SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach - DevOps.com
Briefly

On December 25th, 2024, a malicious version of Cyberhaven's browser extension was published on the Chrome Store that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information. The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.
The attack begins with a phishing email impersonating the Chrome Store, claiming a supposed violation of the platform's 'Developer Agreement' and urging the recipient to accept the policies to prevent their extension from being removed from the Chrome Store. Upon clicking the policy button, the user is prompted to connect their Google account to a 'Privacy Policy Extension', an OAuth consent that grants the attacker permission to edit, update and publish extensions on the developer's account.
Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted, so a compromised developer account can push a malicious version to every existing install. SquareX has conducted extensive research into browser security and emphasizes the need for organizations to scrutinize the browser extensions used by employees.
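One concrete way to close the monitoring gap described above is to inventory the extensions installed in a Chrome profile and compare that inventory against a saved baseline, alerting on version bumps and newly requested permissions. The script below is an added example, not code from SquareX, Cyberhaven or DevOps.com. It assumes Chrome's standard on-disk layout of `Extensions/<extension id>/<version>/manifest.json` under the profile directory; the extension id, version numbers and permission sets in the demo are constructed for illustration.

```python
"""Detect silent updates to whitelisted Chrome extensions.

Added example (not the page's or any vendor's code). Assumes the profile layout
Extensions/<extension id>/<version>/manifest.json and compares a saved baseline
against the current state, flagging version changes, new permissions, and
manifest edits that keep the same version string.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_profile(extensions_dir):
    """Inventory every extension under a Chrome profile's Extensions folder.

    Returns {extension_id: {"version", "permissions", "manifest_sha256"}}.
    Permissions and host_permissions are merged so a new host grant such as
    "<all_urls>" shows up alongside API permissions like "cookies".
    """
    inventory = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        raw = manifest_path.read_bytes()
        manifest = json.loads(raw)
        ext_id = manifest_path.parent.parent.name
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        inventory[ext_id] = {
            # Prefer the manifest's version; fall back to the folder name (e.g. "1.2.3_0").
            "version": manifest.get("version", manifest_path.parent.name),
            "permissions": sorted(perms),
            "manifest_sha256": hashlib.sha256(raw).hexdigest(),
        }
    return inventory


def diff_inventories(baseline, current):
    """Compare a saved baseline with a fresh snapshot and return findings.

    Each finding is a dict with an "id" and a "kind": removed, version_changed,
    new_permissions, manifest_changed_same_version, or new_extension.
    """
    findings = []
    for ext_id, base in baseline.items():
        cur = current.get(ext_id)
        if cur is None:
            findings.append({"id": ext_id, "kind": "removed"})
            continue
        if cur["version"] != base["version"]:
            findings.append({"id": ext_id, "kind": "version_changed",
                             "from": base["version"], "to": cur["version"]})
        added = sorted(set(cur["permissions"]) - set(base["permissions"]))
        if added:
            # A whitelisted extension asking for more than it was approved with
            # is the signal reviewers most want to see.
            findings.append({"id": ext_id, "kind": "new_permissions", "permissions": added})
        if (cur["manifest_sha256"] != base["manifest_sha256"]
                and cur["version"] == base["version"]):
            findings.append({"id": ext_id, "kind": "manifest_changed_same_version"})
    for ext_id in current.keys() - baseline.keys():
        findings.append({"id": ext_id, "kind": "new_extension"})
    return findings


def demo():
    """Build a constructed fake profile on disk, snapshot it, and diff it
    against a constructed baseline. Returns the findings list."""
    ext_id = "exampleextensionid0000000000000"  # constructed placeholder id
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "Extensions" / ext_id / "24.10.5_0"
        ext_dir.mkdir(parents=True)
        manifest = {
            "manifest_version": 3,
            "name": "Example DLP Extension",  # constructed name
            "version": "24.10.5",
            "permissions": ["storage", "tabs", "cookies"],
            "host_permissions": ["<all_urls>"],
        }
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
        current = snapshot_profile(Path(tmp) / "Extensions")
    # Baseline captured when the extension was whitelisted (constructed values).
    baseline = {ext_id: {"version": "24.10.4",
                         "permissions": ["storage", "tabs"],
                         "manifest_sha256": "0" * 64}}
    return diff_inventories(baseline, current)


if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

In practice the baseline would be written out with `json.dump(snapshot_profile(...))` at whitelisting time and the diff run on a schedule from endpoint management; any `version_changed` or `new_permissions` finding for an allow-listed extension is the cue to re-review it before it stays deployed.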
Read at DevOps.com