In a sophisticated cyberattack campaign that began in mid-December, hackers have compromised at least 16 Chrome browser extensions, exposing over 600,000 users to potential data theft.
The breach, which came to light through a series of reports and statements from affected companies, has raised significant concerns about the security of browser extensions.
Cyberhaven, a California-based data protection company, was among the first to confirm the breach. The company disclosed that on Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).
This version contained code designed to steal sensitive information, including passwords and session tokens, particularly targeting social media advertising and AI platforms.
The attack was not isolated to Cyberhaven. Cybersecurity experts, including Jaime Blasco from Nudge Security, have identified several other similarly compromised extensions.
These include extensions related to VPNs, AI, productivity, and even video downloaders, suggesting a broad, opportunistic approach by hackers to collect as much sensitive data as possible.
Here is a table listing the Chrome extensions that were possibly affected by the recent cyberattack:
Extension Name | Category |
---|---|
AI Assistant – ChatGPT and Gemini | AI |
Bard AI Chat Extension | AI |
GPT 4 Summary with OpenAI | AI |
Search Copilot AI Assistant for Chrome | AI |
TinaMind AI Assistant | AI |
Wayin AI | AI |
VPNCity | VPN |
Internxt VPN | VPN |
Vidnoz Flex Video Recorder | Productivity |
VidHelper Video Downloader | Productivity |
Bookmark Favicon Changer | Productivity |
Castorus | Productivity |
Uvoice | Productivity |
Reader Mode | Productivity |
Parrot Talks | Productivity |
Primus | Productivity |
This table includes extensions related to AI, VPNs, and productivity tools, which were identified as potentially compromised in the attack campaign.
The malicious code was active for approximately 25 hours, from December 24 to December 26, 2024, affecting only those Chrome installations that automatically updated during this period.
Cyberhaven’s internal security team detected the intrusion on Christmas Day and promptly removed the malicious extension from the Chrome Web Store, replacing it with a secure version (24.10.5).
Cyberhaven has taken several steps in response to the breach:
- Notified affected customers on December 26.
- Engaged an external incident response firm, Mandiant, for forensic analysis.
- Implemented additional security measures to prevent future incidents.
- Advised customers to update their extensions, rotate passwords, and review logs for suspicious activity.
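One way to check an endpoint against the details above, as an added example that is not code from Cyberhaven or the original article: it walks a Chrome profile's `Extensions` directory and flags Cyberhaven version 24.10.4 and any install whose display name matches the table. Matching by display name (the article lists no extension IDs), the substring test for "cyberhaven", and the `<id>/<version>_0/manifest.json` layout are assumptions of this sketch.

```python
import json
from pathlib import Path

# Display names from the article's table, lower-cased. The article gives no
# extension IDs, so matching on the name is an assumption of this example.
LISTED = {n.strip().lower() for n in """
AI Assistant – ChatGPT and Gemini; Bard AI Chat Extension; GPT 4 Summary with OpenAI
Search Copilot AI Assistant for Chrome; TinaMind AI Assistant; Wayin AI; VPNCity
Internxt VPN; Vidnoz Flex Video Recorder; VidHelper Video Downloader
Bookmark Favicon Changer; Castorus; Uvoice; Reader Mode; Parrot Talks; Primus
""".replace("\n", ";").split(";") if n.strip()}
CYBERHAVEN_BAD = "24.10.4"  # malicious release named in the article

def read_json(path):
    """Parse a JSON object from a file, tolerating a BOM; {} if unusable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(version_dir, manifest):
    """Resolve localized names of the form __MSG_key__ through _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = read_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in msgs.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return entry.get("message", name)
    return name

def audit(extensions_root):
    """Return (extension_id, name, version, reason) for each flagged install."""
    findings = []
    for mpath in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = read_json(mpath)
        name = display_name(mpath.parent, manifest).strip()
        version = manifest.get("version", "")
        ext_id = mpath.parent.parent.name
        if "cyberhaven" in name.lower():
            if version == CYBERHAVEN_BAD:
                findings.append((ext_id, name, version, "malicious Cyberhaven release"))
        elif name.lower() in LISTED:
            findings.append((ext_id, name, version, "name on possibly-affected list"))
    return findings
```

A hit on the list only means the install deserves a closer look; store display names can differ from the wording in the table, so an empty result is not proof of a clean profile.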
“We have yet to see any other websites targeted, which makes us believe that this attack was a generic, non-targeted attack aimed at facebook.com advertising users,” Cyberhaven said.
The geographical scope of the attack remains unclear, but the implications are global, given the widespread use of Chrome extensions.
Browser extensions, often seen as harmless tools for enhancing web browsing experiences, have become a soft target for cybercriminals due to the extensive permissions they are granted, which can include access to cookies, identity information, and more.
This incident underscores the vulnerability of browser extensions and the need for heightened security measures. The ongoing investigation aims to uncover the full extent of the breach and identify the perpetrators behind this widespread campaign.
As the digital landscape continues to evolve, this attack serves as a stark reminder for both developers and users to remain vigilant about the security of browser extensions, ensuring they are updated regularly and sourced from reputable providers.