Spear Phishing Campaign Targets Chrome Extension Developers, Compromises 20 Extensions
A screenshot showing the phishing email sent to Cyberhaven extension developers.
Credit: Amit Assaraf
A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.
Screenshot showing the Google permission request.
Credit: Amit Assaraf
Attack Details
As word of the attack spread in the early hours of December 25, developers and researchers discovered that other extensions were targeted, in many cases successfully, by the same spear phishing campaign. John Tuckner, founder of Secure Annex, a browser extension analysis and management firm, said that as of Thursday afternoon, he knew of 19 other Chrome extensions that were similarly compromised. In every case, the attacker used spear phishing to push a new malicious version and custom, look-alike domains to issue payloads and receive authentication credentials. Collectively, the 20 extensions had 1.46 million downloads.
Impact
"For many I talk to, managing browser extensions can be a lower priority item in their security program," Tuckner wrote in an email. "Folks know they can present a threat, but rarely are teams taking action on them. We’ve often seen in security that one or two incidents can cause a reevaluation of an organization’s security posture. Incidents like this often result in teams scrambling to find a way to gain visibility and understanding of impact to their organizations."
Timeline
The earliest compromise occurred in May 2024. Tuckner provided the following spreadsheet:
| Name | ID | Version | Patch Available | Users | Start | End |
|---|---|---|---|---|---|---|
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | FALSE | 10,000 | 12/12/24 | 12/31/24 |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | TRUE | 40,000 | 12/25/24 | 12/31/24 |
| … | … | … | … | … | … | … |
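Because a compromised extension arrives through the normal Chrome Web Store update channel, the practical first step for a defender is to check which extension IDs and versions are actually installed on endpoints. The script below is an added example (not code from the article, Secure Annex or Cyberhaven) that walks a Chrome profile's `Extensions` directory, where Chrome stores each extension under `<id>/<version>/manifest.json`, and reports any ID from the indicator list. The indicator list contains only the two ID/version pairs visible in the table above; the rest of the spreadsheet is not on this page. The per-platform profile paths are the usual defaults and are assumptions, and the sample profile it builds for a self-test is constructed data, not a real machine.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the two table rows shown on the page: extension ID -> compromised version(s).
# Further IDs from the full spreadsheet are not on the page and are deliberately not invented here.
COMPROMISED = {
    "nnpnnpemnckcfdebeekibpiijlicmpom": {"2.0.1"},   # VPNCity
    "kkodiihpgodmdankclfibbiphjkfdenh": {"1.16.2"},  # Parrot Talks
}


def default_extension_dirs():
    """Usual Chrome 'Extensions' directories for the current user (assumed default locations)."""
    home = Path.home()
    return [
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",    # Windows
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        home / ".config/google-chrome/Default/Extensions",                      # Linux
    ]


def scan_extensions(root):
    """Yield (extension_id, version_dir, manifest_version, name) for every <root>/<id>/<ver>/manifest.json."""
    root = Path(root)
    if not root.is_dir():
        return
    for ext_dir in sorted(root.iterdir()):
        # Chrome extension IDs are 32 characters drawn from a-p.
        if not ext_dir.is_dir() or len(ext_dir.name) != 32:
            continue
        for ver_dir in sorted(ext_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip rather than crash the sweep
            yield ext_dir.name, ver_dir.name, str(data.get("version", "")), str(data.get("name", ""))


def find_compromised(root, iocs=COMPROMISED):
    """Return findings for installed extensions whose ID is in the IOC list.

    The version match is reported as a separate flag: an ID hit on a different version still means
    the publisher account was under attacker control at some point, so it deserves review rather than
    being silently ignored. The manifest version is used, because the directory name carries a
    trailing "_0" suffix that Chrome appends.
    """
    findings = []
    for ext_id, _ver_dir, manifest_ver, name in scan_extensions(root):
        if ext_id in iocs:
            findings.append({
                "id": ext_id,
                "name": name,
                "version": manifest_ver,
                "known_bad_version": manifest_ver in iocs[ext_id],
            })
    return findings


def build_sample_profile():
    """Constructed sample profile for a self-test: one compromised build, one clean build of a listed
    extension, and one unrelated extension. None of this is data from a real machine."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = [
        ("nnpnnpemnckcfdebeekibpiijlicmpom", "2.0.1_0", "2.0.1", "VPNCity"),
        ("kkodiihpgodmdankclfibbiphjkfdenh", "1.16.3_0", "1.16.3", "Parrot Talks"),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0_0", "1.0.0", "Unrelated Extension"),
    ]
    for ext_id, ver_dir, version, name in samples:
        d = root / ext_id / ver_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}), encoding="utf-8"
        )
    return root


if __name__ == "__main__":
    for profile_root in default_extension_dirs() + [build_sample_profile()]:
        for hit in find_compromised(profile_root):
            flag = "KNOWN BAD VERSION" if hit["known_bad_version"] else "listed ID, other version"
            print(f"{profile_root}: {hit['name']} ({hit['id']}) v{hit['version']} -> {flag}")
```

On a real fleet the interesting output is the second flag as much as the first: a listed ID at a patched version tells you the user was exposed during the window in the table's Start and End columns, which is what drives credential rotation, not just removal of the extension.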
But Wait, There’s More
One of the compromised extensions is called Reader Mode. Further analysis showed it had been compromised not just in the campaign targeting the other 19 extensions but in a separate campaign that started no later than April 2023. Tuckner said the source of the compromise appears to be a code library developers can use to monetize their extensions. The code library collects details about each web visit a browser makes. In exchange for incorporating the library into the extensions, developers receive a commission from the library creator.
Conclusion
The attack shows that a developer's Chrome Web Store publishing rights are a supply-chain asset: a single OAuth consent granted to a look-alike application was enough to push a malicious version to every installed copy of an extension. Developers should treat unexpected OAuth consent requests with the same suspicion as a password prompt and audit which third-party applications hold access to their Web Store account, and organizations should maintain an inventory of the extensions and versions installed in their browsers so that an incident like this can be scoped quickly.
FAQs
Q: How did the attack work?
A: The attack started with a spear phishing email sent to Cyberhaven extension developers, which led to a Google consent screen. The developer granted permission, allowing the attacker to upload new versions of the extension to the Chrome Web Store.
Q: How many extensions were compromised?
A: 20 extensions were compromised, with 1.46 million downloads collectively.
Q: What was the impact of the attack?
A: Malicious versions of the 20 extensions were pushed to their combined 1.46 million users, and the attacker used look-alike domains to deliver payloads and collect authentication credentials. Tuckner noted that incidents like this typically send teams scrambling to gain visibility into the extensions in their environment and to reevaluate their security posture.
Q: What is the source of the compromise?
A: For the 20-extension campaign, the initial access was a spear phishing email that led to a Google OAuth consent screen; granting the request gave the attacker the ability to upload new versions to the Chrome Web Store. Reader Mode was additionally compromised in a separate, earlier campaign that began no later than April 2023, whose source appears to be a monetization code library that collects details about each web visit the browser makes.