As many of us celebrated the year-end holidays, a small group of researchers worked overtime tracking a startling discovery: At least 33 browser extensions hosted in Google’s Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices.
The compromises came to light with the discovery by data loss prevention service Cyberhaven that a Chrome extension used by 400,000 of its customers had been updated with code that stole their sensitive data.
‘Twas the night before Christmas
The malicious extension, published as version 24.10.4, was available for 31 hours, from December 25 at 1:32 AM UTC to Dec 26 at 2:50 AM UTC. Chrome browsers actively running the Cyberhaven extension during that window would automatically download and install the malicious code. Cyberhaven responded by issuing version 24.10.5, and a few days later 24.10.6.
The Cyberhaven extension is designed to prevent users from inadvertently entering sensitive data into emails or websites they visit. Analyses of version 24.10.4 showed that it was configured to work with different payloads that were downloaded from cyberhavenext[.]pro, a malicious site the threat actor registered to give the appearance it was affiliated with the company. One recovered payload, Cyberhaven said, scoured user devices for browser cookies and authentication credentials for the facebook.com domain. A separate payload recovered by security firm Secure Annex stole cookies and credentials for chatgpt.com; Cyberhaven said the payload didn’t appear functional.
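A defender-side check for the two indicators the article names (the 24.10.4 version string of the Cyberhaven extension and any reference to cyberhavenext.pro), added here as an example and not code from Cyberhaven, Secure Annex or Ars Technica. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json` and builds a constructed sample profile so it runs offline:

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the article; the bad version applies to the Cyberhaven extension only.
BAD_DOMAIN = re.compile(r"cyberhavenext\.pro", re.IGNORECASE)
BAD_VERSIONS = {"cyberhaven": {"24.10.4"}}  # lowercase name substring -> bad versions

def scan_extension(ext_dir):
    """Return a list of findings for one unpacked extension version directory."""
    ext_dir, findings = Path(ext_dir), []
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return findings
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    name, version = str(manifest.get("name", "")), str(manifest.get("version", ""))
    for needle, versions in BAD_VERSIONS.items():
        if needle in name.lower() and version in versions:
            findings.append(f"known-bad version {version} of '{name}'")
    # Any script, JSON or HTML file shipped with the extension that names the attacker domain.
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".json", ".html"}:
            if BAD_DOMAIN.search(path.read_text(encoding="utf-8", errors="ignore")):
                findings.append(f"reference to cyberhavenext.pro in {path.relative_to(ext_dir)}")
    return findings

def scan_profile(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/ and map 'id/version' to its findings."""
    report, root = {}, Path(extensions_root)
    if root.is_dir():
        for ext_id in (d for d in root.iterdir() if d.is_dir()):
            for ver_dir in (d for d in ext_id.iterdir() if d.is_dir()):
                findings = scan_extension(ver_dir)
                if findings:
                    report[f"{ext_id.name}/{ver_dir.name}"] = findings
    return report

def build_sample_profile():
    """Construct a throwaway Extensions folder: one flagged extension and one clean one."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / ("a" * 32) / "24.10.4_0"  # constructed extension id and folder name
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": "24.10.4"}))
    (bad / "worker.js").write_text('fetch("https://cyberhavenext.pro/");  // constructed sample')
    good = root / ("b" * 32) / "1.0.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Notes", "version": "1.0.0"}))
    return root
```

Point `scan_profile` at a real profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to scan it. Because Chrome replaced 24.10.4 with 24.10.5 automatically, no hit today does not prove the bad version never ran during the 31-hour window.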
The malicious version came through a spear phishing email sent to the developers Google listed for the Cyberhaven extension on Christmas Eve. It warned that the extension wasn’t in compliance with Google terms and would be revoked unless the developer took immediate action.
Title: Time to check if you ran any of these 33 malicious Chrome extensions
URL: https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/
Source: Ars Technica – All content
Source URL: https://arstechnica.com
Date: January 3, 2025 at 01:59PM