Introduction

A sophisticated data theft campaign has been identified, targeting Google Chrome users through the compromise of multiple browser extensions. This attack, affecting millions globally, underscores the vulnerabilities inherent in browser extensions and the need for enhanced security measures.

Description

Security researchers have confirmed an ongoing and sophisticated data theft campaign targeting Google Chrome users, involving the compromise of at least 35 browser extensions and potentially impacting approximately 2.6 million users globally [13]. The attack, which began on December 24, 2024 [4], was publicly disclosed by cybersecurity startup Cyberhaven on December 27, 2024, following a phishing incident that allowed hackers to gain developer access to the Chrome Web Store [13]. An admin from Cyberhaven was phished through a deceptive email impersonating Google, falsely warning of potential extension removal for policy violations and creating a sense of urgency for action. The email contained a phishing link that directed the employee to a legitimate-looking Google login page for a malicious OAuth application named “Privacy Policy Extension,” which requested permissions to manage Chrome Web Store extensions. Once the employee granted these permissions [2] [3] [9] [11], the attacker was able to upload a malicious version of Cyberhaven’s official extension (version 24.10.4) on December 25, 2024, which bypassed Google’s security checks [5].

The malicious extension was available for over 30 hours and was engineered to capture sensitive information, including Facebook IDs, access tokens [4] [6] [7] [8] [12] [13], and other account details, particularly targeting corporate Facebook business accounts. The modified extensions were distributed via automatic updates on the Chrome Web Store, exposing users’ Facebook accounts to the malicious code without their knowledge [12]; the code exfiltrated data to the attackers’ command-and-control servers [4] [12], including one identified as “cyberhavenext[ ]pro.” The primary objective of the attack appeared to be the exploitation of Facebook Ads accounts, as indicated by the malicious extension’s code [6], which sought to obtain access tokens and account information for financial gain, as well as to facilitate disinformation or phishing activities on the platform [4].

Although the employee’s Google account remained secure due to multi-factor authentication and Google Advanced Protection [6], the breach allowed the attackers to steal sensitive information [11], including passwords and cookies [11], leading to account takeovers [11]. Cyberhaven’s security team detected the compromise shortly after it occurred and removed the malicious package within an hour [6], underscoring the importance of timely updates and vigilant monitoring of software integrity [10]. However, evidence suggests that similar malicious code has been present in other extensions dating back to March 2024, with some compromised extensions [1] [6] [9] [13], including a keylogger [6], published as recently as October 6, 2023 [6]. Notable affected extensions include “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” “Reader Mode,” “Internxt VPN,” “VPNCity,” and “AI Shop Buddy.” A total of 35 extensions were identified as compromised, affecting over 2.6 million users [1] [2] [9]. While many malicious extensions have been removed and replaced with legitimate versions [6], some remain unaddressed [6], indicating that the threat landscape continues to evolve. Security researchers [2] [6] [9], including Jaime Blasco from Nudge Security [6], have indicated that other extensions are likely affected [6], underscoring the need for ongoing vigilance in the Chrome Web Store ecosystem.

In response to the breach [7], Cyberhaven released a legitimate update (version 24.10.5) [7], engaged Mandiant for incident response planning [7], and notified federal law enforcement for investigation [7]. Users and organizations are advised to uninstall or update the compromised extensions, reset passwords [9], revoke active sessions [9], and monitor for unusual activity [9]. Developers are encouraged to strengthen application security measures and remain vigilant against phishing attempts. The attack highlights the vulnerability of browser extensions, which have become a popular vector for attackers because organizations exercise limited oversight of employee usage [8]. Developer emails [8], often publicly listed on the Chrome Web Store for bug reporting, can be easily targeted by attackers, making it crucial for developers to maintain security awareness.

The incident underscores the vulnerabilities in trusted platforms like the Chrome Web Store and the OAuth system [3], which, while designed for secure third-party app integration [3], can be exploited because developers do not always understand the permissions they grant [1] [2] [3] [4] [5] [6] [7] [11] [12] [13]. Google Chrome employs app-bound encryption and various security measures [13], including safe browsing [13], device-bound session credentials [13], and account-based threat detection features [13], and Google notes that security keys offer stronger protection against phishing and social engineering attacks than traditional two-factor authentication methods [13]. To mitigate future risks [3] [11], experts recommend implementing version pinning to prevent automatic updates from installing malicious versions, and remaining vigilant against similar vulnerabilities in other software ecosystems [11], such as IDE extensions and code packages [11]. Additionally, strengthening OAuth authorization flows with extra verification layers and increasing monitoring of Chrome Web Store activities for unusual extension updates are essential steps to enhance security. This incident serves as a stark reminder of the risks in the interconnected digital ecosystem [3], where trust in widely used platforms can be exploited by malicious actors [3], highlighting the urgent need for improved security practices and collaboration among developers [3], users, and platform providers to defend against future threats [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13].
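As an added illustration of the advice above (checking installed extensions and monitoring for unexpected updates), the following script is not from any of the cited sources or from Cyberhaven; it audits a Chrome profile directory using only the indicators this article quotes: the affected extension names, the malicious Cyberhaven build 24.10.4, and the C2 domain cyberhavenext.pro. It assumes Chrome's standard on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, and the sample profile it builds is constructed data for the demo, not a real capture.

```python
import json
import os
import re
import tempfile

# Extension names quoted in the article as affected (matched case-insensitively on the manifest "name").
AFFECTED_NAMES = {"ai assistant - chatgpt and gemini for chrome", "gpt 4 summary with openai",
                  "reader mode", "internxt vpn", "vpncity", "ai shop buddy"}
CYBERHAVEN_BAD = "24.10.4"  # malicious build named in the article; 24.10.5 is the legitimate fix
C2_PATTERN = re.compile(rb"cyberhavenext\.pro", re.IGNORECASE)  # C2 domain quoted (defanged) above


def _references_c2(ext_dir):
    """True if any .js file under the extension's version directory mentions the C2 domain."""
    for root, _, files in os.walk(ext_dir):
        for fn in files:
            if fn.endswith(".js"):
                with open(os.path.join(root, fn), "rb") as f:
                    if C2_PATTERN.search(f.read()):
                        return True
    return False


def audit_extensions(profile_dir):
    """Return (ext_id, name, version, reason) tuples for suspicious extensions in a Chrome profile."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        for vdir_name in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            vdir = os.path.join(ext_root, ext_id, vdir_name)
            manifest_path = os.path.join(vdir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as f:
                manifest = json.load(f)
            name, version = manifest.get("name", ""), manifest.get("version", "")
            norm = name.lower().replace("\u2013", "-")  # the article writes one name with an en dash
            if "cyberhaven" in norm and version == CYBERHAVEN_BAD:
                findings.append((ext_id, name, version, "malicious Cyberhaven build; update to 24.10.5"))
            if norm in AFFECTED_NAMES:
                findings.append((ext_id, name, version, "named among the compromised extensions; verify or remove"))
            if _references_c2(vdir):
                findings.append((ext_id, name, version, "script references C2 domain cyberhavenext.pro"))
    return findings


def build_sample_profile():
    """Constructed sample profile (hypothetical ids, names and scripts) so the audit can run offline."""
    root = tempfile.mkdtemp()
    samples = [("aaaa", "Cyberhaven (sample)", "24.10.4", b"var c2 = 'cyberhavenext.pro';  // constructed"),
               ("bbbb", "Cyberhaven (sample)", "24.10.5", b"// constructed clean build"),
               ("cccc", "Reader Mode", "1.5.7", b"// constructed clean build")]
    for ext_id, name, version, script in samples:
        vdir = os.path.join(root, "Extensions", ext_id, version + "_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": version, "manifest_version": 3}, f)
        with open(os.path.join(vdir, "background.js"), "wb") as f:
            f.write(script)
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_profile()):
        print(finding)
```

Point `audit_extensions` at a real profile path (for example the `Default` directory under the Chrome user data folder) to list matches; an empty result only means none of this article's indicators were found, not that the profile is clean.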

Conclusion

The data theft campaign targeting Google Chrome users highlights significant security vulnerabilities in browser extensions and trusted platforms. The incident emphasizes the necessity for robust security measures [10], including enhanced monitoring, improved authorization processes, and increased awareness among developers and users. As the digital landscape continues to evolve, collaboration among stakeholders is crucial to mitigate risks and protect against future threats.

References

[1] https://thesecmaster.com/blog/chrome-extension-security-breach-exposes-millions-of-users-to-potential-data-thef
[2] https://www.infosecurity-magazine.com/news/chrome-browser-extensions-hijacked/
[3] https://www.allaboutai.com/ai-news/chrome-users-beware-hackers-compromise-35-popular-extensions/
[4] https://nsaneforums.com/news/security-privacy-news/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions-r27203/
[5] https://www.techradar.com/pro/security/google-chrome-extensions-hack-may-have-started-much-earlier-than-expected
[6] https://www.techtarget.com/searchSecurity/news/366617636/Dozens-of-Chrome-extensions-hacked-in-threat-campaign
[7] https://intruceptlabs.com/2025/01/sophisticated-phishing-attack-exposed-over-600000-users-to-data-theft-16-chrome-extensions-hacked/
[8] https://www.csoonline.com/article/3630665/squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach.html
[9] https://cybersecuritynews.com/35-google-chrome-extensions-hacked/
[10] https://www.gadgetinsiders.com/google/how-your-favorite-chrome-extensions-could-be-stealing-your-info/
[11] https://www.techzine.eu/news/security/127501/cyberhaven-breach-caused-by-malicious-chrome-extension/
[12] https://www.techmonitor.ai/technology/cybersecurity/35-chrome-extensions-hacked
[13] https://www.forbes.com/sites/daveywinder/2025/01/02/critical-google-chrome-warning-for-26-million-as-2fa-hackers-attack/