What just happened? Cybersecurity researchers have uncovered a widespread attack targeting browser extensions in the Chrome Web Store during the holiday season. The campaign affected at least 33 extensions and potentially compromised data from approximately 2.6 million devices. The breach came to light when Cyberhaven, a data loss prevention service, identified malicious code embedded in one of its own extensions.
The attack, which began on Christmas Eve, exploited a vulnerability in the Chrome Web Store's developer authentication system. Attackers used sophisticated spear-phishing techniques to gain access to the accounts of extension developers, enabling them to upload malicious versions of popular extensions.
Cyberhaven's extension, designed to prevent users from inadvertently entering sensitive data into emails or websites, was one of the first to be compromised. "Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven's Chrome extension," the company stated. "Public reports suggest this attack was part of a wider campaign targeting Chrome extension developers across a wide range of companies."
The compromised version of Cyberhaven's extension, version 24.10.4, was available for 31 hours, from December 25 to December 26. During this period, Chrome browsers with Cyberhaven installed would automatically download and execute the malicious code. Analysis of the extension revealed it was designed to interact with different payloads that were downloaded from a malicious site mimicking Cyberhaven's official domain.
Cyberhaven breach reported. Employee phished and pushed malicious chrome extension.
– Christopher Stanley (@cstanley) December 26, 2024
Command and Control:
149.28.124.84
cyberhavenext[.]pro
File Hashes:
content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB
worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60
As researchers delved deeper into the attack, they found that it extended far beyond Cyberhaven. John Tuckner, founder of Secure Annex, a browser extension analysis and management firm, reported that at least 19 other Chrome extensions had been similarly compromised. The attackers employed the same spear-phishing campaign and used custom look-alike domains to issue payloads and harvest authentication credentials.
The collective impact of these compromised extensions is staggering, with an estimated 1.46 million downloads across the 20+ affected extensions. This attack is also not an isolated incident. A similar campaign targeted both Chrome and Firefox extensions in 2019, compromising four million devices, including those within networks of major companies like Tesla, Blue Origin, and Symantec.
Here's a compilation of known extensions to have been compromised (thanks Ars Technica), with further updates available here. If you used any of these, you should update passwords and other login credentials:
| Name | ID | Version | Patch | Available | Users | Start | End |
|---|---|---|---|---|---|---|---|
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | FALSE | 10,000 | 12/12/24 | 12/31/24 | |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | TRUE | 40,000 | 12/25/24 | 12/31/24 | |
| Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | TRUE | 40,000 | 12/26/24 | 12/31/24 | |
| Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | 1.2.0 | TRUE | 10,000 | 12/25/24 | 12/29/24 |
| Bookmark Favicon Changer | acmfnomgphggonodopogfbmkneepfgnh | 4.00 | TRUE | 40,000 | 12/25/24 | 12/31/24 | |
| Castorus | mnhffkhmpnefgklngfmlndmkimimbphc | 4.40 | 4.41 | TRUE | 50,000 | 12/26/24 | 12/27/24 |
| Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7 | FALSE | 300,000 | 12/18/24 | 12/19/24 | |
| Tackker - online keylogger tool | ekpkdmohpdnebfedjjfklhpefgpgaaji | 1.3 | 1.4 | TRUE | 10,000 | 10/6/23 | 8/13/24 |
| AI Shop Buddy | epikoohpebngmakjinphfiagogjcnddm | 2.7.3 | TRUE | 4,000 | 4/30/24 | ||
| Sort by Oldest | miglaibdlgminlepgeifekifakochlka | 1.4.5 | TRUE | 2,000 | 1/11/24 | ||
| Rewards Search Automator | eanofdhdfbcalhflpbdipkjjkoimeeod | 1.4.9 | TRUE | 100,000 | 5/4/24 | ||
| Earny - Up to 20% Cash Back | ogbhbgkiojdollpjbhbamafmedkeockb | 1.8.1 | TRUE | 100,000 | 4/5/23 | ||
| ChatGPT Assistant - Smart Search | bgejafhieobnfpjlpcjjggoboebonfcg | 1.1.1 | TRUE | 189 | 2/12/24 | ||
| Keyboard History Recorder | igbodamhgjohafcenbcljfegbipdfjpk | 2.3 | TRUE | 5,000 | 7/29/24 | ||
| Email Hunter | mbindhfolmpijhodmgkloeeppmkhpmhc | 1.44 | TRUE | 100,000 | 9/17/24 | ||
| Visual Effects for Google Meet | hodiladlefdpcbemnbbcpclbmknkiaem | 3.1.3 | 3.2.4 | TRUE | 900,000 | 6/13/23 | 1/10/24 |
| ChatGPT App | lbneaaedflankmgmfbmaplggbmjjmbae | 1.3.8 | TRUE | 7,000 | 9/3/24 | ||
| Web Mirror | eaijffijbobmnonfhilihbejadplhddo | 2.4 | TRUE | 4,000 | 10/13/23 | ||
| Hi AI | hmiaoahjllhfgebflooeeefeiafpkfde | 1.0.0 | TRUE | 229 | 7/29/24 |
Further investigation revealed an even more alarming trend. One of the compromised extensions, Reader Mode, had been part of a separate campaign dating back to at least April 2023. This earlier compromise was linked to a monetization code library that collected detailed data on every web visit a browser makes. Tuckner identified 13 Chrome extensions, with a combined 1.14 million installations, that had used this library to collect potentially sensitive data.
The incident has sparked discussions on how to better secure browser extensions. Tuckner suggests one potential solution: organizations could implement a browser asset management list, allowing only selected extensions to run while blocking all others.