Critical Advisory: Google Chrome Extensions Hacked

In a stark reminder of the ever-evolving threats in cyberspace, multiple popular Google Chrome extensions have been hacked. These compromised extensions put millions of users at risk, as attackers exploit their widespread usage to deliver malicious payloads or steal sensitive information. Let’s break down what happened, how it impacts you, and steps you can take to secure your online activity.

What Happened?

Cybersecurity firm Cyberhaven was the first known victim to report this Chrome extension compromise. On December 27, Cyberhaven revealed that attackers had injected malicious code into its browser extension, and that the code connected to a Command and Control (C&C) server. The breach occurred after a phishing attack on a Cyberhaven employee, which granted the attacker access to their Chrome Web Store account. The hacker uploaded a malicious version of the extension, which was removed within 60 minutes.

The attack targeted Chrome browsers with auto-updates, potentially exfiltrating cookies and authenticated session tokens. Cyberhaven advised customers to update to version 24.10.5 or newer, revoke passwords lacking FIDOv2, and review activity logs.
Cyberhaven suspects this attack is part of a larger campaign targeting Chrome extension developers, specifically aiming at social media advertising and AI platform logins.

Why This Matters

It wasn’t just Cyberhaven that was targeted by hackers. A Reuters article cites a wide variety of Chrome extension providers that were targeted and compromised in order to release hackers' versions of their extensions over the holidays, when cybersecurity teams are on vacation and the maximum damage can be done. CyberNews reported that 25 extensions, affecting 2 million people, were potentially impacted by this string of targeted attacks.

Chrome extensions are often granted extensive permissions to access sensitive data, such as:

  • Browsing activity.
  • Login credentials.
  • Personal information stored in browsers.

A compromised extension can leverage these permissions to cause significant harm, such as stealing financial details, spreading malware, or compromising corporate networks.

Key Takeaway: A single compromised extension can turn your browser into a gateway for attackers.

Extensions That May Be Compromised:

Here’s an initial list of reported extensions alleged to have been compromised. If you run one of these, either upgrade to a known good version or disable and uninstall it until a known good version has been released.

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMind AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus

How to Protect Yourself

  1. Audit Your Extensions Regularly
    • Remove extensions you no longer use.
    • Research the credibility of extensions before installing them.
  2. Be Alert to Updates
    • Malicious actors often compromise extensions during updates. Monitor update logs for suspicious changes or newly added permissions.
  3. Restrict Permissions
    • Only grant extensions the permissions they need to function. Avoid extensions that ask for excessive access.
  4. Monitor Browser Activity
    • Be wary of unexpected redirects, pop-ups, or unauthorized changes to your browser settings.
  5. Use Reliable Tools
    • Consider using security software or browser tools that detect malicious behavior.
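
Steps 2 and 3 above come down to comparing what an extension asks for before and after an update. The following is an added example, not code from Cyberhaven, Google or CyberHoot: it diffs two manifest.json versions and flags newly requested sensitive APIs or broad host access. The manifests, the function names and the choice of which permissions count as sensitive are assumptions made for illustration.

```javascript
// Added example: diff the access requested by two versions of an extension manifest.
// The manifests at the bottom are constructed sample data, not from any real extension.

// Assumed review policy: host patterns and API permissions worth a second look.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["cookies", "webRequest", "scripting", "debugger",
  "tabs", "history", "management", "nativeMessaging", "proxy"]);

// A host match pattern is the <all_urls> keyword or contains a scheme separator.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
const strings = (list) => (list || []).filter((x) => typeof x === "string");

// Collect everything a manifest asks for, across Manifest V2 and V3 layouts.
function requestedAccess(manifest) {
  const apis = new Set();
  const hosts = new Set();
  const declared = [...strings(manifest.permissions), ...strings(manifest.optional_permissions)];
  for (const p of declared) {
    (isHostPattern(p) ? hosts : apis).add(p); // MV2 mixes hosts into "permissions"
  }
  for (const h of strings(manifest.host_permissions)) hosts.add(h);
  for (const h of strings(manifest.optional_host_permissions)) hosts.add(h);
  for (const cs of manifest.content_scripts || []) {
    for (const m of strings(cs.matches)) hosts.add(m); // content scripts also grant page access
  }
  return { apis, hosts };
}

// Report what the new version requests that the old one did not.
function permissionDelta(oldManifest, newManifest) {
  const before = requestedAccess(oldManifest);
  const after = requestedAccess(newManifest);
  const addedApis = [...after.apis].filter((p) => !before.apis.has(p)).sort();
  const addedHosts = [...after.hosts].filter((h) => !before.hosts.has(h)).sort();
  const flagged = [
    ...addedApis.filter((p) => SENSITIVE_APIS.has(p)),
    ...addedHosts.filter((h) => BROAD_HOSTS.has(h)),
  ];
  return { addedApis, addedHosts, flagged, needsReview: flagged.length > 0 };
}

// Constructed manifests: an update that newly requests cookie access on every site.
const previous = { manifest_version: 3, version: "1.0.0", permissions: ["storage"],
  host_permissions: ["https://app.example.com/*"] };
const updated = { manifest_version: 3, version: "1.0.1", permissions: ["storage", "cookies"],
  host_permissions: ["https://app.example.com/*", "<all_urls>"] };

console.log(permissionDelta(previous, updated));
```

The delta only catches newly requested access. An update to an extension that already holds broad permissions can change behavior without changing its manifest, so an empty result does not clear the update.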

The Bigger Picture

This incident underscores the broader vulnerabilities in browser-based ecosystems. It also underscores the importance of teaching your end users how to spot and avoid phishing emails with regular positive reinforcement training similar to what CyberHoot provides in our innovative product.

Extensions, though convenient, are a double-edged sword. Their integration with your browser can either enhance productivity or become a significant security risk.

Final Thoughts:

Cybersecurity is a shared responsibility. While tech companies must fortify their platforms, users should adopt proactive habits to stay secure.
By staying informed and cautious, you can protect yourself from these evolving threats. Review your extensions today—don’t let a small tool become a big problem.
