A new large-scale attack targeting popular Chrome browser extensions has compromised at least 16 extensions, among them one published by cybersecurity firm Cyberhaven, exposing over 600,000 users to potential data theft and credential exposure.
The campaign relied on phishing attacks against extension developers, which let the attackers use the developers' valid permissions to inject malicious code into legitimate extensions. Cyberhaven was one of the first targets; it disclosed on December 27 that its browser extension had been compromised.
The attack primarily targeted publishers of browser extensions listed on the Chrome Web Store. Threat actors sent phishing emails impersonating Google Chrome Web Store Developer Support, claiming that an urgent violation of Developer Program Policies required immediate action to avoid extension removal.
Victims were redirected to authorize a malicious OAuth application named “Privacy Policy Extension,” which granted the attackers access. Once those permissions were secured, malicious versions of the extensions were uploaded to the Chrome Web Store and passed its standard security checks.
The attackers used that access to inject malicious code that communicated with an external command-and-control (C2) server hosted on “cyberhavenext[.]pro,” exfiltrating sensitive user data, including authentication cookies and access tokens.
"This type of attack highlights browser extensions as a vulnerable entry point. These tools, often with extensive permissions, can expose sensitive user information such as cookies, access tokens, and identity data," warns Or Eshed, CEO of LayerX Security.
Following Cyberhaven’s disclosure, additional compromised Chrome extensions communicating with the same C2 server were uncovered.
Notable examples include widely used extensions such as “GPT 4 Summary with OpenAI,” “AI Assistant – ChatGPT and Gemini for Chrome,” and “VPNCity.” Cybersecurity firm Secure Annex has identified at least 16 suspect extensions and notes the campaign could date back to as early as April 2023.
Secure Annex’s founder, John Tuckner, confirmed that related malicious code indicators were found across several exposed extensions, connecting the attacks through the associated domains “nagofsg[.]com” and “sclpfybn[.]com.” The affected extensions include Reader Mode, Rewards Search Automator, Bookmark Favicon Changer, Earny – Up to 20% Cash Back, and TinaMind AI Assistant, among others.
Perhaps most concerning, the malicious code specifically targeted Facebook identity and business account tokens, raising the risk of account hijacking and the exposure of sensitive business data.
While quick action led to the removal of malicious versions of extensions from the Chrome Web Store, considerable threats persist, as compromised extensions that remain active on user devices still allow threat actors to exfiltrate sensitive data.
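As an added defensive illustration (not code from the article or from any of the firms it cites): a Python scan over an unpacked extension directory that flags references to the domains named above and the permissions (cookies, broad host access) that made the stolen data reachable. The extension layout, file names and the samples built by `demo()` are constructed assumptions, not artefacts from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Infrastructure named in the article (defanged there; joined here so it can be matched).
C2_DOMAINS = ("cyberhavenext.pro", "nagofsg.com", "sclpfybn.com")
# Permissions that let an extension reach the data this campaign stole (cookies, tokens).
SENSITIVE_PERMISSIONS = {"cookies", "identity", "webRequest", "<all_urls>"}
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

def matches_c2(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def scan_extension(ext_dir):
    # Scan one unpacked extension: permissions of interest plus any C2 references in its files.
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hits = []
    for path in ext_dir.rglob("*"):
        if path.suffix not in {".js", ".json", ".html"}:
            continue
        for host in HOST_RE.findall(path.read_text(encoding="utf-8", errors="ignore")):
            if matches_c2(host):
                hits.append((str(path.relative_to(ext_dir)), host.lower()))
    return {"name": manifest.get("name", "?"),
            "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
            "c2_hits": hits, "suspicious": bool(hits)}

def write_sample(root, name, permissions, hosts, script):
    # Write a constructed (fake) unpacked extension used only for this demonstration.
    d = Path(root) / name
    d.mkdir()
    (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3,
        "permissions": permissions, "host_permissions": hosts}))
    (d / "bg.js").write_text(script)
    return d

def demo():
    # One constructed 'trojanised' extension and one clean one; returns both scan reports.
    with tempfile.TemporaryDirectory() as root:
        bad = write_sample(root, "constructed-bad", ["cookies", "storage"], ["<all_urls>"],
                           '// constructed sample: references a domain named in the article\n'
                           'const endpoint = "https://api.cyberhavenext.pro/";\n')
        good = write_sample(root, "constructed-good", ["storage"], [],
                            'const endpoint = "https://example.com/";\n')
        return scan_extension(bad), scan_extension(good)
```

To check a real profile, point `scan_extension()` at each subdirectory of Chrome's `Extensions` folder; a C2 hit is the decisive signal, while the permission list only tells you what a compromised version could have reached.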
The compromised Cyberhaven browser extension was active for approximately 24 hours before removal.
Recently, phishing attacks targeted defense giant General Dynamics, exposing employee personal and financial data.