Cybersecurity company SquareX says a malicious version of Cyberhaven’s browser extension was published on the Chrome Store on Christmas Day, allowing the attacker to hijack authenticated sessions and exfiltrate confidential information.
At the time, SquareX reported large-scale attacks targeting Chrome Extension developers aimed at taking over the Chrome Extension from the Chrome Store.
The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.
It is unfortunate that the attack took place as SquareX’s researchers had identified the very same attack with a video demonstrating the entire attack pathway just a week before the Cyberhaven breach.
The attack begins with a phishing email impersonating Chrome Store containing a supposed violation of the platform’s Developer Agreement. The email urges the receiver to accept the policies to prevent their extension from being removed from the Chrome Store.
Upon clicking on the policy button, the user gets prompted to connect their Google account to a Privacy Policy Extension, which grants the attacker access to edit, update and publish extensions on the developer’s account.
Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organisations have limited purview on what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted.
SquareX has conducted extensive research and demonstrated at DEFCON 32, how MV3 compliant extensions can be used to steal video stream feeds, add a silent GitHub collaborator and steal session cookies, among others.
Attackers can easily create a seemingly harmless extension and later convert it into a malicious one post-installation or, as demonstrated in the attack above, deceive the developers behind a trusted extension to gain access to one that already has hundreds of thousands of users. In Cyberhaven’s case, attackers could steal company credentials across multiple websites and web apps through the malicious version of the extension.
Given that developer emails are publicly listed on Chrome Store, it is easy for attackers to target thousands of extension developers at once. These emails are typically used for bug reporting. Thus, even support emails listed for extensions from larger companies are usually routed to developers who may not have the level of security awareness required to find suspicion in such an attack.
As per SquareX’s attack disclosure and the Cyberhaven breach occurred within a span of less than two weeks, the company has strong reason to believe that many other browser extension providers are being attacked in the same way. SquareX urges companies and individuals alike to conduct careful inspection before installing or updating any browser extensions.
The company acknowledges that it can a big task to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven’s breach was not even detected by any popular threat feeds.
“Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work,” said SquareX’s Founder Vivek Ramachandran. “Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and One Drive and we will only see attackers get more creative in exploiting browser extensions.”
“Companies need to remain vigilant and minimise their supply chain risk without hampering employee productivity by equipping them with the right browser native tools,” he adds.
