Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
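For customers who want to check whether the compromised build is still installed, the only concrete indicators the article gives are the extension name, the malicious version (24.10.4) and the replacement (24.10.5). The following script is an added example, not code from the article or from Cyberhaven: it walks Chrome's on-disk profile layout (`<profile>/Extensions/<extension-id>/<version>/manifest.json`, an assumption about where Chrome keeps installed extensions), reads each manifest, and classifies any install whose name contains "Cyberhaven" against those two version numbers. The article does not give the extension ID, so matching on the manifest name is an assumption; the sample profile the script builds for its demo uses constructed IDs and is not real data.

```python
"""Inventory installed Chrome extensions and flag the version the article names as malicious.

Added example, not the article's or Cyberhaven's code. Assumes Chrome's profile layout
<profile>/Extensions/<id>/<version>/manifest.json and matches on manifest name, since
the article gives no extension ID.
"""
import json
import tempfile
from pathlib import Path

# Watch-list entries: (substring of the manifest "name", malicious version, first fixed version).
# The Cyberhaven versions are those reported in the article; the name match is an assumption.
WATCH_LIST = [
    ("cyberhaven", "24.10.4", "24.10.5"),
]


def parse_version(v):
    """'24.10.4' -> (24, 10, 4). Non-numeric components become 0 so comparisons never raise."""
    parts = []
    for p in v.split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def classify(name, version, watch_list=WATCH_LIST):
    """Return 'malicious', 'fixed', 'unknown' (listed name, version not described) or 'unlisted'."""
    lname = name.lower()
    for needle, bad, fixed in watch_list:
        if needle not in lname:
            continue
        v = parse_version(version)
        if v == parse_version(bad):
            return "malicious"
        if v >= parse_version(fixed):
            return "fixed"
        return "unknown"
    return "unlisted"


def scan_profile(profile_dir):
    """Return [(extension_id, name, version, status)] for every manifest under <profile>/Extensions.

    Localized names (e.g. '__MSG_appName__') are left unresolved and will simply not match.
    """
    results = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return results
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            # utf-8-sig tolerates a leading BOM, which some packaged manifests carry.
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the scan
        ext_id = manifest.parent.parent.name
        name = str(data.get("name", ""))
        # Prefer the manifest's version; the directory name may carry a suffix like "24.10.4_0".
        version = str(data.get("version", manifest.parent.name.split("_")[0]))
        results.append((ext_id, name, version, classify(name, version)))
    return results


def build_sample_profile(root):
    """Construct a fake profile tree for offline testing. IDs and manifests are made up."""
    samples = {
        "aaaaaaaa_constructed_id_1": ("Cyberhaven", "24.10.4"),
        "bbbbbbbb_constructed_id_2": ("Cyberhaven", "24.10.5"),
        "cccccccc_constructed_id_3": ("Some Other Extension", "1.2.3"),
    }
    for ext_id, (name, version) in samples.items():
        d = Path(root) / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root


def demo():
    """Scan a constructed sample profile and return {extension_id: status}."""
    root = build_sample_profile(tempfile.mkdtemp())
    return {ext_id: status for ext_id, _, _, status in scan_profile(root)}


if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile(tempfile.mkdtemp())
    for ext_id, name, version, status in scan_profile(profile):
        print(f"{status:9} {ext_id:34} {name} {version}")
```

Run it with the path to a Chrome profile directory (the default profile is `~/.config/google-chrome/Default` on Linux, `~/Library/Application Support/Google/Chrome/Default` on macOS and `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows); with no argument it scans the constructed sample profile. A "malicious" hit means the build the article describes was present on that machine, and the credential and session rotation the company recommends applies regardless of whether the extension has since auto-updated to 24.10.5.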
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing their password or two-factor code, effectively allowing hackers to bypass those security measures.)
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it’s hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised, apparently as part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
In a shocking turn of events, a popular Chrome extension developed by a reputable cybersecurity firm has been hijacked by malicious actors to steal user passwords. The incident has raised serious concerns about the security of browser extensions and the potential risks they pose to users.
Background of the Incident
The Chrome extension in question is a password manager developed by a well-known cybersecurity firm. The extension was designed to help users manage their passwords securely and conveniently. However, in a recent update, the extension’s code was modified to include malicious functionality.
The Malicious Activity
The hijacked extension was designed to steal user passwords and send them to a remote server controlled by the attackers. The extension’s malicious functionality was triggered when users interacted with the extension’s interface, such as when they attempted to log in to a website or application.
The Impact of the Incident
The incident has had significant consequences for the users of the Chrome extension. Many users have reported that their passwords have been compromised, and some have even reported financial losses as a result of the incident.
The Response of the Cybersecurity Firm
The cybersecurity firm behind the Chrome extension has issued a statement apologizing for the incident and assuring users that they are taking steps to mitigate the damage. The firm has also released an updated version of the extension that removes the malicious functionality.
Lessons Learned from the Incident
The incident highlights several important lessons for users and developers of browser extensions:
1. Browser extensions can pose significant security risks: Browser extensions can have access to sensitive user data, such as passwords and credit card numbers. Users should be cautious when installing extensions and ensure that they are developed by reputable firms.
2. Extensions can be hijacked by malicious actors: The incident demonstrates that even reputable extensions can be hijacked by malicious actors. Users should be aware of the potential risks and take steps to protect themselves.
3. Regular updates and monitoring are essential: The incident highlights the importance of regular updates and monitoring of browser extensions. Developers should ensure that their extensions are regularly updated to address security vulnerabilities and that they are monitored for suspicious activity.
4. Users should be cautious when interacting with extensions: Users should be cautious when interacting with browser extensions, especially those that request sensitive information. Users should ensure that they are interacting with the genuine extension and not a malicious imitation.
Prevention and Mitigation Strategies
To prevent and mitigate the risks associated with browser extensions, users and developers can take several steps:
1. Use reputable extensions: Users should only install extensions from reputable firms and developers.
2. Read reviews and ratings: Users should read reviews and ratings from other users to ensure that the extension is safe and effective.
3. Keep extensions up-to-date: Developers should ensure that their extensions are regularly updated to address security vulnerabilities.
4. Monitor extensions for suspicious activity: Developers should monitor their extensions for suspicious activity and take swift action to address any security incidents.
5. Use secure communication protocols: Developers should use secure communication protocols, such as HTTPS, to protect user data.
Conclusion
The hijacking of the Chrome extension is a wake-up call for the cybersecurity industry and users alike. It highlights the potential risks associated with browser extensions and the importance of taking steps to prevent and mitigate these risks. By being aware of the potential risks and taking steps to protect themselves, users can help to ensure their online safety and security.
While the incident of a cyber firm’s Chrome extension being hijacked to steal user passwords is undoubtedly a negative event, there are some potential benefits that can be derived from it:
Benefits for Users
1. Increased Awareness of Browser Extension Security: The incident highlights the importance of browser extension security and the potential risks associated with installing extensions from untrusted sources.
2. Improved Password Hygiene: The incident may prompt users to review their password hygiene practices, such as using strong and unique passwords, enabling two-factor authentication, and regularly updating their passwords.
3. Enhanced Vigilance: Users may become more vigilant when installing and using browser extensions, which can help to prevent similar incidents in the future.
Benefits for the Cybersecurity Industry
1. Improved Extension Security: The incident may prompt cybersecurity firms to review and improve the security of their browser extensions, which can help to prevent similar incidents in the future.
2. Enhanced Collaboration: The incident may facilitate collaboration between cybersecurity firms, browser vendors, and other stakeholders to improve browser extension security and prevent similar incidents.
3. Increased Investment in Security Research: The incident may prompt cybersecurity firms to invest more in security research and development, which can help to identify and address potential security vulnerabilities in browser extensions.
Benefits for Browser Vendors
1. Improved Extension Review Process: The incident may prompt browser vendors to review and improve their extension review process, which can help to prevent similar incidents in the future.
2. Enhanced Security Features: The incident may prompt browser vendors to develop and implement enhanced security features, such as improved extension sandboxing and more robust security warnings.
3. Increased Transparency: The incident may prompt browser vendors to provide more transparency into their extension review process and security practices, which can help to build trust with users.
Benefits for the Overall Security Landscape
1. Improved Security Awareness: The incident may raise awareness of the importance of browser extension security and the potential risks associated with installing extensions from untrusted sources.
2. Enhanced Security Practices: The incident may prompt organizations and individuals to review and improve their security practices, including their use of browser extensions.
3. Increased Investment in Security Research: The incident may prompt organizations and individuals to invest more in security research and development, which can help to identify and address potential security vulnerabilities in browser extensions.
Conclusion
While the incident of a cyber firm’s Chrome extension being hijacked to steal user passwords is undoubtedly a negative event, there are some potential benefits that can be derived from it. By highlighting the importance of browser extension security and prompting users, cybersecurity firms, browser vendors, and other stakeholders to review and improve their security practices, the incident can help to create a more secure online environment.