Two separate campaigns have been stealing credentials and browsing history for months.
# Incident Report: Mass Compromise of Chrome Extensions via OAuth Phishing
## Executive Summary
A sophisticated, multi-month campaign targeted the development pipelines of numerous Google Chrome extensions, leading to the infection of approximately 2.6 million devices. Attackers leveraged a targeted spear-phishing campaign against developers to gain legitimate OAuth permissions, allowing them to upload malicious updates containing credential-stealing payloads. The immediate impact centered on the potential theft of browser cookies and authentication credentials, particularly for Facebook and potentially ChatGPT.
## Incident Details
- Discovery Date: December 25, 2024 (with earliest known compromise starting May 2024)
- Incident Date: Ongoing campaigns, with peak malicious deployment around Christmas 2024.
- Affected Organization: At least 33 distinct Chrome extensions/developers, including Cyberhaven.
- Sector: Technology, Software Security, General Consumers.
- Geography: Global (Chrome Web Store distribution).
## Timeline of Events
### Initial Access
- **Date/Time:** Attackers began targeting developers as early as May 2024. The final push impacting major extensions occurred around Christmas Eve/Morning 2024.
- **Vector:** Spear phishing directed at extension developers.
- **Details:** Developers received emails impersonating Google, claiming non-compliance with terms of service, prompting urgent action. This led them to authorize an OAuth application named "Privacy Policy Extension."
### Lateral Movement
- Attackers did not need to move laterally within target networks; instead, they moved laterally within the **Chrome Web Store ecosystem** by poisoning the supply chain of multiple, unrelated extensions using the compromised developer credentials.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Malicious payloads were designed to scour user devices for browser cookies and authentication credentials, specifically targeting `facebook.com`. One recovered payload also targeted `chatgpt.com`.
### Detection & Response
- **How it was discovered:** Data loss prevention vendor Cyberhaven detected a malicious update (v24.10.4) to its own extension on December 25th.
- **Response actions taken:** The affected Cyberhaven extension was patched rapidly (v24.10.5, then v24.10.6). Researchers identified 19 other compromised extensions, and their developers in many cases pushed clean versions out to affected users.
## Attack Methodology
| Category | Details |
| :--- | :--- |
| **Initial Access** | Spear Phishing targeting extension developers, tricking them into granting OAuth permissions. |
| **Persistence** | Maintaining access via stolen long-lived OAuth tokens, enabling the attackers to push subsequent malicious versions to the Chrome Web Store. |
| **Privilege Escalation** | Gaining the ability to upload new, signed versions of extensions to the official Web Store without developer knowledge. |
| **Defense Evasion** | Leveraging trust in the official Chrome Web Store distribution channel. Payload delivery was dynamic via external domains (`cyberhavenext[.]pro`). |
| **Credential Access** | Stealing browser cookies and authentication credentials for high-value domains (`facebook.com`, `chatgpt.com`). |
| **Discovery** | Not explicitly detailed, but internal reconnaissance likely occurred to identify valid developer email addresses and target application functionalities. |
| **Lateral Movement** | Supply chain injection across multiple extensions concurrently. |
| **Collection** | Scouring user devices for specific credential/cookie files associated with target domains. |
| **Exfiltration** | Implicit, via connection to attacker-controlled command-and-control infrastructure hosted on look-alike domains. |
| **Impact** | Theft of user session data (cookies) and authentication credentials from potentially millions of users. |
## Impact Assessment
- **Financial:** Not explicitly disclosed, but significant investigation and remediation costs for affected enterprises.
- **Data Breach:** Potentially **2.6 million devices** exposed. Data compromised includes browser cookies and login credentials for major services (Facebook, ChatGPT).
- **Operational:** Minimal direct operational impact on the extension developers, outside of the immediate security crisis management. Users experienced silent data compromise.
- **Reputational:** Negative impact on user trust regarding the security of the Chrome Web Store ecosystem and extension vetting processes.
## Indicators of Compromise
*Note: Defanged IP/URL structure based on context.*
- **Network indicators:** `cyberhavenext[.]pro` (Malicious C2 domain used for payload delivery).
- **File indicators:** Specific malicious payloads associated with version 24.10.4 of the Cyberhaven extension.
- **Behavioral indicators:** Browser extensions silently updating to malicious versions and then initiating HTTP connections to suspicious domains to download and execute unauthorized code.
## Response Actions
- **Containment Measures:** Developers quickly released new, clean versions of their extensions (e.g., Cyberhaven v24.10.5) to overwrite the malicious code in users' browsers.
- **Eradication Steps:** Affected users were advised to change passwords and authentication credentials for affected services.
- **Recovery Actions:** Organizations were urged to conduct audits of installed extensions, revoke lingering OAuth permissions, and implement strict browser asset management policies.
## Lessons Learned
- **Supply Chain Risk in Extensibility:** Browser extensions represent a highly trusted, yet often poorly managed, vector for supply chain attacks, relying heavily on developer security practices.
- **Efficacy of OAuth Attacks:** Spear phishing targeting developer accounts to leverage legitimate platform permissions (like Chrome Web Store publishing rights) is a highly effective infiltration technique.
- **Blind Trust in Updates:** Automated extension updates can rapidly deploy malicious code if the developer pipeline is compromised.
## Recommendations
- **Browser Asset Management:** Organizations should immediately implement software asset management focusing on browser extensions, limiting installation to a pre-approved whitelist.
- **Strict OAuth Review:** Developers must exercise extreme caution when granting third-party OAuth permissions, especially concerning publishing rights.
- **User Remediation:** All users of the identified 33 extensions should immediately reset credentials for any sensitive sites accessed while the malicious version was active.
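The audit the report recommends (allowlisting installed extensions, flagging the known-bad Cyberhaven version) and the network indicator it lists can be checked with a short script. This is an added example, not code from the report or from Cyberhaven; the extension IDs, the installed-extension inventory and the proxy log lines are constructed placeholders, while the version number and the C2 domain come from the report.

```python
# Constructed sample inventory: extension ID -> fields taken from each manifest.json.
# The IDs are placeholders, not the real Chrome Web Store IDs.
INSTALLED = {
    "placeholder_cyberhaven_id": {"name": "Cyberhaven", "version": "24.10.4",
                                  "host_permissions": ["<all_urls>"]},
    "placeholder_approved_id": {"name": "Approved Tool", "version": "1.2.0",
                                "host_permissions": ["https://intranet.example.com/*"]},
    "placeholder_unknown_id": {"name": "Mystery Helper", "version": "0.9",
                               "host_permissions": ["*://*/*"]},
}
ALLOWLIST = {"placeholder_cyberhaven_id", "placeholder_approved_id"}
# Version the report identifies as malicious; v24.10.5 and v24.10.6 were the fixes.
KNOWN_BAD_VERSIONS = {("Cyberhaven", "24.10.4")}
# Network IoC from the report (shown defanged there as cyberhavenext[.]pro).
C2_DOMAINS = {"cyberhavenext.pro"}

# Constructed proxy log lines in a simple key=value format.
PROXY_LOG = """\
2024-12-25T03:14:07Z src=10.0.0.12 host=cyberhavenext.pro method=GET path=/
2024-12-25T03:15:01Z src=10.0.0.12 host=www.facebook.com method=GET path=/
2024-12-25T03:16:44Z src=10.0.0.31 host=update.googleapis.com method=POST path=/service/update2
"""


def audit_extensions(installed, allowlist, bad_versions):
    """Return (extension_id, reason) pairs an administrator should act on."""
    findings = []
    for ext_id, manifest in installed.items():
        if ext_id not in allowlist:
            findings.append((ext_id, "not on pre-approved allowlist"))
        if (manifest["name"], manifest["version"]) in bad_versions:
            findings.append((ext_id, f"known malicious version {manifest['version']}"))
        # Broad host permissions are what let a poisoned update read cookies on every site.
        if any(p in ("<all_urls>", "*://*/*") for p in manifest.get("host_permissions", [])):
            findings.append((ext_id, "requests access to all sites"))
    return findings


def find_c2_contacts(log_text, c2_domains):
    """Return (timestamp, src, host) for log lines whose host is a C2 domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        host = fields.get("host", "")
        if any(host == d or host.endswith("." + d) for d in c2_domains):
            hits.append((parts[0], fields.get("src"), host))
    return hits
```

On a real host, INSTALLED would be built by reading each extension's manifest.json from the browser profile directory and PROXY_LOG from the egress proxy.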