SecurityWeek

Supply Chain Security

Several Chrome Extensions Compromised in Supply Chain Attack

Cyberhaven and other Chrome extensions were compromised in a supply chain attack targeting Facebook advertising users.

Malicious versions of Cyberhaven and other Chrome extensions were published to the Google Chrome Web Store as part of a supply chain attack likely targeting Facebook advertising users.

The extension of data security firm Cyberhaven was compromised after an employee fell victim to a phishing attack and authorized a malicious OAuth application called ‘Privacy Policy Extension’ to Cyberhaven’s Chrome Web Store account.

Purporting to come from the Chrome Web Store, the phishing message was sent to the registered support email, claiming that the extension’s description contained excessive keywords and that it would be removed from the store.

After clicking on the link in the message, the employee was taken through the standard Google authorization process and they inadvertently gave the malicious third-party application permissions to access the developer account.

“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive a MFA prompt. The employee’s Google credentials were not compromised,” Cyberhaven explains.

The attackers then used these permissions to publish a malicious version of the extension to the Chrome Web Store, which was available for download for over 24 hours between December 25 and December 26.

The malicious version, namely 24.10.4, was removed from the store immediately after the attack was discovered and was replaced with version 24.10.5, which is clean.

While it was listed in the Chrome Web Store, the malicious iteration was distributed to users who had the auto-update feature enabled.
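For defenders checking endpoints, the following added example (not code from Cyberhaven or SecurityWeek) sweeps a Chrome profile directory for an installed copy of the malicious version 24.10.4. The extension ID is a placeholder because the article does not give it, and the `Extensions/<id>/<version>_<n>/manifest.json` layout and the sample profile are assumptions constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Placeholder: the article does not give the extension's Chrome Web Store ID.
EXT_ID = "EXTENSION_ID_PLACEHOLDER"
# 24.10.4 is the version the article reports as malicious (24.10.5 is clean).
BAD_VERSIONS = {EXT_ID: {"24.10.4"}}


def find_flagged_extensions(profile_dir, bad_versions=BAD_VERSIONS):
    """Return sorted (ext_id, version, manifest_path) tuples for flagged installs.

    Assumes the on-disk layout
    <profile>/Extensions/<ext_id>/<version>_<n>/manifest.json
    """
    hits = []
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        version = data.get("version") if isinstance(data, dict) else None
        if isinstance(version, str) and version in bad_versions.get(ext_id, ()):
            hits.append((ext_id, version, str(manifest)))
    return sorted(hits)


def build_sample_profile(root):
    """Write a constructed profile: flagged, clean, unrelated and broken installs."""
    samples = [
        (EXT_ID, "24.10.4_0", '{"name": "sample", "version": "24.10.4"}'),
        (EXT_ID, "24.10.5_0", '{"name": "sample", "version": "24.10.5"}'),
        ("unrelatedextension", "24.10.4_0", '{"version": "24.10.4"}'),
        ("brokenextension", "1.0_0", "{not json"),
    ]
    for ext_id, version_dir, body in samples:
        target = Path(root) / "Extensions" / ext_id / version_dir
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for ext_id, version, path in find_flagged_extensions(tmp):
            print(f"flagged: {ext_id} {version} at {path}")
```

A host that has already auto-updated to 24.10.5 may no longer have the 24.10.4 directory on disk, so an empty result does not rule out exposure during the window in which the malicious version was live.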

“Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised,” Cyberhaven says.

The malicious extension appears to have targeted Facebook.com advertising users, collecting and exfiltrating access tokens, user IDs, account information via the Facebook API, business accounts, and ad account information.

Additionally, the malicious code added a mouse click listener for Facebook.com, so that it would retrieve all images when the user clicked on a relevant page. Based on how it was processing the retrieved images, the code presumably searched for QR codes to bypass captchas and/or 2FA authorization requests, Cyberhaven says.

Cyberhaven has raised more than $136 million and was valued at $488 million when the company raised $88 million via a Series C funding round in June 2024.

In a LinkedIn post, Nudge Security co-founder and CTO Jaime Blasco noted that other Chrome extensions were compromised as well, and that the threat actor created multiple fraudulent domains within a short time frame, all of which were hosted on the same IP address. At least five other compromised Chrome extensions were identified, including Internxt VPN, VPNCity, Uvoice and ParrotTalks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
