SquareX, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX reported large-scale attacks targeting Chrome Extension developers aimed at taking over the Chrome Extension from the Chrome Store.
On December 25th, 2024, a malicious version of Cyberhaven’s browser extension was published on the Chrome Store that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information.
The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.
Unfortunately, the attack took place as SquareX’s researchers had identified a similar attack with a video demonstrating the entire attack pathway just a week before the Cyberhaven breach.
The attack begins with a phishing email impersonating Chrome Store containing a supposed violation of the platform’s “Developer Agreement”, urging the receiver to accept the policies to prevent their extension from being removed from Chrome Store. Upon clicking on the policy button, the user gets prompted to connect their Google account to a “Privacy Policy Extension”, which grants the attacker access to edit, update and publish extensions on the developer’s account.
Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organizations have limited purview on what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted.
SquareX researchers, in their extensive study presented at DEFCON 32, highlighted critical vulnerabilities in MV3-compliant Chrome extensions.
They demonstrated how such extensions could be exploited to hijack video stream feeds, silently add unauthorized GitHub collaborators, and exfiltrate session cookies, among other malicious activities.
Attackers can weaponize this vulnerability by either creating an innocuous extension that is later updated with malicious capabilities post-installation or by compromising trusted extensions with substantial user bases such as deceiving their developers into granting unauthorized access.
This was notably seen in the Cyberhaven breach, where attackers used a malicious version of an extension to steal corporate credentials across various websites and web applications.
The publicly available developer contact emails listed on the Chrome Web Store exacerbate the issue. These emails, typically intended for bug reports, allow attackers to easily target numerous extension developers simultaneously.
Even in large organizations, support emails are often routed to individual developers who may lack the necessary security expertise to recognize these sophisticated social engineering attacks.
Based on SquareX’s disclosure and the Cyberhaven breach that occurred within a span of two weeks, there is significant evidence to suggest that similar attacks are targeting other browser extension providers on a broad scale.
SquareX strongly recommends that organizations and users exercise rigorous caution when installing or updating browser extensions and perform comprehensive security reviews to mitigate these risks.
SquareX team understands that it can be non-trivial to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven’s breach was not even detected by any popular threat feeds.
SquareX’s Browser Detection and Response (BDR) solution takes this complexity off security teams by:
- Blocking OAuth interactions to unauthorized websites to prevent employees from accidentally giving attackers unauthorized access to your Chrome Store account
- Blocking and/or flagging any suspicious extension updates containing new, risky permissions
- Blocking and/or flagging any suspicious extensions with a surge of negative reviews
- Blocking and/or flagging installations of sideloaded extensions
- Streamline all requests for extension installations outside the authorized list for quick approval based on company policy
- Full visibility on all extensions installed and used by employees across the organization
SquareX’s founder Vivek Ramachandran warns: “Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work.
Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and One Drive and we will only see attackers get more creative in exploiting browser extensions.
Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser native tools.”
About SquareX:
SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real-time.
SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks encompassing malicious files, websites, scripts, and compromised networks.
With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, and enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.
For more details, you can reach out to [email protected].