Hackers compromised several Chrome extensions, including one developed by Cyberhaven, through a phishing attack that occurred on December 24, 2024, gaining access to admin accounts and modifying the extensions with malicious code.
Details of the Cyberhaven attack
Cyberhaven confirmed in a blog post that its extension was targeted, with the attack actively impacting users from 1:32 AM UTC on December 25 until 2:50 AM UTC on December 26. The attacker used compromised credentials to publish the malicious version, 24.10.4, on Christmas Eve.
The breach was detected on December 25, and Cyberhaven removed the malicious extension within an hour. Cyberhaven notified affected customers on December 26, advising them to revoke and rotate their passwords and other credentials. The attack appeared to focus on stealing data from Facebook Ads users, including access tokens, user IDs, and cookies, to aid in bypassing two-factor authentication.
This incident is part of a broader campaign targeting known Chrome extensions, with at least 16 extensions compromised and over 600,000 users affected. Additional extensions that were identified as compromised include ParrotTalks, Uvoice, and VPNCity, among others.
The phishing email created a sense of urgency by suggesting the extension was about to be removed, luring the Cyberhaven employee into authorizing a malicious OAuth application named “Privacy Policy Extension.” With this authorization, the attacker gained the permissions required to publish the malicious extension.
Cyberhaven stated that they engaged an external incident response firm and are cooperating with federal law enforcement. They have implemented additional security measures to prevent similar incidents and published a clean version (24.10.5) of the extension after removing the compromised version.
Customers using the compromised extension were advised to verify the update to version 24.10.5 or newer and review their logs for any suspicious activity.
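One way to carry out the version check across browser profiles is sketched below. This is an added example, not code from Cyberhaven or from the original article. It assumes Chrome's usual on-disk layout of `<user data dir>/<profile>/Extensions/<extension id>/<version>_N/manifest.json`; the extension ID is a placeholder because the article does not give it, and the sample profiles are constructed.

```python
import json
import tempfile
from pathlib import Path

# Versions are from the article. The extension ID is a PLACEHOLDER (not on the page).
MALICIOUS, FIXED = (24, 10, 4), (24, 10, 5)
EXTENSION_ID = "a" * 32  # substitute the real Chrome Web Store ID


def parse_version(text):
    """Chrome versions are dot-separated integers: compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    if version == MALICIOUS:
        return "COMPROMISED"
    return "ok" if version >= FIXED else "outdated"


def audit(user_data_dir, extension_id=EXTENSION_ID):
    """Return (profile, version, status) for every on-disk copy of the extension."""
    findings = []
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            status = classify(parse_version(version))
        except (OSError, ValueError, KeyError, AttributeError):
            version, status = "?", "unreadable"
        findings.append((manifest.parents[3].name, version, status))
    return findings


def build_sample(root):
    """Constructed sample data: three profiles with different installed versions."""
    samples = [("Default", "24.10.4"), ("Profile 1", "24.10.5"), ("Profile 2", "24.9.12")]
    for profile, version in samples:
        d = Path(root) / profile / "Extensions" / EXTENSION_ID / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": version}), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit(build_sample(tmp)):
            print(*row, sep="\t")
```

Versions are compared as integer tuples because a plain string comparison would rank 24.10.10 below 24.10.5. A profile reported as COMPROMISED identifies a user whose credentials fall under the rotation advice above.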




