SecurityWeek

Several Chrome Extensions Compromised in Supply Chain Attack

Cyberhaven and other Chrome extensions were compromised in a supply chain attack targeting Facebook advertising users.

Malicious versions of Cyberhaven and other Chrome extensions were published to the Google Chrome Web Store as part of a supply chain attack likely targeting Facebook advertising users.

The extension of data security firm Cyberhaven was compromised after an employee fell victim to a phishing attack and authorized a malicious OAuth application called ‘Privacy Policy Extension’ to Cyberhaven’s Chrome Web Store account.

Purporting to come from the Chrome Web Store, the phishing message was sent to the registered support email, claiming that the extension’s description contained excessive keywords and that it would be removed from the store.

After clicking on the link in the message, the employee was taken through the standard Google authorization process and inadvertently gave the malicious third-party application permissions to access the developer account.

“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive a MFA prompt. The employee’s Google credentials were not compromised,” Cyberhaven explains.

The attackers then used these permissions to publish a malicious version of the extension to the Chrome Web Store, which was available for download for over 24 hours between December 25 and December 26.
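Because the grant described above went through the standard authorization flow without an MFA prompt, OAuth audit data is one place a defender can look for it. The following is an added example, not code from the article or from Cyberhaven, that flags consent grants of the Chrome Web Store scope to unapproved applications; the event field names, client IDs, timestamps and sample log lines are constructed assumptions, and only the app name comes from the article.

```python
import json

# Real OAuth scope of the Chrome Web Store Publish API.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"
# Assumption: OAuth client IDs the organisation has approved for publishing.
APPROVED = {"ci-pipeline.example.apps.googleusercontent.com"}

# Constructed sample events, one JSON object per line. Field names are
# assumptions; map them to what your identity provider's audit log exports.
SAMPLE_EVENTS = """
{"time": "2025-01-08T09:12:00Z", "actor": "build@example.com", "event": "authorize", "app_name": "Release Pipeline", "client_id": "ci-pipeline.example.apps.googleusercontent.com", "scopes": ["https://www.googleapis.com/auth/chromewebstore"]}
{"time": "2025-01-09T17:40:00Z", "actor": "support@example.com", "event": "authorize", "app_name": "Privacy Policy Extension", "client_id": "unknown-app.example.apps.googleusercontent.com", "scopes": ["openid", "https://www.googleapis.com/auth/chromewebstore"]}
{"time": "2025-01-09T18:02:00Z", "actor": "dev@example.com", "event": "authorize", "app_name": "Calendar Helper", "client_id": "cal-helper.example.apps.googleusercontent.com", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
{"time": "2025-01-10T08:00:00Z", "actor": "support@example.com", "event": "revoke", "app_name": "Privacy Policy Extension", "client_id": "unknown-app.example.apps.googleusercontent.com", "scopes": ["https://www.googleapis.com/auth/chromewebstore"]}
{"time": "2025-01-10T08:0
"""

def parse_events(text):
    """Parse JSON-lines audit data, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events

def risky_grants(events, approved=APPROVED):
    """Return authorize events that grant CWS_SCOPE to an unapproved client."""
    findings = []
    for ev in events:
        scopes = ev.get("scopes") or []
        if ev.get("event") != "authorize" or CWS_SCOPE not in scopes:
            continue
        if ev.get("client_id") in approved:
            continue
        findings.append((ev.get("time"), ev.get("actor"), ev.get("app_name"), ev.get("client_id")))
    return findings

if __name__ == "__main__":
    for finding in risky_grants(parse_events(SAMPLE_EVENTS)):
        print("REVIEW consent grant:", *finding)
```

Matching on the client ID rather than the display name matters here, since an application can choose any name it likes for the consent screen.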

The malicious version, namely 24.10.4, was removed from the store immediately after the attack was discovered and was replaced with version 24.10.5, which is clean.

While it was listed in the Chrome Web Store, the malicious iteration was distributed to users who had the auto-update feature enabled.

“Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised,” Cyberhaven says.

The malicious extension appears to have targeted Facebook.com advertising users, collecting and exfiltrating access tokens, user IDs, account information obtained via the Facebook API, and business account and ad account information.

Additionally, the malicious code added a mouse click listener for Facebook.com, so that it would retrieve all images when the user clicked on a relevant page. Based on how it was processing the retrieved images, the code presumably searched for QR codes to bypass captchas and/or 2FA authorization requests, Cyberhaven says.

Cyberhaven has raised more than $136 million and was valued at $488 million when the company raised $88 million via a Series C funding round in June 2024.

In a LinkedIn post, Nudge Security co-founder and CTO Jaime Blasco noted that other Chrome extensions were compromised as well, and that the threat actor created multiple fraudulent domains within a short time frame, all of which were hosted on the same IP address. At least five other compromised Chrome extensions were identified, including Internxt VPN, VPNCity, Uvoice and ParrotTalks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
