attackers obfuscated it, and the number of breached extensions could grow in the coming days.

Threat actors are reportedly stealing session cookies to bypass Google 2FA, and redirecting users to fake sites by hijacking search queries. This can lead to identity and credential theft, activity tracking, and remote command execution, allowing the threat actors to take over users’ browsers.

Advanced Browser Hijacking

The identity of the attacker behind this wave of attacks on browser extension developers remains unknown. As the techniques evolve, other threat actors may join in, potentially using email phishing as the primary attack vector.

Browser extension hijacking is a common problem in cybersecurity, but loading malicious code into legitimate extensions is rare. Google’s official store is removing affected extensions to prevent malware downloads while developers work on patches. Security teams and companies are still catching up because of the scale of the attack, which may rely on an automated attack vector.

Threat actors have access to a large list of email addresses belonging to browser extension developers, which are likely being used for the phishing campaign. These addresses are typically used for bug reports and are publicly listed on the Chrome Web Store. It is unclear whether the threat actor obtained them from another breach or leak. AI software developer Tirath Ramdas discussed browser extension security.

Browser extensions, often thought of as mere plugins, can intercept user-related content on every web page. Consumers are increasingly aware of the risks of downloading and running software from the internet, yet browser extensions and web service workers still occupy a privileged position. While browsers and operating systems protect users from conventional malware, this awareness does not extend to browser extensions.

The Bottom Line: Safety Tips

The widespread campaign involves numerous websites, IP addresses, and domains and uses a variety of techniques, so no single security patch or fix can address it. Users should uninstall the affected extensions, clear their browser cache, and reinstall only once a patched version is available.

Users should review their extensions’ permissions, change passwords, and enable multi-factor authentication for any affected accounts. Developers and browser extension companies face the challenge of auditing their extensions to ensure their integrity. Cybercriminals treat browsers as a treasure trove of personal information, so be cautious when installing extensions: install only ones you recognize, avoid extensions with few users, and read user reviews before adding them to your browser.
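One practical way for a user or help desk to act on the list above is to check a Chrome profile for installed extensions whose names match it. The script below is an added example, not code from the article or from Cyberhaven; it assumes Chrome's on-disk layout (an Extensions folder containing one directory per extension ID, with one version subdirectory holding manifest.json), resolves localized __MSG_ names, and builds a constructed sample profile for the demo rather than reading a real one.

```python
import glob
import json
import os
import tempfile
# Subset of the names in the article's list; the scan matches manifest names, not extension IDs.
AFFECTED_NAMES = {"VPNCity", "Internxt VPN", "Reader Mode", "Cyberhaven security extension V3"}

def _norm(name):
    # Loose comparison: unify dash variants, collapse whitespace, ignore case.
    return " ".join(name.replace("\u2014", "-").replace("\u2013", "-").split()).lower()

def _load_json(path):
    # {} for a missing, unreadable or malformed file, so callers can use .get() unconditionally.
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return {}

def _resolve_name(ext_dir, manifest):
    # "name" may be a __MSG_key__ placeholder resolved from _locales/<default_locale>/messages.json.
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    msgs = _load_json(os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json"))
    return msgs.get(name[6:-2], {}).get("message", name)

def find_affected(extensions_root, affected_names=AFFECTED_NAMES):
    # Chrome unpacks each installed extension to <Extensions>/<id>/<version>/manifest.json.
    wanted = {_norm(n) for n in affected_names}
    hits = []
    for path in sorted(glob.glob(os.path.join(extensions_root, "*", "*", "manifest.json"))):
        manifest = _load_json(path)
        name = _resolve_name(os.path.dirname(path), manifest)
        if _norm(name) in wanted:
            ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
            hits.append({"id": ext_id, "version": manifest.get("version", "?"), "name": name})
    return hits

def demo():
    # Constructed sample profile (not real data): one localized affected extension plus one benign one.
    root = tempfile.mkdtemp()
    files = {("a" * 32, "2.0.1_0", "manifest.json"): {"name": "__MSG_appName__", "version": "2.0.1"},
             ("a" * 32, "2.0.1_0", "_locales", "en", "messages.json"): {"appName": {"message": "VPNCity"}},
             ("b" * 32, "1.0_0", "manifest.json"): {"name": "Harmless Notes", "version": "1.0"}}
    for parts, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, *parts)), exist_ok=True)
        with open(os.path.join(root, *parts), "w", encoding="utf-8") as f:
            json.dump(data, f)
    return find_affected(root)
```

Point find_affected() at the profile's real Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux) and extend AFFECTED_NAMES with the full list; because matching is by name, treat a hit as a prompt to verify the extension in chrome://extensions and remove it, not as proof on its own.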
